On Wed, 2014-07-16 at 11:11 -0400, Steve Lawrence wrote:
<snip>
> Hmm. I still can't get this error. The only thing I get with ausearch is
>
> type=USER_AVC msg=audit(1405522202.264:463): pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission
> start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=?
> addr=? terminal=?'
>
> Which looks correct. Fedora's latest policy does not include start in
> the system class:
>
> $ seinfo -csystem -x
>    system
>       status
>       module_request
>       reboot
>       disable
>       enable
>       undefined
>       ipc_info
>       syslog_read
>       halt
>       reload
>       syslog_console
>       syslog_mod
>
> Also, the policy built with CIL on my machine allows the USER_AVC you're
> seeing:
>
> $ sesearch -A -s systemd_logind_t -t init_t -c service
> Found 2 semantic av rules:
>    allow systemd_domain init_t : service { stop status reload start } ;
>    allow systemd_logind_t init_t : service status ;
>
> Not sure if this would help, but it looks like you can set the boot
> parameter systemd.log_level=debug, and it should print all the selinux
> access checks, including which ones cause the "SELinux policy denies
> access" message. Unfortunately, I think the extra debug messages
> prevent my VM from booting, but you might have better luck.
>

The same symptoms as with the classorder issue except that this time it
only happens once after the upgrade. Rebooting fixes the issue (?)

That was not the case with the classorder issue.