Box was set to "fixfiles onboot"
Saw this avc:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
selinux-policy-targeted-3.10.0-118.fc17.noarch
Not important I believe, but this is something that should be fixed I guess.
systemd-tmpfiles is trying to change the context (/dev/lp2) where it is not needed. Does not seem very efficient to me.
Is that location mentioned anywhere in /etc/tmpfiles.d?
On Sun, 2012-04-29 at 09:38 +0100, Frank Murphy wrote:
Box was set to "fixfiles onboot"
Saw this avc:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
selinux-policy-targeted-3.10.0-118.fc17.noarch
On 29/04/12 11:45, Dominick Grift wrote:
Not important I believe, but this is something that should be fixed I guess.
systemd-tmpfiles is trying to change the context (/dev/lp2) where it is not needed. Does not seem very efficient to me.
Is that location mentioned anywhere in /etc/tmpfiles.d?
No, and they're breeding, the avc's cover lp0, lp1, lp2, lp3, lp4
On Sun, 2012-04-29 at 12:32 +0100, Frank Murphy wrote:
On 29/04/12 11:45, Dominick Grift wrote:
Not important I believe, but this is something that should be fixed I guess.
systemd-tmpfiles is trying to change the context (/dev/lp2) where it is not needed. Does not seem very efficient to me.
Is that location mentioned anywhere in /etc/tmpfiles.d?
No, and they're breeding, the avc's cover lp0, lp1, lp2, lp3, lp4
I would say that this is a bug in a systemd-tmpfiles configuration file that some package includes.
Because I do not think systemd-tmpfiles should set device node labels, and even if it should, it should probably check first to see if setting it is even needed.
In the case you enclosed, it is trying to set a context the same as the device node's current context. (e.g. redundant)
So imho this isn't a selinux-policy bug but instead it is a bug in a systemd-tmpfiles configuration file. I could be wrong about that though.
On 04/29/2012 12:17 PM, Dominick Grift wrote:
On Sun, 2012-04-29 at 12:32 +0100, Frank Murphy wrote:
On 29/04/12 11:45, Dominick Grift wrote:
Not important I believe, but this is something that should be fixed I guess.
systemd-tmpfiles is trying to change the context (/dev/lp2) where it is not needed. Does not seem very efficient to me.
Is that location mentioned anywhere in /etc/tmpfiles.d?
No, and they're breeding, the avc's cover lp0, lp1, lp2, lp3, lp4
I would say that this is a bug in a systemd-tmpfiles configuration file that some package includes.
Because I do not think systemd-tmpfiles should set device node labels, and even if it should, it should probably check first to see if setting it is even needed.
In the case you enclosed, it is trying to set a context the same as the device node's current context. (e.g. redundant)
So imho this isn't a selinux-policy bug but instead it is a bug in a systemd-tmpfiles configuration file. I could be wrong about that though.
Yes please open a bug on systemd to check if a context is the same as the context it is going to set, and then don't set it.
On 30/04/12 18:24, Daniel J Walsh wrote:
Yes please open a bug on systemd to check if a context is the same as the context it is going to set, and then don't set it.
https://bugzilla.redhat.com/show_bug.cgi?id=817765
On Tue, 2012-05-01 at 08:55 +0100, Frank Murphy wrote:
On 30/04/12 18:24, Daniel J Walsh wrote:
Yes please open a bug on systemd to check if a context is the same as the context it is going to set, and then don't set it.
The avc denials you enclosed in that bz do not support the bug. They only have the "relabelfrom" and not the "relabelto" ones:
[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
The above shows the issue
On 04/29/2012 04:38 AM, Frank Murphy wrote:
Box was set to "fixfiles onboot"
Saw this avc:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
selinux-policy-targeted-3.10.0-118.fc17.noarch
That should show up in selinux-policy-targeted-3.10.0-120.fc17.noarch
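Added example, not part of the thread and not code from systemd or selinux-policy: a triage script that pairs the relabelfrom/relabelto denials discussed above and flags the redundant case, where the label being set equals the node's current label. It relies on the relabelfrom record carrying the object's current context in tcontext and the relabelto record carrying the requested one; the lp9 records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First two records are the ones quoted in the thread; the lp9 pair is
# constructed to show a relabel that would actually change the label.
SAMPLE = """\
[ 8.566136] type=1400 audit(1335687882.859:7): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.588374] type=1400 audit(1335687882.881:8): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=11419 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[ 8.600000] type=1400 audit(1335687882.900:9): avc: denied { relabelfrom } for pid=489 comm="systemd-tmpfile" name="lp9" dev="devtmpfs" ino=20001 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 8.600100] type=1400 audit(1335687882.901:10): avc: denied { relabelto } for pid=489 comm="systemd-tmpfile" name="lp9" dev="devtmpfs" ino=20001 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of key=value fields plus 'perms', or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def relabel_report(text):
    """Map (comm, dev, ino, name) -> 'redundant' | 'changing' | 'unpaired'."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get('comm'), rec.get('dev'), rec.get('ino'), rec.get('name'))
        for perm in rec['perms']:
            if perm in ('relabelfrom', 'relabelto'):
                seen[key][perm] = rec.get('tcontext')
    report = {}
    for key, ctx in seen.items():
        if len(ctx) < 2:
            report[key] = 'unpaired'      # only one half of the pair was logged
        elif ctx['relabelfrom'] == ctx['relabelto']:
            report[key] = 'redundant'     # requested label equals current label
        else:
            report[key] = 'changing'      # a real label change was attempted
    return report

if __name__ == '__main__':
    for key, verdict in relabel_report(SAMPLE).items():
        print(key, verdict)
```

A 'redundant' verdict points at the caller setting a label that is already in place, rather than at a missing policy rule.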