[DSE-Dev] Bug#740682: avc: denied { getattr } for /sbin/setfiles (virtual filesystem roots)

Zack Weinberg zackw at panix.com
Tue Mar 4 02:17:33 UTC 2014


Source: refpolicy
Version: 2:2.20140206-1
Severity: normal

This seems to happen on any invocation of restorecon (as the unconfined
superuser):

type=AVC msg=audit(1393898218.762:233): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=sysfs ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:233): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=75736f6e2c6c6562 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:234): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=devtmpfs ino=1025 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:234): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d295 a1=7fffe0d11a70 a2=7f74fdd8d295 a3=6f6d2c3738353332 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:235): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=devpts ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:235): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d297 a1=7fffe0d11a70 a2=7f74fdd8d297 a3=3d65646f6d2c353d items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:236): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

This is one of the last things I need to correct before I can switch to
enforcing mode, but I'm at a complete loss as to what might be wrong.
Possibly relevant:

# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,seclabel,size=10240k,nr_inodes=123587,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,seclabel,size=102028k,mode=755)
/dev/xvda on / type ext3 (rw,noatime,seclabel,errors=remount-ro,barrier=1,data=ordered)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:var_lock_t:s0,seclabel,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:tmpfs_t:s0,seclabel,size=256480k)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,rootcontext=system_u:object_r:tmp_t:s0,seclabel,size=256480k)

# ls -ldZ / /sys /proc /dev /dev/pts /run /run/lock /run/shm /tmp
drwxr-xr-x. 22 root root system_u:object_r:root_t:SystemLow     4096 Mar  2 23:23 /
drwxr-xr-x. 11 root root system_u:object_r:device_t:SystemLow   2580 Mar  4 01:17 /dev
drwxr-xr-x.  2 root root system_u:object_r:devpts_t:SystemLow      0 Mar  4 01:16 /dev/pts
dr-xr-xr-x. 95 root root system_u:object_r:proc_t:SystemLow        0 Mar  4 01:16 /proc
drwxr-xr-x. 15 root root system_u:object_r:var_run_t:SystemLow   600 Mar  4 01:17 /run
drwxrwxrwt.  3 root root system_u:object_r:var_lock_t:SystemLow   60 Mar  4 01:17 /run/lock
drwxrwxrwt.  2 root root system_u:object_r:tmpfs_t:SystemLow      60 Mar  4 01:16 /run/shm
drwxr-xr-x. 13 root root system_u:object_r:sysfs_t:SystemLow       0 Mar  4 01:16 /sys
drwxrwxrwt.  2 root root system_u:object_r:tmp_t:SystemLow        40 Mar  4 02:02 /tmp

# ls -lZ /sbin/setfiles 
-rwxr-xr-x. 1 root root system_u:object_r:setfiles_exec_t:SystemLow 26488 Dec 29 13:44 /sbin/setfiles

I'm running a mostly-stable system with selected things from testing:
in particular, everything to do with SELinux is from testing.  I cannot
run the kernel from testing because the cloud provider's pv-grub is too
old for it.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
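A small triage helper, added here as an example and not part of the bug report or of refpolicy: it pairs each AVC record above with its SYSCALL record by audit serial, notes that every denied call is statfs(2) (syscall 137 on x86_64) that nevertheless returned success=yes, which means the setfiles_t domain was not being enforced (consistent with the system still running permissive), and aggregates the denials into the type-enforcement allow rules that audit2allow would print. The syscall-number table only covers the two numbers relevant here. In refpolicy the access would normally be granted through a kernel/filesystem interface (fs_getattr_all_fs) rather than by raw allow rules; the raw rules just make the missing permission explicit.

```python
import re
from collections import OrderedDict

# Audit records copied verbatim from the bug report above (not constructed).
AUDIT_RECORDS = """\
type=AVC msg=audit(1393898218.762:233): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=sysfs ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:233): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=75736f6e2c6c6562 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:234): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=devtmpfs ino=1025 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:234): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d295 a1=7fffe0d11a70 a2=7f74fdd8d295 a3=6f6d2c3738353332 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:235): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=devpts ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:235): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d297 a1=7fffe0d11a70 a2=7f74fdd8d297 a3=3d65646f6d2c353d items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:236): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 (arch=c000003e) syscall numbers relevant to these records only.
X86_64_SYSCALLS = {137: "statfs", 138: "fstatfs"}


def kv_fields(text):
    """Split 'key=value key="quoted value"' text into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """user:role:type[:mls range] -> the type component."""
    return ctx.split(":")[2]


def analyze(records):
    """Pair each AVC record with the SYSCALL record carrying the same audit
    serial and return one summary dict per AVC, in log order."""
    avcs, syscalls = OrderedDict(), {}
    for line in records.splitlines():
        line = line.strip()
        if not line:
            continue
        m = AVC_RE.match(line)
        if m:
            f = kv_fields(m.group("rest"))
            avcs[int(m.group("serial"))] = {
                "result": m.group("result"),
                "perms": m.group("perms").split(),
                "stype": context_type(f["scontext"]),
                "ttype": context_type(f["tcontext"]),
                "tclass": f["tclass"],
                "comm": f.get("comm"), "dev": f.get("dev"), "name": f.get("name"),
            }
        elif line.startswith("type=SYSCALL"):
            syscalls[int(SERIAL_RE.search(line).group(1))] = kv_fields(line)
    out = []
    for serial, avc in avcs.items():
        sc = syscalls.get(serial, {})
        nr = int(sc["syscall"]) if "syscall" in sc else None
        out.append({
            **avc,
            "serial": serial,
            "syscall": X86_64_SYSCALLS.get(nr, nr) if sc.get("arch") == "c000003e" else nr,
            # A denied AVC whose syscall still succeeded means the access was
            # only audited, not blocked: permissive mode or a permissive domain.
            "permissive": avc["result"] == "denied" and sc.get("success") == "yes",
        })
    return out


def allow_rules(events):
    """Collapse denials into one TE allow rule per (source type, target type,
    class), merging permissions, in the shape audit2allow prints."""
    merged = {}
    for e in events:
        if e["result"] != "denied":
            continue
        merged.setdefault((e["stype"], e["ttype"], e["tclass"]), set()).update(e["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {p};" if len(perms) == 1
                     else f"allow {s} {t}:{c} {{ {p} }};")
    return rules


if __name__ == "__main__":
    events = analyze(AUDIT_RECORDS)
    for e in events:
        print(f"{e['serial']}: {e['comm']} ({e['stype']}) {e['syscall']} on {e['dev']} "
              f"-> {e['ttype']}:{e['tclass']} {e['perms']} permissive={e['permissive']}")
    print("\n".join(allow_rules(events)))
```

Run as-is it prints four statfs denials, all flagged permissive, followed by four one-permission allow rules for setfiles_t on the sysfs_t, device_t, devpts_t and tmpfs_t filesystem objects; the same loop works on `ausearch -m AVC,SYSCALL -ts recent` output for a different domain.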
