2017-12-01 16:03:47

by Laurent Bigonville

Subject: [refpolicy] Policy for systemd inhibits

Hello,

ATM it seems that the policy has no interface to allow applications
(NetworkManager, upower, ...) or users to manage systemd inhibits (see
denials in attachment).

I was thinking of creating an extra type for /run/systemd/inhibit/ and
allowing applications and users to interact with the files and pipes but
Dominick seems to prefer a different approach.

I'm not sure what would be the preferred way here, what do you think?

Regards,

Laurent Bigonville

-------------- next part --------------
----
type=PROCTITLE msg=audit(01/12/17 09:53:19.669:170) : proctitle=/usr/sbin/ModemManager
type=SYSCALL msg=audit(01/12/17 09:53:19.669:170) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x6 a1=0x7f974295bab0 a2=MSG_CMSG_CLOEXEC a3=0x7f974295b9d0 items=0 ppid=1 pid=766 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 09:53:19.669:170) : avc: denied { write } for pid=766 comm=gdbus path=/run/systemd/inhibit/1.ref dev="tmpfs" ino=22520 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 09:53:19.669:170) : avc: denied { use } for pid=766 comm=gdbus path=/run/systemd/inhibit/1.ref dev="tmpfs" ino=22520 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 09:53:19.855:177) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 09:53:19.855:177) : arch=x86_64 syscall=inotify_add_watch success=yes exit=3 a0=0xb a1=0x7f401f9d7703 a2=0x280 a3=0x10b items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 09:53:19.855:177) : avc: denied { read } for pid=836 comm=NetworkManager name=users dev="tmpfs" ino=19329 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(01/12/17 09:53:20.294:261) : proctitle=/usr/sbin/libvirtd
type=SYSCALL msg=audit(01/12/17 09:53:20.294:261) : arch=x86_64 syscall=recvmsg success=yes exit=76 a0=0xe a1=0x7fff7cd98980 a2=MSG_CMSG_CLOEXEC a3=0x7f96d28c1180 items=0 ppid=1 pid=985 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/12/17 09:53:20.294:261) : avc: denied { write } for pid=985 comm=libvirtd path=/run/systemd/inhibit/2.ref dev="tmpfs" ino=26842 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 09:53:20.294:261) : avc: denied { use } for pid=985 comm=libvirtd path=/run/systemd/inhibit/2.ref dev="tmpfs" ino=26842 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 09:53:20.961:312) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 09:53:20.961:312) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x8 a1=0x7f40137fda30 a2=MSG_CMSG_CLOEXEC a3=0x7f40137fd950 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 09:53:20.961:312) : avc: denied { write } for pid=836 comm=gdbus path=/run/systemd/inhibit/3.ref dev="tmpfs" ino=25209 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 09:53:28.328:419) : proctitle=/usr/lib/upower/upowerd
type=SYSCALL msg=audit(01/12/17 09:53:28.328:419) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f1595da5a20 a2=MSG_CMSG_CLOEXEC a3=0x7f1595da5940 items=0 ppid=1 pid=1582 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/lib/upower/upowerd subj=system_u:system_r:devicekit_power_t:s0 key=(null)
type=AVC msg=audit(01/12/17 09:53:28.328:419) : avc: denied { write } for pid=1582 comm=gdbus path=/run/systemd/inhibit/4.ref dev="tmpfs" ino=30458 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 09:53:28.328:419) : avc: denied { use } for pid=1582 comm=gdbus path=/run/systemd/inhibit/4.ref dev="tmpfs" ino=30458 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 09:53:48.839:485) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 09:53:48.839:485) : arch=x86_64 syscall=open success=yes exit=20 a0=0x560a6afc95f0 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 09:53:48.839:485) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33269 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 09:53:48.839:485) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33269 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 09:53:48.839:486) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 09:53:48.839:486) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x14 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 09:53:48.839:486) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33269 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 09:53:48.496:503) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 09:53:48.496:503) : arch=x86_64 syscall=open success=yes exit=20 a0=0x560a6afc95f0 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 09:53:48.496:503) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 09:53:48.496:503) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 09:53:48.496:504) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 09:53:48.496:504) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x14 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 09:53:48.496:504) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 10:44:21.116:1042) : proctitle=/usr/sbin/libvirtd
type=SYSCALL msg=audit(01/12/17 10:44:21.116:1042) : arch=x86_64 syscall=recvmsg success=yes exit=76 a0=0xe a1=0x7fff7cd98980 a2=MSG_CMSG_CLOEXEC a3=0x7f96d28c1180 items=0 ppid=1 pid=985 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/12/17 10:44:21.116:1042) : avc: denied { write } for pid=985 comm=libvirtd path=/run/systemd/inhibit/17.ref dev="tmpfs" ino=105825 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 10:44:21.116:1042) : avc: denied { use } for pid=985 comm=libvirtd path=/run/systemd/inhibit/17.ref dev="tmpfs" ino=105825 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 10:44:21.159:1059) : proctitle=/usr/sbin/virtlogd
type=SYSCALL msg=audit(01/12/17 10:44:21.159:1059) : arch=x86_64 syscall=recvmsg success=yes exit=76 a0=0xa a1=0x7ffdfaed35a0 a2=MSG_CMSG_CLOEXEC a3=0x560b013fa500 items=0 ppid=1 pid=23556 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/12/17 10:44:21.159:1059) : avc: denied { write } for pid=23556 comm=virtlogd path=/run/systemd/inhibit/18.ref dev="tmpfs" ino=106981 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 10:44:21.159:1059) : avc: denied { use } for pid=23556 comm=virtlogd path=/run/systemd/inhibit/18.ref dev="tmpfs" ino=106981 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 10:44:21.197:1064) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 10:44:21.197:1064) : arch=x86_64 syscall=open success=yes exit=21 a0=0x560a6ae66c70 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 10:44:21.197:1064) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 10:44:21.197:1064) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 10:44:21.197:1065) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 10:44:21.197:1065) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x15 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 10:44:21.197:1065) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 10:51:42.796:1133) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 10:51:42.796:1133) : arch=x86_64 syscall=open success=yes exit=21 a0=0x560a6afb0d70 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 10:51:42.796:1133) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 10:51:42.796:1133) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 10:51:42.796:1134) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 10:51:42.796:1134) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x15 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 10:51:42.796:1134) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 12:35:46.779:1595) : proctitle=/usr/sbin/libvirtd
type=SYSCALL msg=audit(01/12/17 12:35:46.779:1595) : arch=x86_64 syscall=recvmsg success=yes exit=76 a0=0xe a1=0x7fff7cd98980 a2=MSG_CMSG_CLOEXEC a3=0x7f96d28c1180 items=0 ppid=1 pid=985 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/12/17 12:35:46.779:1595) : avc: denied { write } for pid=985 comm=libvirtd path=/run/systemd/inhibit/31.ref dev="tmpfs" ino=231239 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 12:35:46.779:1595) : avc: denied { use } for pid=985 comm=libvirtd path=/run/systemd/inhibit/31.ref dev="tmpfs" ino=231239 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 12:35:46.794:1597) : proctitle=/usr/sbin/virtlogd
type=SYSCALL msg=audit(01/12/17 12:35:46.794:1597) : arch=x86_64 syscall=recvmsg success=yes exit=76 a0=0xa a1=0x7ffdfaed35a0 a2=MSG_CMSG_CLOEXEC a3=0x560b013fa500 items=0 ppid=1 pid=23556 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/12/17 12:35:46.794:1597) : avc: denied { write } for pid=23556 comm=virtlogd path=/run/systemd/inhibit/32.ref dev="tmpfs" ino=230262 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 12:35:46.794:1597) : avc: denied { use } for pid=23556 comm=virtlogd path=/run/systemd/inhibit/32.ref dev="tmpfs" ino=230262 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 12:35:46.866:1617) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 12:35:46.866:1617) : arch=x86_64 syscall=open success=yes exit=21 a0=0x560a6afb65e0 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 12:35:46.866:1617) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 12:35:46.866:1617) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 12:35:46.866:1618) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 12:35:46.866:1618) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x15 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 12:35:46.866:1618) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 13:23:23.920:1825) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 13:23:23.920:1825) : arch=x86_64 syscall=open success=yes exit=21 a0=0x560a6ae7ffa0 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 13:23:23.920:1825) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 13:23:23.920:1825) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 13:23:23.921:1826) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 13:23:23.921:1826) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x15 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 13:23:23.921:1826) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:33:36.351:1843) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 14:33:36.351:1843) : arch=x86_64 syscall=open success=yes exit=17 a0=0x560a6af01b00 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:33:36.351:1843) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 14:33:36.351:1843) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:33:36.351:1844) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 14:33:36.351:1844) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x11 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:33:36.351:1844) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:33:36.503:1852) : proctitle=/usr/lib/upower/upowerd
type=SYSCALL msg=audit(01/12/17 14:33:36.503:1852) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f1595da5b30 a2=MSG_CMSG_CLOEXEC a3=0x7f1595da5a50 items=0 ppid=1 pid=1582 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/lib/upower/upowerd subj=system_u:system_r:devicekit_power_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:33:36.503:1852) : avc: denied { write } for pid=1582 comm=gdbus path=/run/systemd/inhibit/43.ref dev="tmpfs" ino=284164 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 14:33:36.503:1852) : avc: denied { use } for pid=1582 comm=gdbus path=/run/systemd/inhibit/43.ref dev="tmpfs" ino=284164 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:33:36.535:1853) : proctitle=/usr/sbin/ModemManager
type=SYSCALL msg=audit(01/12/17 14:33:36.535:1853) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x6 a1=0x7f974295bab0 a2=MSG_CMSG_CLOEXEC a3=0x7f974295b9d0 items=0 ppid=1 pid=766 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:33:36.535:1853) : avc: denied { write } for pid=766 comm=gdbus path=/run/systemd/inhibit/44.ref dev="tmpfs" ino=284168 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 14:33:36.535:1853) : avc: denied { use } for pid=766 comm=gdbus path=/run/systemd/inhibit/44.ref dev="tmpfs" ino=284168 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:33:36.549:1854) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 14:33:36.549:1854) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x8 a1=0x7f40137fda30 a2=MSG_CMSG_CLOEXEC a3=0x7f40137fd950 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:33:36.549:1854) : avc: denied { write } for pid=836 comm=gdbus path=/run/systemd/inhibit/45.ref dev="tmpfs" ino=284172 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:37:39.132:1932) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 14:37:39.132:1932) : arch=x86_64 syscall=open success=yes exit=21 a0=0x560a6aefe300 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:37:39.132:1932) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 14:37:39.132:1932) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:37:39.134:1933) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 14:37:39.134:1933) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x15 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:37:39.134:1933) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:38:36.567:1962) : proctitle=/usr/lib/upower/upowerd
type=SYSCALL msg=audit(01/12/17 14:38:36.567:1962) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f1595da5b30 a2=MSG_CMSG_CLOEXEC a3=0x7f1595da5a50 items=0 ppid=1 pid=1582 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/lib/upower/upowerd subj=system_u:system_r:devicekit_power_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:38:36.567:1962) : avc: denied { write } for pid=1582 comm=gdbus path=/run/systemd/inhibit/54.ref dev="tmpfs" ino=292411 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 14:38:36.567:1962) : avc: denied { use } for pid=1582 comm=gdbus path=/run/systemd/inhibit/54.ref dev="tmpfs" ino=292411 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:38:36.578:1963) : proctitle=/usr/sbin/ModemManager
type=SYSCALL msg=audit(01/12/17 14:38:36.578:1963) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x6 a1=0x7f974295bab0 a2=MSG_CMSG_CLOEXEC a3=0x7f974295b9d0 items=0 ppid=1 pid=766 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:38:36.578:1963) : avc: denied { write } for pid=766 comm=gdbus path=/run/systemd/inhibit/55.ref dev="tmpfs" ino=292413 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(01/12/17 14:38:36.578:1963) : avc: denied { use } for pid=766 comm=gdbus path=/run/systemd/inhibit/55.ref dev="tmpfs" ino=292413 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=1
----
type=PROCTITLE msg=audit(01/12/17 14:38:36.584:1964) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 14:38:36.584:1964) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x8 a1=0x7f40137fda30 a2=MSG_CMSG_CLOEXEC a3=0x7f40137fd950 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 14:38:36.584:1964) : avc: denied { write } for pid=836 comm=gdbus path=/run/systemd/inhibit/56.ref dev="tmpfs" ino=293012 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 15:30:16.835:2181) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 15:30:16.835:2181) : arch=x86_64 syscall=open success=yes exit=21 a0=0x560a6b003910 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 15:30:16.835:2181) : avc: denied { open } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/12/17 15:30:16.835:2181) : avc: denied { read } for pid=836 comm=NetworkManager name=1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/12/17 15:30:16.835:2182) : proctitle=/usr/sbin/NetworkManager --no-daemon
type=SYSCALL msg=audit(01/12/17 15:30:16.835:2182) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x15 a1=0x7ffcf7106b70 a2=0x7ffcf7106b70 a3=0x80000 items=0 ppid=1 pid=836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/12/17 15:30:16.835:2182) : avc: denied { getattr } for pid=836 comm=NetworkManager path=/run/systemd/users/1000 dev="tmpfs" ino=33310 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1


2017-12-02 11:17:11

by Dominick Grift

Subject: [refpolicy] Policy for systemd inhibits

On Fri, Dec 01, 2017 at 05:03:47PM +0100, Laurent Bigonville via refpolicy wrote:
> Hello,
>
> ATM it seems that the policy has no interface to allow applications
> (NetworkManager, upower, ...) or users to manage systemd inhibits (see denials
> in attachment).
>
> I was thinking of creating an extra type for /run/systemd/inhibit/ and
> allowing applications and users to interact with the files and pipes but
> Dominick seems to prefer a different approach.

Let me just make clear that I think a private type for /run/systemd/inhibit is not really needed because, AFAIK, logind maintains only two kinds of fifo files in runtime, and one of them, /run/systemd/sessions, already has a private type.

So that, to me, automatically implies that if a process can write an inherited logind runtime fifo file, it must be the inhibit one, since the other, the sessions one, has a private logind session runtime type.

logind inhibit clients need to do a couple of things AFAIK:

1. they write the inherited logind runtime fifo files
2. they use logind's fds
3. they dbus system chat with logind
4. they are dbus system clients

The only way AFAIK this differs from logind session clients (apart from the different fifo file) is that logind needs to be able to read logind session clients' state in addition.

>
> I'm not sure what would be the preferred way here, what do you think?
>
> Regards,
>
> Laurent Bigonville
>


> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171202/09c05e7f/attachment-0001.bin

2017-12-03 21:38:06

by Chris PeBenito

Subject: [refpolicy] Policy for systemd inhibits

On 12/02/2017 06:17 AM, Dominick Grift via refpolicy wrote:
> On Fri, Dec 01, 2017 at 05:03:47PM +0100, Laurent Bigonville via refpolicy wrote:
>> Hello,
>>
>> ATM it seems that the policy has no interface to allow applications
>> (NetworkManager, upower,) or users to manage systemd inhibits. (see denials
>> in attachment)
>>
>> I was thinking of creating an extra type for /run/systemd/inhibit/ and
>> allowing applications and users to interact with the files and pipes but
>> Dominick seems to prefer a different approach.
>
> Let me just make clear that I think a private type for /run/systemd/inhibit is not really needed because AFAIK logind maintains only two kinds of fifo files in runtime, and one of them, /run/systemd/sessions, already has a private type
>
> So that, to me, automatically implies that if a process can write an inherited login runtime fifo file, that it must be the inhibit one, since the other sessions one has a private logind session runtime type
>
> logind inhibit clients need to do a couple of things AFAIK:
>
> 1. they write the inherited logind runtime fifo files
> 2. they use logind's fd's
> 3. they dbus system chat with logind
> 4. they are dbus system clients
>
> The only way AFAIK this differs from logind session clients (apart from the different fifo file) is that logind needs to be able to read logind session clients' state in addition.

Perhaps I misunderstand, but it seems like these two approaches are the
same.


>>
>> I'm not sure what would be the preferred way here, what do you think?
>>
>> Regards,
>>
>> Laurent Bigonville

--
Chris PeBenito

2017-12-04 09:24:11

by Dominick Grift

Subject: [refpolicy] Policy for systemd inhibits

On Sun, Dec 03, 2017 at 04:38:06PM -0500, Chris PeBenito via refpolicy wrote:
> On 12/02/2017 06:17 AM, Dominick Grift via refpolicy wrote:
> > On Fri, Dec 01, 2017 at 05:03:47PM +0100, Laurent Bigonville via refpolicy wrote:
> >> Hello,
> >>
> >> ATM it seems that the policy has no interface to allow applications
> >> (NetworkManager, upower,) or users to manage systemd inhibits. (see denials
> >> in attachment)
> >>
> >> I was thinking of creating an extra type for /run/systemd/inhibit/ and
> >> allowing applications and users to interact with the files and pipes but
> >> Dominick seems to prefer a different approach.
> >
> > Let me just make clear that I think a private type for /run/systemd/inhibit is not really needed because AFAIK logind maintains only two kinds of fifo files in runtime, and one of them, /run/systemd/sessions, already has a private type
> >
> > So that, to me, automatically implies that if a process can write an inherited login runtime fifo file, that it must be the inhibit one, since the other sessions one has a private logind session runtime type
> >
> > logind inhibit clients need to do a couple of things AFAIK:
> >
> > 1. they write the inherited logind runtime fifo files
> > 2. they use logind's fd's
> > 3. they dbus system chat with logind
> > 4. they are dbus system clients
> >
> > The only way AFAIK this differs from logind session clients (apart from the different fifo file) is that logind needs to be able to read logind session clients' state in addition.
>
> Perhaps I misunderstand, but it seems like these two approaches are the
> same.

Essentially, but Laurent's suggestion to create a private type for the inhibit pipes *seems* not needed to me. It does not do much harm either, I suppose.

>
>
> >>
> >> I'm not sure what would be the preferred way here, what do you think?
> >>
> >> Regards,
> >>
> >> Laurent Bigonville
>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
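The four access needs Dominick lists for a logind inhibit client (write the inherited runtime fifo, use logind's fd, D-Bus chat with logind, system bus client), written out as a refpolicy-style interface. This is an added illustration, not code from the thread or from refpolicy itself: the interface name `systemd_logind_inhibit_client` is hypothetical, the types `systemd_logind_t` and `systemd_logind_var_run_t` are taken from the quoted denials, and `dbus_system_bus_client` and `systemd_dbus_chat_logind` are assumed to be the existing refpolicy interfaces of those names. It follows Dominick's reasoning that no private type for /run/systemd/inhibit is needed: the fifo rule grants `write` but not `open`, so the domain can only use a descriptor logind handed it, which is exactly the inhibitor `*.ref` pipe.

```m4
## <summary>
##	Allow the specified domain to act as a logind inhibit client:
##	write the inherited inhibitor fifo under /run/systemd/inhibit,
##	use the fd logind passed it, and talk to logind on the system bus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_logind_inhibit_client',`
	gen_require(`
		# type names as they appear in the AVC denials quoted in the thread
		type systemd_logind_t, systemd_logind_var_run_t;
	')

	# 1. write the inherited logind runtime fifo (the *.ref inhibitor lock).
	#    Deliberately no "open": the domain cannot open fifos of this type
	#    itself, it can only write through a descriptor it inherited/received.
	allow $1 systemd_logind_var_run_t:fifo_file { getattr write };

	# 2. use the file descriptor logind passed over the bus
	allow $1 systemd_logind_t:fd use;

	# 3. system bus client, and 4. D-Bus chat with logind
	# (assumed to be existing refpolicy interfaces)
	dbus_system_bus_client($1)
	systemd_dbus_chat_logind($1)
')

# Example call site, e.g. in networkmanager.te (hypothetical):
#
#	optional_policy(`
#		systemd_logind_inhibit_client(NetworkManager_t)
#	')
```

The `{ open } /run/systemd/users/1000` and `{ read }`/`{ getattr }` denials in the quoted log are reads of plain logind runtime files, not the inhibitor fifo, so this interface intentionally does not cover them; they belong to the separate "read logind session state" access Dominick mentions and should be granted (or not) on their own merits.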