Hi,
Could you try it with the latest selinux-policy package?
It's fixed in F25 and higher:
#============= init_t ==============
#!!!! This avc is allowed in the current policy
allow init_t kernel_t:unix_stream_socket { read write };
$ rpm -q selinux-policy
selinux-policy-3.13.1-225.15.fc25.noarch
Thanks,
Lukas.
On 04/11/2017 08:06 AM, Ed Greshko wrote:
I was having some problems with getting a setting to stick under network manager. I wanted to eliminate a silent selinux AVC. So I issued a semodule -DB. This is on F25, BTW.
But now I'm continuously getting the following....
SELinux is preventing systemd from 'read, write' accesses on the unix_stream_socket unix_stream_socket.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:system_r:kernel_t:s0-s0:c0.c1023
Target Objects unix_stream_socket [ unix_stream_socket ]
Source systemd
Source Path systemd
Port <Unknown>
Host meimei.greshko.com
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name meimei.greshko.com
Platform Linux meimei.greshko.com 4.10.8-200.fc25.x86_64 #1 SMP Fri Mar 31 13:20:22 UTC 2017 x86_64 x86_64
Alert Count 2
First Seen 2017-04-11 13:59:41 CST
Last Seen 2017-04-11 13:59:41 CST
Local ID a9f3060f-290b-4777-bf8f-28d0313ca9f1
Raw Audit Messages
type=AVC msg=audit(1491890381.516:407): avc: denied { read write } for pid=1 comm="systemd" path="socket:[65875]" dev="sockfs" ino=65875 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
Hash: systemd,init_t,kernel_t,unix_stream_socket,read,write
Should I follow the recommendation of generating a local policy? Should this be BZ'd?
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
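The question in the thread is whether a raw AVC record still needs a local module or is already covered by the installed policy (audit2allow's "!!!! This avc is allowed in the current policy" marker answers exactly that). The following script is an added example, not code from either poster or from the selinux-policy project: it parses raw `type=AVC` lines into their fields, looks the (source type, target type, class) triple up in a small allow table, and prints the TE rule that would be needed for any permissions not already granted. The allow table and the second audit line are constructed for illustration; the first line mirrors the record quoted above, and on a real host the table would come from `sesearch --allow` against the loaded policy.

```python
"""Parse raw SELinux AVC records and check them against known allow rules.

Added example; the KNOWN_ALLOWS table and the second audit line are
constructed, not taken from a real policy or host.
"""
import re
from dataclasses import dataclass

# Constructed sample: line 1 mirrors the record from the thread, line 2 is a
# made-up denial for a different domain so both code paths are exercised.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1491890381.516:407): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[65875]" dev="sockfs" ino=65875 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1491890400.000:408): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""


@dataclass(frozen=True)
class AvcRecord:
    timestamp: str
    comm: str
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    enforcing: bool  # permissive=0 means the denial was actually enforced

    @property
    def stype(self):
        # context is user:role:type[:level]; the type is the third field
        return self.scontext.split(":")[2]

    @property
    def ttype(self):
        return self.tcontext.split(":")[2]


# Field order follows the kernel's AVC record layout: permissions, comm,
# scontext, tcontext, tclass, permissive.
_AVC_RE = re.compile(
    r"msg=audit\((?P<ts>[\d.]+):\d+\):\s+avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r'.*?comm="(?P<comm>[^"]*)"'
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
    r".*?permissive=(?P<permissive>[01])"
)


def parse_avc_lines(text):
    """Return an AvcRecord for every parsable type=AVC line in `text`."""
    records = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = _AVC_RE.search(line)
        if not m:
            continue  # not a denial record we understand; skip it
        records.append(AvcRecord(
            timestamp=m.group("ts"),
            comm=m.group("comm"),
            perms=frozenset(m.group("perms").split()),
            scontext=m.group("scontext"),
            tcontext=m.group("tcontext"),
            tclass=m.group("tclass"),
            enforcing=m.group("permissive") == "0",
        ))
    return records


# Constructed stand-in for the allow rules of the installed policy.  The
# init_t entry is the rule audit2allow reported as already present in
# selinux-policy-3.13.1-225.15.fc25.
KNOWN_ALLOWS = {
    ("init_t", "kernel_t", "unix_stream_socket"): frozenset({"read", "write"}),
}


def missing_perms(rec, allows):
    """Permissions in the denial that the allow table does not grant."""
    granted = allows.get((rec.stype, rec.ttype, rec.tclass), frozenset())
    return rec.perms - granted


def classify(rec, allows):
    """('already_allowed', {}) when the policy covers the denial, else
    ('needs_policy', <missing perms>)."""
    missing = missing_perms(rec, allows)
    return ("already_allowed" if not missing else "needs_policy", missing)


def allow_rule(rec, perms):
    """Render the TE allow rule, in audit2allow's output form, for `perms`."""
    return f"allow {rec.stype} {rec.ttype}:{rec.tclass} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    for rec in parse_avc_lines(SAMPLE_AUDIT):
        verdict, missing = classify(rec, KNOWN_ALLOWS)
        mode = "enforcing" if rec.enforcing else "permissive"
        print(f"{rec.comm} ({rec.stype} -> {rec.ttype}:{rec.tclass}, {mode}): {verdict}")
        if missing:
            print("  " + allow_rule(rec, missing))
```

The first record classifies as already allowed, which is the situation in the thread: updating selinux-policy, not loading a local module, is the fix. The second record shows the other outcome, where the rendered `allow` line is what audit2allow would put into a generated module; treat that output as a starting point for a bug report or review, not as something to load blindly, since a denial that only became visible after `semodule -DB` may have been deliberately dontaudit'ed.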