[DSE-Dev] Bug#879037: refpolicy: SELinux prevents systemctl from listing units during tab completion.

Maksim K. debian_bug at k-max.name
Sun Jun 14 23:30:55 BST 2020


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #879037

Hi,
I have the same issue, but I could provide audit.log.
When I try Tab-Tab completion after (for example) 'systemctl status a' <Tab><Tab>,
I get the following messages in audit.log:
***
type=USER_AVC msg=audit(1592171060.677:242): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/proc/self/mountinfo" cmdline="systemctl --system --full --no-legend show --property CanStop -- mnt-maks.automount proc-sys-fs-binfmt_misc.automount sys-devices-pci0000:00-0000:00:02.0-virtio0-net-ens2.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda1.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda15.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda.device sys-devices-platform-serial8250-tty-ttyS1.device sys-devices-platform-serial8250-tty-ttyS2.device sys-devices-platform-serial8250-tty-ttyS3.device sys-devices-pnp0-00:04-tty-ttyS0.device sys-devices-virtual-net-tun0.device sys-devices-virtual-net-tun1.device sys-subsystem-net-devices-ens2.device sys-subsystem-net-devices-tun0.device sys-subsystem-net-devices-tun1.device -.mount boot-efi.mount dev-hugepages.mount
  dev-mqueue.mount run-user-0.mount sys-kernel-debug.mount systemd-ask-password-console.path systemd-ask-password-wall.path init.scope session-1.scope s exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1592171894.511:255): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/proc/self/mountinfo" cmdline="systemctl --system --full --no-legend show --property CanStop -- mnt-maks.automount proc-sys-fs-binfmt_misc.automount sys-devices-pci0000:00-0000:00:02.0-virtio0-net-ens2.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda1.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda15.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda.device sys-devices-platform-serial8250-tty-ttyS1.device sys-devices-platform-serial8250-tty-ttyS2.device sys-devices-platform-serial8250-tty-ttyS3.device sys-devices-pnp0-00:04-tty-ttyS0.device sys-devices-virtual-net-tun0.device sys-devices-virtual-net-tun1.device sys-subsystem-net-devices-ens2.device sys-subsystem-net-devices-tun0.device sys-subsystem-net-devices-tun1.device -.mount boot-efi.mount dev-hugepages.mount
  dev-mqueue.mount run-user-0.mount sys-kernel-debug.mount systemd-ask-password-console.path systemd-ask-password-wall.path init.scope session-1.scope s exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1592171902.891:257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/proc/self/mountinfo" cmdline="systemctl --system --full --no-legend show --property CanStop -- mnt-maks.automount proc-sys-fs-binfmt_misc.automount sys-devices-pci0000:00-0000:00:02.0-virtio0-net-ens2.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda1.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda15.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda.device sys-devices-platform-serial8250-tty-ttyS1.device sys-devices-platform-serial8250-tty-ttyS2.device sys-devices-platform-serial8250-tty-ttyS3.device sys-devices-pnp0-00:04-tty-ttyS0.device sys-devices-virtual-net-tun0.device sys-devices-virtual-net-tun1.device sys-subsystem-net-devices-ens2.device sys-subsystem-net-devices-tun0.device sys-subsystem-net-devices-tun1.device -.mount boot-efi.mount dev-hugepages.mount
  dev-mqueue.mount run-user-0.mount sys-kernel-debug.mount systemd-ask-password-console.path systemd-ask-password-wall.path init.scope session-1.scope s exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1592172046.089:277): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/proc/self/mountinfo" cmdline="systemctl --system --full --no-legend show --property CanStop -- mnt-maks.automount proc-sys-fs-binfmt_misc.automount sys-devices-pci0000:00-0000:00:02.0-virtio0-net-ens2.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda1.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda15.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda.device sys-devices-platform-serial8250-tty-ttyS1.device sys-devices-platform-serial8250-tty-ttyS2.device sys-devices-platform-serial8250-tty-ttyS3.device sys-devices-pnp0-00:04-tty-ttyS0.device sys-devices-virtual-net-tun0.device sys-devices-virtual-net-tun1.device sys-subsystem-net-devices-ens2.device sys-subsystem-net-devices-tun0.device sys-subsystem-net-devices-tun1.device -.mount boot-efi.mount dev-hugepages.mount
  dev-mqueue.mount run-user-0.mount sys-kernel-debug.mount systemd-ask-password-console.path systemd-ask-password-wall.path init.scope session-1.scope s exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1592172050.077:279): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/proc/self/mountinfo" cmdline="systemctl --system --full --no-legend show --property CanStop -- mnt-maks.automount proc-sys-fs-binfmt_misc.automount sys-devices-pci0000:00-0000:00:02.0-virtio0-net-ens2.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda1.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda-vda15.device sys-devices-pci0000:00-0000:00:03.0-virtio1-block-vda.device sys-devices-platform-serial8250-tty-ttyS1.device sys-devices-platform-serial8250-tty-ttyS2.device sys-devices-platform-serial8250-tty-ttyS3.device sys-devices-pnp0-00:04-tty-ttyS0.device sys-devices-virtual-net-tun0.device sys-devices-virtual-net-tun1.device sys-subsystem-net-devices-ens2.device sys-subsystem-net-devices-tun0.device sys-subsystem-net-devices-tun1.device -.mount boot-efi.mount dev-hugepages.mount
  dev-mqueue.mount run-user-0.mount sys-kernel-debug.mount systemd-ask-password-console.path systemd-ask-password-wall.path init.scope session-1.scope s exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1592172210.962:292): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/proc/self/mountinfo" cmdline="systemctl --system --full --no-legend show --property CanStart -- proc-sys-fs-binfmt_misc.automount dev-hugepages.mount dev-mqueue.mount proc-sys-fs-binfmt_misc.mount sys-fs-fuse-connections.mount sys-kernel-config.mount sys-kernel-debug.mount systemd-ask-password-console.path systemd-ask-password-wall.path apache-htcacheclean.service apache2.service apt-daily-upgrade.service apt-daily.service auditd.service bind9-pkcs11.service bind9-resolvconf.service bind9.service cgmanager.service cgproxy.service chrony.service chronyd.service cloud-config.service cloud-final.service cloud-init-local.service cloud-init.service console-getty.service cron.service dbus-org.freedesktop.hostname1.service dbus-org.freedesktop.locale1.service dbus-org.freedesktop.login1.service dbus-org.freedesktop.network1.service dbus-org.freedesktop.resolve1.service dbus-org.freedesktop.timedate1.service dbus.service debug-shell.service emergency.service get exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
***


-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
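
A way to triage records like the ones above, added here as an example and not part of the original report or of refpolicy: it rejoins lines wrapped by the archive, extracts the denied permission and cmdline, and flags records whose cmdline has no closing quote and which carry no scontext, tcontext or tclass, so no allow rule can be derived from them. The sample records are constructed and shortened; the contexts in the second record and all function names are assumptions.

```python
import re

# Constructed sample shaped like the records above (unit list shortened, IDs made up).
# Record 1 is cut off inside cmdline and wrapped; record 2 is complete (contexts assumed).
SAMPLE_LOG = r"""type=USER_AVC msg=audit(1000000001.100:10): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/proc/self/mountinfo" cmdline="systemctl --system --full --no-legend show --property CanStop -- a.mount
  b.mount session-1.scope s exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1000000002.200:11): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/lib/systemd/system/example.service" cmdline="systemctl status example" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

HEADER = re.compile(r"^type=USER_AVC msg=audit\(\d+\.\d+:(?P<serial>\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}")
FIELD = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")

def records(text):
    """Rejoin wrapped lines: a line not starting with 'type=' continues the previous record."""
    out = []
    for line in text.splitlines():
        if line.startswith("type="):
            out.append(line)
        elif out and line.strip():
            out[-1] += " " + line.strip()
    return out

def parse_user_avc(rec):
    """Return the fields of one USER_AVC denial, or None if the record is not one."""
    head, perms = HEADER.match(rec), PERMS.search(rec)
    if not head or not perms:
        return None
    # Text between cmdline=" and the trailing exe=; a closing quote means cmdline is intact.
    cmd, quote, _ = rec.partition('cmdline="')[2].rpartition(" exe=")[0].partition('"')
    fields = dict(FIELD.findall(rec))
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    return {"serial": int(head["serial"]), "perms": perms["perms"].split(), "cmdline": cmd,
            "truncated": 'cmdline="' in rec and not quote, "missing": missing, **fields}

def allow_rule(p):
    """Render a complete denial as the matching allow rule (type is the 3rd context field)."""
    src, tgt = (p[k].split(":")[2] for k in ("scontext", "tcontext"))
    return f"allow {src} {tgt}:{p['tclass']} {{ {' '.join(p['perms'])} }};"

def triage(text):
    """Split denials into (complete, incomplete); incomplete ones lack fields a rule needs."""
    parsed = [p for p in map(parse_user_avc, records(text)) if p]
    return ([p for p in parsed if not p["missing"]], [p for p in parsed if p["missing"]])

if __name__ == "__main__":
    complete, incomplete = triage(SAMPLE_LOG)
    for p in complete:
        print(p["serial"], allow_rule(p))
    for p in incomplete:
        print(p["serial"], "no rule: missing", ", ".join(p["missing"]), "truncated:", p["truncated"])
```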


