0013920: sshd regression: openssh hangs on startup if an attempt was made to restart ssh within cloud-init bootcmd section

September 27, 2017, 3:41 am

≫ Next: 0013272: [abrt] yum: yumRepo.py:527:dump:UnicodeDecodeError: 'ascii' codec can't decode byte 0xef in position 1489: ordinal not in ...

≪ Previous: 0013890: Compiling kernel-plus-3.10.0-693.2.2.el7.centos.plus.src for i686

We have a CentOS7 system provisioned at AWS using cloud-init, which downloads and unpacks sshd keys and restarts the sshd daemon during the bootcmd section like so: bootcmd: - echo "Running bootcmds..." - /usr/sbin/groupadd -r ssl-cert-server - /usr/sbin/groupadd -r ssl-cert-client - /usr/sbin/groupadd -r ssl-key - echo "Fetching credentials..." - /usr/bin/curl --proxy "${proxy}" <a href="http://[url]">http://[url]</a> | openssl aes-256-cbc -pass pass:${secret} -d -a -salt | tar -zx -C / --no-same-owner - /usr/sbin/service sshd reload-or-try-restart This process has worked fine for over a year. Part of the cloud-init process is to apply all system updates on boot, bringing openssh up to the following version: openssh-server-7.4p1-12.el7_4.x86_64 We have suddenly encountered a change where despite the machine coming up and being provisioned correctly, when that machine is rebooted for the first time that machine hangs at the point when sshd is started. As this box is at AWS, with the boot process hung and no way to get in, you have permanent lockout on the machine. It appears that if sshd is started early on during the cloud-init bootcmd hook, a later attempt to start sshd will hang and stop further bootup of the machine.

↧

0013272: [abrt] yum: yumRepo.py:527:dump:UnicodeDecodeError: 'ascii' codec can't decode byte 0xef in position 1489: ordinal not in ...

September 27, 2017, 5:58 am

≫ Next: 0013921: Access to symlinked directories stop working after upgrade

≪ Previous: 0013920: sshd regression: openssh hangs on startup if an attempt was made to restart ssh within cloud-init bootcmd section

Description of problem: Hi all, When I use yum updating for my CentOS 7 after first time complete installation, It occurs this problem! and I don't know what's happened. Would you tell me why? and what can I do. Thanks. by Mike 5/18/2017 Version-Release number of selected component: yum-3.4.3-150.el7.centos Truncated backtrace: yumRepo.py:527:dump:UnicodeDecodeError: 'ascii' codec can't decode byte 0xef in position 1489: ordinal not in range(128) Traceback (most recent call last): File "/bin/yum", line 29, in <module> yummain.user_main(sys.argv[1:], exit_code=True) File "/usr/share/yum-cli/yummain.py", line 370, in user_main errcode = main(args) File "/usr/share/yum-cli/yummain.py", line 276, in main return_code = base.doTransaction() File "/usr/share/yum-cli/cli.py", line 773, in doTransaction resultobject = self.runTransaction(cb=cb) File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 1853, in runTransaction self._store_config_in_history() File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 6784, in _store_config_in_history myrepos += repo.dump() File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 527, in dump output = output + '%s = %s\n' % (attr, res) UnicodeDecodeError: 'ascii' codec can't decode byte 0xef in position 1489: ordinal not in range(128) Local variables in innermost frame: self: <yum.yumRepo.YumRepository object at 0x1603ed0> res: u'CentOS-7 - Base' excluded_vars: ('mediafunc', 'sack', 'metalink_data', 'grab', 'grabfunc', 'repoXML', 'cfg', 'retrieved', 'mirrorlistparsed', 'gpg_import_func', 'gpgca_import_func', 'failure_obj', 'callback', 'confirm_func', 'groups_added', 'interrupt_callback', 'id', 'mirror_failure_obj', 'repo_config_age', 'groupsfilename', 'copy_local', 'basecachedir', 'http_headers', 'metadata_cookie', 'metadata_cookie_fn', 'quick_enable_disable', 'repoMDFile', 'timestamp_check', 'urls', 'mirrorurls', 'yumvar', 'repofile', 'multi_callback') attr: 'name' output: '[base]\nasync = True\nbandwidth = 0\nbase_persistdir = /var/lib/yum/repos/x86_64/7\nbaseurl = <a href="http://ftp.stu.edu.tw/Linux/CentOS/7.3.1611/os/x86_64/,\n">http://ftp.stu.edu.tw/Linux/CentOS/7.3.1611/os/x86_64/,\n</a> <a href="http://ftp.isu.edu.tw/pub/Linux/CentOS/7.3.1611/os/x86_64/,\n">http://ftp.isu.edu.tw/pub/Linux/CentOS/7.3.1611/os/x86_64/,\n</a> <a href="http://ftp.tc.edu.tw/Linux/CentOS/7.3.1611/os/x86_64/,\n">http://ftp.tc.edu.tw/Linux/CentOS/7.3.1611/os/x86_64/,\n</a> <a href="http://centos.cs.nctu.edu.tw/7.3.1611/os/x86_64/,\n">http://centos.cs.nctu.edu.tw/7.3.1611/os/x86_64/,\n</a> <a href="http://ftp.yzu.edu.tw/Linux/CentOS/7.3.1611/os/x86_64/,\n">http://ftp.yzu.edu.tw/Linux/CentOS/7.3.1611/os/x86_64/,\n</a> <a href="http://ftp.ksu.edu.tw/pub/CentOS/7.3.1611/os/x86_64/,\n">http://ftp.ksu.edu.tw/pub/CentOS/7.3.1611/os/x86_64/,\n</a> <a href="http://ftp.twaren.net/Linux/CentOS/7.3.1611/os/x86_64/,\n">http://ftp.twaren.net/Linux/CentOS/7.3.1611/os/x86_64/,\n</a> <a href="http://mirrors.sohu.com/centos/7.3.1611/os/x86_64/,\n">http://mirrors.sohu.com/centos/7.3.1611/os/x86_64/,\n</a> <a href="http://mirrors.cn99.com/centos/7.3.1611/os/x86_64/,\n">http://mirrors.cn99.com/centos/7.3.1611/os/x86_64/,\n</a> <a href="http://mirrors.njupt.edu.cn/centos/7.3.1611/os/x86_64/\ncache">http://mirrors.njupt.edu.cn/centos/7.3.1611/os/x86_64/\ncache</a> = 0\ncachedir = /var/cache/yum/x86_64/7/base\ncheck_config_file_age = True\ncompare_providers_priority = 80\ncost = 1000\ndeltarpm_metadata_percentage = 100\ndeltarpm_percentage = \nenabled = True\nenablegroups = True\nexclude = \nfailovermethod = priority\nftp_disable_epsv = False\ngpgcadir = /var/lib/yum/repos/x86_64/7/base/gpgcadir\ngpgcakey = \ngpgcheck = True\ngpgdir = /var/lib/yum/repos/x86_64/7/base/gpgdir\ngpgkey = <a href="file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7\nhdrdir">file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7\nhdrdir</a> = /var/cache/yum/x86_64/7/base/headers\nhttp_caching = all\nincludepkgs = \nip_resolve = \nkeepalive = True\nkeepcache = False\nmddownloadpolicy = sqlite\nmdpolicy = group:small\nmediaid = \nmetadata_expire = 21600\nmetadata_expire_filter = read-only:present\nmetalink = \nminrate = 0\nmirrorlist = <a href="http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock\xef\xbc\x86cc=tw\nmirrorlist_expire">http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock\xef\xbc\x86cc=tw\nmirrorlist_expire</a> = 86400\nmirrorlist_file = /var/cache/yum/x86_64/7/base/mirrorlist.txt\n'

↧

0013921: Access to symlinked directories stop working after upgrade

September 27, 2017, 6:24 am

≫ Next: 0013922: gssproxy will not start Failed to write to /proc/net/rpc/use-gss-proxy

≪ Previous: 0013272: [abrt] yum: yumRepo.py:527:dump:UnicodeDecodeError: 'ascii' codec can't decode byte 0xef in position 1489: ordinal not in ...

After the upgrade to the latest patch (in particular CVE-2017-2619.patch), all the symlinked directories that point inside a veto/hidden directory cannot be accessed

↧

0013922: gssproxy will not start Failed to write to /proc/net/rpc/use-gss-proxy

September 27, 2017, 8:10 am

≫ Next: 0013923: I'd like access to apps.ci.centos.org

≪ Previous: 0013921: Access to symlinked directories stop working after upgrade

After updating to Centos 7.4 on a NFS server that provides kerberos mounts. Kerberos mounts started getting permission denied errors. Looking at systemctl gsssproxy failed to start. When I tried to start it manually in debug mode I get the following error. [2017/09/27 14:47:05]: Debug Enabled (level: 0) [2017/09/27 14:47:05]: Failed to write to /proc/net/rpc/use-gss-proxy: 16 (Device or resource busy) [2017/09/27 14:47:05]: Problem with kernel communication! NFS server will not work [2017/09/27 14:47:05]: Client connected (fd = 10)[2017/09/27 14:47:05]: (pid = 6147) (uid = 0) (gid = 0)[2017/09/27 14:47:05]: (context = system_u:system_r:kernel_t:s0)[2017/09/27 14:47:05]: ^C[2017/09/27 14:47:06]: Exiting after receiving a signal When I do an lsof +D /proc/net/rpc I get the following output COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpc.idmap 964 root 8u REG 0,3 0 4026532512 /proc/11590/net/rpc/nfs4.nametoid/channel rpc.idmap 964 root 9u REG 0,3 0 4026532508 /proc/11590/net/rpc/nfs4.idtoname/channel rpc.mount 13434 root 3u REG 0,3 0 4026532483 /proc/11590/net/rpc/auth.unix.ip/channel rpc.mount 13434 root 4u REG 0,3 0 4026532500 /proc/11590/net/rpc/nfsd.export/channel rpc.mount 13434 root 5u REG 0,3 0 4026532504 /proc/11590/net/rpc/nfsd.fh/channel netdata 14020 netdata 36r REG 0,3 0 4026532514 /proc/11590/net/rpc/nfsd Also according to <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1203913">https://bugzilla.redhat.com/show_bug.cgi?id=1203913</a> /proc/net/rpc/use-gss-proxy has to be set to -1 or it will not work. It is currently 0. If I try to echo 1 into /proc/net/rpc/use-gss-proxy I get write error: Connection refused

↧

0013923: I'd like access to apps.ci.centos.org

September 27, 2017, 10:59 am

≫ Next: 0013285: SELinux is preventing /usr/libexec/accounts-daemon from 'search' accesses on the directory 24495.

≪ Previous: 0013922: gssproxy will not start Failed to write to /proc/net/rpc/use-gss-proxy

I'd like to have access to apps.ci.centos.org, please. This request currently encompasses the following people: Dominik Perpeet <<a href="mailto:dperpeet@redhat.com">dperpeet@redhat.com</a>> Pierre-Yves Chibon <<a href="mailto:pingou@redhat.com">pingou@redhat.com</a>> Andrei Stepanov <<a href="mailto:astepano@redhat.com">astepano@redhat.com</a>> Serhii Turivnyi <<a href="mailto:sturivny@redhat.com">sturivny@redhat.com</a>> Thank you!

↧

0013285: SELinux is preventing /usr/libexec/accounts-daemon from 'search' accesses on the directory 24495.

September 27, 2017, 12:04 pm

≫ Next: 0013924: Staging Fedmsg Relay in CI

≪ Previous: 0013923: I'd like access to apps.ci.centos.org

Description of problem: Add a user to the system using Settings -> Users app SELinux is preventing /usr/libexec/accounts-daemon from 'search' accesses on the directory 24495. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that accounts-daemon should be allowed search access on the 24495 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon # semodule -i my-accountsdaemon.pp Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:system_r:unconfined_service_t:s0 Target Objects 24495 [ dir ] Source accounts-daemon Source Path /usr/libexec/accounts-daemon Port <Unknown> Host (removed) Source RPM Packages accountsservice-0.6.35-12.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64 Alert Count 2 First Seen 2017-05-19 19:41:31 PDT Last Seen 2017-05-19 19:43:52 PDT Local ID f5e2b651-e9b3-485b-8f65-30e206bc87b2 Raw Audit Messages type=AVC msg=audit(1495248232.12:459): avc: denied { search } for pid=24632 comm="accounts-daemon" name="24495" dev="proc" ino=86793 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir type=SYSCALL msg=audit(1495248232.12:459): arch=x86_64 syscall=open success=no exit=EACCES a0=7fa1ca9a98a0 a1=0 a2=7ffceb74f530 a3=0 items=0 ppid=1 pid=24632 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null) Hash: accounts-daemon,accountsd_t,unconfined_service_t,dir,search Version-Release number of selected component: selinux-policy-3.13.1-102.el7_3.16.noarch

↧

0013924: Staging Fedmsg Relay in CI

September 27, 2017, 12:34 pm

≫ Next: 0013834: Reboot or 'systemctl stop ipsec' brings down _ethernet_ interfaces on _both_ ends of ipv4 ipsec tunnel !!!

≪ Previous: 0013285: SELinux is preventing /usr/libexec/accounts-daemon from 'search' accesses on the directory 24495.

We need to set up a staging relay that accepts org.centos.stage topics and posts to ONLY stg.fp.o

↧

0013834: Reboot or 'systemctl stop ipsec' brings down _ethernet_ interfaces on _both_ ends of ipv4 ipsec tunnel !!!

September 27, 2017, 12:35 pm

≫ Next: 0013893: Jenkins container exited with code 1

≪ Previous: 0013924: Staging Fedmsg Relay in CI

'systemctl stop ipsec' brings down _ethernet_ interfaces on _both_ ends of ipv4 ipsec tunnel, hence machines go offline but system is still alive as my watchdog script eventually reboots machines on both ends and ipsec tunnel is properly rebuilt after some time. It is really painful for it also happens during reboot of client machine, shuts down ethernet interfaces on both ends and therefore causes downtime of ipsec hub.

↧

0013893: Jenkins container exited with code 1

September 27, 2017, 1:21 pm

≫ Next: 0013925: [abrt] kernel: NMI watchdog: BUG: soft lockup - CPU#4 stuck for 23s! [X:1000]

≪ Previous: 0013834: Reboot or 'systemctl stop ipsec' brings down _ethernet_ interfaces on _both_ ends of ipv4 ipsec tunnel !!!

On Friday Sept 22 at 10:32 AM EST, my Jenkins container exited with code 1. pod name: jenkins-19-xpzwq project: continuous-infra Nothing in Jenkins logs or on pod console. Can you please scan output logs for any relevant details?

↧

0013925: [abrt] kernel: NMI watchdog: BUG: soft lockup - CPU#4 stuck for 23s! [X:1000]

September 27, 2017, 1:55 pm

≫ Next: 0013926: http://download.webmin.com/download/yum/webmin-1.850-1.noarch.rpm: [Errno 14]

≪ Previous: 0013893: Jenkins container exited with code 1

Description of problem: tried to `reboot` and this happened Version-Release number of selected component: kernel Truncated backtrace: #1 ioread32 #2 ? nv04_timer_read in nouveau #3 nvkm_timer_read in nouveau #4 nvkm_pmu_reset in nouveau #5 nvkm_pmu_preinit in nouveau #6 nvkm_subdev_preinit in nouveau #7 nvkm_device_init in nouveau #8 nvkm_udevice_init in nouveau #9 nvkm_object_init in nouveau #10 nvkm_object_init in nouveau

↧

0013926: http://download.webmin.com/download/yum/webmin-1.850-1.noarch.rpm: [Errno 14]

September 27, 2017, 3:36 pm

≫ Next: 0013927: ProtectHome=yes breaks /home

≪ Previous: 0013925: [abrt] kernel: NMI watchdog: BUG: soft lockup - CPU#4 stuck for 23s! [X:1000]

Dopo aver eseguito il comando Yum Update con utente root, il sistema mi dice che manca il file in oggetto, ovvero: <a href="http://download.webmin.com/download/yum/webmin-1.850-1.noarch.rpm:">http://download.webmin.com/download/yum/webmin-1.850-1.noarch.rpm:</a> [Errno 14] Come faccio a risolvere il problema? grazie Luca

↧

0013927: ProtectHome=yes breaks /home

September 27, 2017, 4:05 pm

≫ Next: 0013801: gnome-system-monitor incorrect cpu numbers

≪ Previous: 0013926: http://download.webmin.com/download/yum/webmin-1.850-1.noarch.rpm: [Errno 14]

Having ProtectHome=yes in any service file causes a symlinked or autofs mounted /home directory to return ELOOP ls: cannot open directory /home: Too many levels of symbolic links This bug report describes the issue. <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1444223">https://bugzilla.redhat.com/show_bug.cgi?id=1444223</a>

↧

0013801: gnome-system-monitor incorrect cpu numbers

September 27, 2017, 5:37 pm

≫ Next: 0013928: [abrt] virt-manager: gtk_css_static_style_compute_value(): python2.7 killed by SIGSEGV

≪ Previous: 0013927: ProtectHome=yes breaks /home

i get 2 cpu 44 cores 88 threads, but only show 0-57 cpus in gnome-system-monitor

↧

0013928: [abrt] virt-manager: gtk_css_static_style_compute_value(): python2.7 killed by SIGSEGV

September 27, 2017, 6:26 pm

≫ Next: 0013929: [abrt] nautilus: idle_callback(): nautilus killed by SIGABRT

≪ Previous: 0013801: gnome-system-monitor incorrect cpu numbers

Description of problem: Just started setting up LVM/QEMU Version-Release number of selected component: virt-manager-1.4.1-7.el7 Truncated backtrace: Thread no. 0 (10 frames) #1 gtk_css_static_style_compute_value at gtkcssstaticstyle.c:237 #2 _gtk_css_lookup_resolve at gtkcsslookup.c:122 #3 gtk_css_static_style_new_compute at gtkcssstaticstyle.c:195 #4 gtk_css_node_create_style at gtkcssnode.c:371 #5 gtk_css_node_real_update_style at gtkcssnode.c:425 #6 gtk_css_node_ensure_style at gtkcssnode.c:1003 #10 gtk_css_node_get_style at gtkcssnode.c:1029 #11 gtk_style_context_lookup_style at gtkstylecontext.c:493 #12 _gtk_style_context_peek_style_property at gtkstylecontext.c:1635 #13 gtk_widget_style_get_valist at gtkwidget.c:13238

↧

0013929: [abrt] nautilus: idle_callback(): nautilus killed by SIGABRT

September 27, 2017, 6:46 pm

≫ Next: 0013930: Error in grub2-2.02-0.64.el7.centos.x86_64 rpm spec

≪ Previous: 0013928: [abrt] virt-manager: gtk_css_static_style_compute_value(): python2.7 killed by SIGSEGV

Version-Release number of selected component: nautilus-3.22.3-3.el7 Truncated backtrace: Thread no. 1 (5 frames) #4 idle_callback #5 g_idle_dispatch at /lib64/libglib-2.0.so.0 #7 g_main_context_iterate.isra.21 at /lib64/libglib-2.0.so.0 #8 g_main_context_iteration at /lib64/libglib-2.0.so.0 #9 g_application_run at /lib64/libgio-2.0.so.0

↧

0013930: Error in grub2-2.02-0.64.el7.centos.x86_64 rpm spec

September 27, 2017, 8:14 pm

≫ Next: 0013931: Cloud-init can't resize instances anymore since update to 0.7.9

≪ Previous: 0013929: [abrt] nautilus: idle_callback(): nautilus killed by SIGABRT

After upgrading from 7.3 to 7.4, I get this error: # yum check all Loaded plugins: fastestmirror, langpacks, priorities, remove-with-leaves 1:grub2-2.02-0.64.el7.centos.x86_64 is obsoleted by 1:grub2-2.02-0.64.el7.centos.x86_64 Error: check ['all'] This isn't just an annoying error. It will block transactions acting on grub2, like 'yum reinstall grub2'.

↧

0013931: Cloud-init can't resize instances anymore since update to 0.7.9

September 27, 2017, 8:33 pm

≫ Next: 0013932: SELinux is preventing /usr/bin/pulseaudio from using the 'signull' accesses on a process.

≪ Previous: 0013930: Error in grub2-2.02-0.64.el7.centos.x86_64 rpm spec

It appears that since the cloud-init update to 0.7.9, cloud-init can't resize our instances anymore. While some parts of it run properly, I'm getting the following error which may be linked : 2017-09-28 02:01:43,641 - util.py[WARNING]: failed stage init 2017-09-28 02:01:43,641 - util.py[DEBUG]: failed stage init Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/cloudinit/cmd/main.py", line 513, in status_wrapper ret = functor(name, args) File "/usr/lib/python2.7/site-packages/cloudinit/cmd/main.py", line 281, in main_init init.update() File "/usr/lib/python2.7/site-packages/cloudinit/stages.py", line 357, in update self._store_vendordata() File "/usr/lib/python2.7/site-packages/cloudinit/stages.py", line 381, in _store_vendordata util.write_file(self._get_ipath('vendordata_raw'), raw_vd, 0o600) File "/usr/lib/python2.7/site-packages/cloudinit/util.py", line 1755, in write_file content = encode_text(content) File "/usr/lib/python2.7/site-packages/cloudinit/util.py", line 154, in encode_text return text.encode(encoding) AttributeError: 'dict' object has no attribute 'encode' I suspect this is preventing the cloud_init_modules from running. More information may be found in the attached logs.

↧

0013932: SELinux is preventing /usr/bin/pulseaudio from using the 'signull' accesses on a process.

September 27, 2017, 11:40 pm

≫ Next: 0013933: SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the file cf8c2a48e5444ca2955e9e1cfd264438-0.

≪ Previous: 0013931: Cloud-init can't resize instances anymore since update to 0.7.9

Description of problem: Just logged in to KDE SELinux is preventing /usr/bin/pulseaudio from using the 'signull' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If sie denken, dass es pulseaudio standardmäßig erlaubt sein sollte, signull Zugriff auf unconfined_t Prozesse zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do allow this access for now by executing: # ausearch -c 'pulseaudio' --raw | audit2allow -M my-pulseaudio # semodule -i my-pulseaudio.pp Additional Information: Source Context system_u:system_r:pulseaudio_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects Unknown [ process ] Source pulseaudio Source Path /usr/bin/pulseaudio Port <Unknown> Host (removed) Source RPM Packages pulseaudio-10.0-3.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-166.el7_4.4.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.13.2-1.el7.elrepo.x86_64 #1 SMP Wed Sep 13 18:48:00 EDT 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-09-28 08:36:11 CEST Last Seen 2017-09-28 08:36:11 CEST Local ID 52d0feaa-e9da-48c7-92c5-d5bac6d9fd7f Raw Audit Messages type=AVC msg=audit(1506580571.403:136): avc: denied { signull } for pid=5487 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 type=SYSCALL msg=audit(1506580571.403:136): arch=x86_64 syscall=kill success=no exit=EACCES a0=1303 a1=0 a2=0 a3=0 items=0 ppid=5486 pid=5487 auid=18914 uid=18914 gid=1000 euid=18914 suid=18914 fsuid=18914 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=pulseaudio exe=/usr/bin/pulseaudio subj=system_u:system_r:pulseaudio_t:s0 key=(null) Hash: pulseaudio,pulseaudio_t,unconfined_t,process,signull Version-Release number of selected component: selinux-policy-3.13.1-166.el7_4.4.noarch

↧

0013933: SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the file cf8c2a48e5444ca2955e9e1cfd264438-0.

September 28, 2017, 4:22 am

≫ Next: 0013934: SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the directory session-bus.

≪ Previous: 0013932: SELinux is preventing /usr/bin/pulseaudio from using the 'signull' accesses on a process.

Description of problem: Recovering from suspend-to-ram (re-openeing the Laptop lid) SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the file cf8c2a48e5444ca2955e9e1cfd264438-0. ***** Plugin catchall (100. confidence) suggests ************************** If sie denken, dass es dbus-launch standardmäßig erlaubt sein sollte, write Zugriff auf cf8c2a48e5444ca2955e9e1cfd264438-0 file zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do allow this access for now by executing: # ausearch -c 'dbus-launch' --raw | audit2allow -M my-dbuslaunch # semodule -i my-dbuslaunch.pp Additional Information: Source Context system_u:system_r:pulseaudio_t:s0 Target Context system_u:object_r:dbus_home_t:s0 Target Objects cf8c2a48e5444ca2955e9e1cfd264438-0 [ file ] Source dbus-launch Source Path /usr/bin/dbus-launch Port <Unknown> Host (removed) Source RPM Packages dbus-x11-1.6.12-17.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-166.el7_4.4.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.13.2-1.el7.elrepo.x86_64 #1 SMP Wed Sep 13 18:48:00 EDT 2017 x86_64 x86_64 Alert Count 6 First Seen 2017-09-28 10:50:01 CEST Last Seen 2017-09-28 12:27:21 CEST Local ID 608275d8-49b7-446e-9664-a397ba616642 Raw Audit Messages type=AVC msg=audit(1506594441.946:263): avc: denied { write } for pid=26550 comm="dbus-launch" name="cf8c2a48e5444ca2955e9e1cfd264438-0" dev="dm-1" ino=53599436 scontext=system_u:system_r:pulseaudio_t:s0 tcontext=system_u:object_r:dbus_home_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1506594441.946:263): arch=x86_64 syscall=open success=no exit=EACCES a0=561410c37f40 a1=241 a2=1b6 a3=24 items=0 ppid=2277 pid=26550 auid=18914 uid=18914 gid=1000 euid=18914 suid=18914 fsuid=18914 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=dbus-launch exe=/usr/bin/dbus-launch subj=system_u:system_r:pulseaudio_t:s0 key=(null) Hash: dbus-launch,pulseaudio_t,dbus_home_t,file,write Version-Release number of selected component: selinux-policy-3.13.1-166.el7_4.4.noarch

↧

0013934: SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the directory session-bus.

September 28, 2017, 4:25 am

≫ Next: 0013935: openssh-server-7.4 doesn't work with WinSCP >=5.10

≪ Previous: 0013933: SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the file cf8c2a48e5444ca2955e9e1cfd264438-0.

Description of problem: reopening Laoptop Lid (recover from suspend-to-ram) SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the directory session-bus. ***** Plugin catchall (100. confidence) suggests ************************** If sie denken, dass es dbus-launch standardmäßig erlaubt sein sollte, write Zugriff auf session-bus directory zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do allow this access for now by executing: # ausearch -c 'dbus-launch' --raw | audit2allow -M my-dbuslaunch # semodule -i my-dbuslaunch.pp Additional Information: Source Context system_u:system_r:pulseaudio_t:s0 Target Context system_u:object_r:dbus_home_t:s0 Target Objects session-bus [ dir ] Source dbus-launch Source Path /usr/bin/dbus-launch Port <Unknown> Host (removed) Source RPM Packages dbus-x11-1.6.12-17.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-166.el7_4.4.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.13.2-1.el7.elrepo.x86_64 #1 SMP Wed Sep 13 18:48:00 EDT 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-09-28 10:49:58 CEST Last Seen 2017-09-28 10:49:58 CEST Local ID a0983557-9842-4fe2-9a5b-0f4ebd79dcd5 Raw Audit Messages type=AVC msg=audit(1506588598.794:137): avc: denied { write } for pid=2302 comm="dbus-launch" name="session-bus" dev="dm-1" ino=53599435 scontext=system_u:system_r:pulseaudio_t:s0 tcontext=system_u:object_r:dbus_home_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1506588598.794:137): avc: denied { write } for pid=2302 comm="dbus-launch" name="cf8c2a48e5444ca2955e9e1cfd264438-0" dev="dm-1" ino=53599436 scontext=system_u:system_r:pulseaudio_t:s0 tcontext=system_u:object_r:dbus_home_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1506588598.794:137): arch=x86_64 syscall=open success=no exit=EACCES a0=55b65b96afe0 a1=241 a2=1b6 a3=24 items=0 ppid=2277 pid=2302 auid=18914 uid=18914 gid=1000 euid=18914 suid=18914 fsuid=18914 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=dbus-launch exe=/usr/bin/dbus-launch subj=system_u:system_r:pulseaudio_t:s0 key=(null) Hash: dbus-launch,pulseaudio_t,dbus_home_t,dir,write Version-Release number of selected component: selinux-policy-3.13.1-166.el7_4.4.noarch

↧