Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Hi,

On boot, I see this AVC:

May  5 14:28:40 venser kernel: [  379.071332] type=1400 audit(1367756920.294:11): avc:  denied  { read } for  pid=515 comm="systemd-logind" name="cpu" dev=tmpfs ino=3309 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file

It seems that systemd tries to access all cgroups in /sys/fs/cgroup/, but there
is now a symlink for cpu:

# ls -lZ /sys/fs/cgroup/
total 0
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai    5 14:22 blkio
lrwxrwxrwx. 1 root root system_u:object_r:cgroup_t:SystemLow 11 mai    5 14:22 cpu -> cpu,cpuacct
lrwxrwxrwx. 1 root root system_u:object_r:cgroup_t:SystemLow 11 mai    5 14:22 cpuacct -> cpu,cpuacct
drwxr-xr-x. 3 root root system_u:object_r:cgroup_t:SystemLow  0 mai    5 14:22 cpu,cpuacct
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai    5 14:22 cpuset
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai    5 14:22 devices
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai    5 14:22 freezer
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai    5 14:22 net_cls
drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:SystemLow  0 mai    5 14:22 perf_event
drwxr-xr-x. 4 root root system_u:object_r:cgroup_t:SystemLow  0 mai    5 14:22 systemd

So the policy should be extended to also take the symlinks into account:

# sesearch -s systemd_logind_t -A -t cgroup_t
Found 2 semantic av rules:
   allow systemd_logind_t cgroup_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow systemd_logind_t cgroup_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=ANSI_X3.4-1968) 
(ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
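
Added example (not part of the bug report above, and not code from the
selinux-policy-default package): until the distribution policy carries the
rule, the denial can be turned into a local policy module the same way
audit2allow -M would. The script below parses the AVC line from the report
(embedded here as constructed input), emits the missing
`allow systemd_logind_t cgroup_t:lnk_file read;` rule, writes a .te module in
checkmodule's "module NAME VERSION;" syntax, and only builds and installs it
with checkmodule / semodule_package / semodule when INSTALL_MODULE=1 is set and
the script runs as root. The module name logind_cgroup_lnk and the
INSTALL_MODULE variable are my own choices; the AVC parser is a small awk
stand-in for audit2allow, not the real tool.

```shell
#!/bin/sh
# Added example: derive a local SELinux module from the AVC denial in the report.
# Not part of the bug report or of selinux-policy-default.

# Constructed input: the kernel AVC line from the report, on one line.
AVC='type=1400 audit(1367756920.294:11): avc:  denied  { read } for  pid=515 comm="systemd-logind" name="cpu" dev=tmpfs ino=3309 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=lnk_file'

# avc_fields LINE: print "source_type target_type class perm1,perm2,..." for one
# "avc: denied" line (the type is the third field of an SELinux context).
avc_fields() {
    printf '%s\n' "$1" | awk '/avc: *denied/ {
        perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        print src, tgt, cls, perms
    }'
}

# avc_to_allow LINE: print the allow rule that would silence the denial.
avc_to_allow() {
    set -- $(avc_fields "$1")
    [ $# -eq 4 ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$1" "$2" "$3" "$(printf '%s' "$4" | tr ',' ' ')"
}

# make_module NAME LINE: print a complete .te module (checkmodule syntax) with
# the require block that the allow rule needs.
make_module() {
    name=$1
    set -- $(avc_fields "$2")
    [ $# -eq 4 ] || return 1
    perms=$(printf '%s' "$4" | tr ',' ' ')
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n    type %s;\n    class %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$name" "$1" "$2" "$3" "$perms" "$1" "$2" "$3" "$perms"
}

# build_module NAME LINE: compile, package and load the module, then confirm
# the new lnk_file rule with sesearch. Needs root and the policy tools.
build_module() {
    name=$1
    make_module "$name" "$2" > "$name.te" &&
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp" &&
    sesearch -s systemd_logind_t -t cgroup_t -c lnk_file -A
}

# Show the rule and the module; install only on explicit request as root.
avc_to_allow "$AVC"
make_module logind_cgroup_lnk "$AVC"
if [ "${INSTALL_MODULE:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v checkmodule >/dev/null 2>&1; then
    build_module logind_cgroup_lnk "$AVC"
fi
```

Note that the rule only covers the lnk_file read on cgroup_t; if logind then
follows the link into cpu,cpuacct, the existing dir and file rules from the
sesearch output above already apply to that directory, so no further
permission should be needed for this particular denial.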
