Bug 1284066
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing /usr/lib/systemd/systemd-logind from create access on the file .#nologinoPzXni. | | |
| Product | Fedora | Reporter | Alexander Ploumistos <alex.ploumistos> |
| Component | systemd | Assignee | systemd-maint |
| Status | CLOSED CURRENTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | high | | |
| Version | 23 | CC | dominick.grift, dwalsh, johannbg, lnykryn, lvrabec, mgrepl, msekleta, plautrba, s, systemd-maint, zbyszek |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-03-30 12:58:25 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Alexander Ploumistos
2015-11-20 17:15:50 UTC
Where is file ".#nologinoPzXni" stored? I can't find any of the ".#nologinABCXYZ" files anywhere, but I guess that's to be expected, since systemd-logind is not allowed to create them. In the past couple of days, I haven't had any SELinux alerts pop up, but whenever there is about a minute left on the shutdown, or if I schedule the shutdown in one minute, I get these in the journal:

```
Nov 24 14:49:41 <hostname> systemd[1]: Starting Cleanup of Temporary Directories...
Nov 24 14:49:42 <hostname> systemd[1]: Started Cleanup of Temporary Directories.
Nov 24 14:49:42 <hostname> audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 24 14:49:42 <hostname> audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 24 14:57:33 <hostname> systemd-logind[993]: Creating /run/nologin, blocking further logins...
Nov 24 14:57:33 <hostname> systemd-logind[993]: Failed to create /run/nologin: Permission denied
Nov 24 14:57:33 <hostname> audit[993]: AVC avc: denied { create } for pid=993 comm="systemd-logind" name=".#nologinXo434m" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Nov 24 14:57:33 <hostname> audit[993]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=55accaffa850 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=993 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Nov 24 14:57:33 <hostname> audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
```

Thank you for reporting. This is a systemd bug. They need to backport fixes related to nologin labeling.

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions.

This should be already fixed in systemd-222-10.fc23.x86_64.

*** This bug has been marked as a duplicate of bug 1287592 ***

Related fix appeared upstream in the meantime. https://github.com/systemd/systemd/commit/4b51966cf6c06250036e428608da92f8640beb96 However, I didn't observe any problems regarding labeling of /run/user/$UID directories on Fedora. There were follow-up commits, e.g. c3dacc8bbf2dc2f5d498072418289c3ba79160ac. I think we need to backport at least some of them.

All fixes related to SELinux and #nologinXXXXXX files are fixed in F23.
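The AVC and SYSCALL records quoted above carry everything needed to triage this denial without the missing `.#nologin…` file: the subject domain, the label of the target, the permission refused, and the raw syscall arguments. The script below is an added example, not code from the bug report or from systemd. It parses journal lines of that shape, pairs each AVC with the SYSCALL record of the same pid in the same second (journal output drops the audit serial that auditd would normally use for pairing), and decodes the syscall using standard Linux x86_64 values (arch c000003e, syscall 2 = open, errno 13 = EACCES, the O_* flag bits). The sample journal text is constructed from the records in the report, with `<hostname>` replaced by `host`; the lookup tables deliberately cover only the values those records contain.

```python
"""Decode the SELinux AVC denial and matching SYSCALL record from journal lines."""
import re

# Constructed sample: the four journal lines from the report that describe the
# denial, with the hostname replaced by "host".
JOURNAL = """\
Nov 24 14:57:33 host systemd-logind[993]: Creating /run/nologin, blocking further logins...
Nov 24 14:57:33 host systemd-logind[993]: Failed to create /run/nologin: Permission denied
Nov 24 14:57:33 host audit[993]: AVC avc: denied { create } for pid=993 comm="systemd-logind" name=".#nologinXo434m" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Nov 24 14:57:33 host audit[993]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=55accaffa850 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=993 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'AVC avc:\s+(denied|granted)\s+\{ ([^}]*) \} for\s+(.*)')
SYSCALL_RE = re.compile(r'SYSCALL (arch=.*)')

# Standard Linux values; only the entries these records need are listed.
X86_64_SYSCALLS = {2: "open"}                  # arch=c000003e is AUDIT_ARCH_X86_64
OPEN_FLAGS = {0x2: "O_RDWR", 0x40: "O_CREAT", 0x80: "O_EXCL", 0x80000: "O_CLOEXEC"}
ERRNO = {13: "EACCES"}


def parse_kv(text):
    """Split 'k=v k="quoted v"' audit fields into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = parse_kv(m.group(3))
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    # permissive=0 means the access was actually refused, not just logged.
    rec["enforcing"] = rec.get("permissive") == "0"
    return rec


def parse_syscall(line):
    """Return the SYSCALL record with syscall name, errno and open() args decoded."""
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    rec = parse_kv(m.group(1))
    if rec.get("arch") == "c000003e":
        rec["syscall_name"] = X86_64_SYSCALLS.get(int(rec["syscall"]), rec["syscall"])
    else:
        rec["syscall_name"] = rec.get("syscall")
    # exit holds the raw return value; when success=no it is -errno.
    rec["errno"] = ERRNO.get(-int(rec["exit"])) if rec.get("success") == "no" else None
    if rec["syscall_name"] == "open":
        flags = int(rec["a1"], 16)              # a1 = flags, a2 = mode (both hex)
        rec["open_flags"] = [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit]
        rec["open_mode"] = "0o%o" % int(rec["a2"], 16)
    return rec


def correlate(journal_text):
    """Pair each AVC with the SYSCALL record of the same pid in the same second."""
    avcs, syscalls = [], {}
    for line in journal_text.splitlines():
        stamp = line[:15]                       # "Nov 24 14:57:33"
        avc = parse_avc(line)
        if avc:
            avc["stamp"] = stamp
            avcs.append(avc)
            continue
        sc = parse_syscall(line)
        if sc:
            syscalls[(stamp, sc["pid"])] = sc
    return [(a, syscalls.get((a["stamp"], a["pid"]))) for a in avcs]


def describe(avc, sc):
    """One-line reading of the pair: domain, permission, object label, syscall."""
    domain = avc["scontext"].split(":")[2]
    label = avc["tcontext"].split(":")[2]
    text = (f"{domain} denied {'/'.join(avc['perms'])} on {avc['tclass']} "
            f"{avc['name']} labelled {label} "
            f"({'enforcing' if avc['enforcing'] else 'permissive'})")
    if sc:
        args = "|".join(sc.get("open_flags", []))
        text += f"; {sc['syscall_name']}({args}, {sc.get('open_mode')}) -> {sc['errno']}"
    return text


if __name__ == "__main__":
    for avc, sc in correlate(JOURNAL):
        print(describe(avc, sc))
```

Run against the sample, the decoded pair reads as an `open()` with `O_CREAT|O_EXCL` of the temporary file in a `var_run_t` directory, refused with EACCES while the policy was enforcing. That is also the answer to the reporter's first question: the `.#nologin…` names never appear on disk because the create itself is what SELinux refused.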