Bug 1285019

Summary: SELinux is preventing systemd-logind from 'create' accesses on the file .#nologinDUxFTb.
Product: Fedora
Reporter: Vinicius Reis <angiolucci>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: high
Version: 23
CC: adalsaady, dfulgido, dominick.grift, dwalsh, lvrabec, mauricio.pronet, mgrepl, plautrba, stefw, wolfgang.rupprecht
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:41c659030036e40b5782668201cc32115126be8a86c424e9b892e258ed7b1202;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-05 06:22:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Vinicius Reis 2015-11-24 16:57:25 UTC
Description of problem:
Typed "sudo shutdown -h 15:00" in a terminal window while SELinux was in Enforcing mode.
selinux-policy-3.13.1-155.fc23.noarch
SELinux is preventing systemd-logind from 'create' accesses on the file .#nologinDUxFTb.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-logind should be allowed create access on the .#nologinDUxFTb file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                .#nologinDUxFTb [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-155.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-300.fc23.x86_64 #1 SMP Tue
                              Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-11-22 05:25:00 BRST
Last Seen                     2015-11-24 14:55:16 BRST
Local ID                      1ad8b651-3406-4c9a-a8b1-426d8f8c7259

Raw Audit Messages
type=AVC msg=audit(1448384116.310:594): avc:  denied  { create } for  pid=740 comm="systemd-logind" name=".#nologinDUxFTb" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: systemd-logind,systemd_logind_t,var_run_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-300.fc23.x86_64
type:           libreport

Comment 1 Wolfgang Rupprecht 2015-11-28 11:36:11 UTC
Description of problem:
shutdown -r

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport

Comment 2 Stef Walter 2015-12-14 12:54:21 UTC
We see this sporadically in the Cockpit integration tests.

For example: https://fedorapeople.org/groups/cockpit/logs/pull-3327-9b09bfed-fedora-23/log.html

Comment 3 Stef Walter 2015-12-14 12:56:59 UTC
Cockpit is now working around this bug in its integration tests by ignoring the AVC: https://github.com/cockpit-project/cockpit/pull/3328

Comment 4 Daniel Walsh 2015-12-14 21:22:23 UTC
Currently systemd-logind is only allowed to create the nologin file in /run. We should open it up to transition on any file.

Comment 5 Miroslav Grepl 2015-12-15 13:09:13 UTC
There is a GitHub discussion about this issue. The point is that it is about a generic transition in /run vs. filename transitions, which cannot be applied here because of .#nologinDUxFTb.

There are systemd fixes in the systemd code to label these files correctly according to the policy context.

We can try to add a generic transition to rawhide to see if it works correctly.

Comment 6 Daniel Walsh 2015-12-15 13:28:12 UTC
Or get systemd-logind to claim a directory /run/logind/ or something

Comment 7 Lukas Vrabec 2015-12-15 15:17:18 UTC
I like the idea of storing this in /run/logind or /run/systemd/. This should be best for us.

Mirek, could you attach a link to the discussion?

Thank you.

Comment 8 Miroslav Grepl 2015-12-20 10:56:15 UTC
Let's keep this bug open and have the discussion in

https://github.com/systemd/systemd/pull/2100


Basically it will be fixed by systemd code changes. If we find a better solution we will remove these systemd code changes.

Comment 9 Miroslav Grepl 2016-01-04 20:08:21 UTC
As we discussed with Dominick, if we get all the proper confinements we can revert the systemd SELinux code changes.

Comment 10 adalsaady 2016-02-08 15:26:16 UTC
*** Bug 1305567 has been marked as a duplicate of this bug. ***

Comment 11 Lukas Vrabec 2016-02-25 16:43:31 UTC
To be honest, I'm not sure what the solution is here after the GitHub discussion. Can I make a generic transition so that systemd_logind_t can create any file in /run labeled as system_logind_var_run_t?

Mirek, 
What is your opinion?

Comment 12 Miroslav Grepl 2016-02-25 17:35:18 UTC
Yes, I would go with this suggested solution from Dominick here.

Comment 13 Lukas Vrabec 2016-02-25 17:44:04 UTC
Yes, I also agree with this solution. 

Thank you.
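The two kinds of rule the thread contrasts (comments 4, 5 and 11 through 13) can be written side by side in a small policy module. The following is an added example for this bug, not the Fedora policy's own source and not the change shipped in selinux-policy-3.13.1-158.9.fc23; it assumes that the Fedora targeted policy defines the types systemd_logind_t, var_run_t and systemd_logind_var_run_t, and the permission sets in the allow rules are the author's assumptions about what an atomic write-then-rename of /run/nologin needs, not values taken from the policy.

```selinux
module logind_run_transition 1.0;

require {
    type systemd_logind_t;            # the daemon's domain (from the AVC)
    type var_run_t;                   # generic label of /run (tcontext in the AVC)
    type systemd_logind_var_run_t;    # assumed private type for logind's /run files
    class dir { search write add_name remove_name };
    class file { create write open getattr setattr unlink rename };
}

# Name-based (filename) transition: applies only when the new file is
# literally called "nologin". A temporary name such as ".#nologinDUxFTb"
# does not match, so the file inherits var_run_t from the directory and
# the create is denied exactly as in the raw audit message.
type_transition systemd_logind_t var_run_t:file systemd_logind_var_run_t "nologin";

# Generic transition: every file systemd_logind_t creates inside a
# var_run_t directory gets systemd_logind_var_run_t, whatever its name.
# This is the approach agreed on in comments 11 to 13. When both rules
# exist the kernel applies the name-based one first and falls back to
# this one.
type_transition systemd_logind_t var_run_t:file systemd_logind_var_run_t;

# A transition only decides the label. The domain still needs the right
# to add, remove and rename entries in the /run directory ...
allow systemd_logind_t var_run_t:dir { search write add_name remove_name };
# ... and the right to work on the file once it carries the new type.
allow systemd_logind_t systemd_logind_var_run_t:file { create write open getattr setattr unlink rename };
```

Such a module is built and loaded with the standard tools (`checkmodule -M -m -o logind_run_transition.mod logind_run_transition.te`, `semodule_package -o logind_run_transition.pp -m logind_run_transition.mod`, `semodule -i logind_run_transition.pp`), and the transitions that are actually in effect can be inspected with `sesearch -T -s systemd_logind_t -t var_run_t -c file`. Note that this is a much narrower grant than the `audit2allow` suggestion in the description, which would simply allow systemd_logind_t to create files with the generic var_run_t label; the transition keeps logind's files under a private type that other domains' rules do not cover.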

Comment 14 Fedora Update System 2016-02-27 13:50:00 UTC
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 15 Fedora Update System 2016-02-28 13:53:55 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 16 Fedora Update System 2016-03-05 06:21:36 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Daniel 2016-03-07 20:53:54 UTC
*** Bug 1315477 has been marked as a duplicate of this bug. ***

Comment 18 Stef Walter 2016-03-14 08:01:52 UTC
This is happening again on Fedora 24 with different AVCs, but essentially the same problem:

https://bugzilla.redhat.com/show_bug.cgi?id=1317389