Bug 1365214

Summary: SELinux is preventing gdbus from 'write' accesses on the fifo_file /run/systemd/inhibit/1.ref.
Product: Red Hat Enterprise Linux 7 Reporter: Radka Brychtova <rskvaril>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: dominick.grift, dwalsh, extras-qa, jfrieben, kwang.m.yi, lvrabec, mgrepl, mmalik, momcilo, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: abrt_hash:2af4b81290245108b108c0f47c7bd93a25ec2149390ab923891522cdf30ab910;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-93.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1357144 Environment:
Last Closed: 2016-11-04 02:36:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1357144    
Bug Blocks:    

Description Radka Brychtova 2016-08-08 16:07:54 UTC 
I found similar problem of this bug in rhel7

selinux-policy-3.13.1-92.el7.noarch
systemd-219-25.el7.x86_64

AVC:
type=SYSCALL msg=audit(08/08/2016 11:53:53.631:567) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x6 a1=0x7f7fe5445b20 a2=MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=646 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 


type=AVC msg=audit(08/08/2016 11:53:53.631:567) : avc:  denied  { write } for  pid=646 comm=gdbus path=/run/systemd/inhibit/1.ref dev="tmpfs" ino=22752 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file 

Steps to Reproduce:
1.setenforce 0
2.systemctl restart systemd-logind.service




+++ This bug was initially created as a clone of Bug #1357144 +++

Description of problem:
SELinux is preventing gdbus from 'write' accesses on the fifo_file /run/systemd/inhibit/1.ref.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gdbus should be allowed write access on the 1.ref fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdbus' --raw | audit2allow -M my-gdbus
# semodule -X 300 -i my-gdbus.pp

Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:object_r:systemd_logind_inhibit_var_run_t
                              :s0
Target Objects                /run/systemd/inhibit/1.ref [ fifo_file ]
Source                        gdbus
Source Path                   gdbus
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-202.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.0-0.rc7.git2.1.fc25.x86_64 #1
                              SMP Wed Jul 13 21:14:25 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-07-15 21:04:18 EDT
Last Seen                     2016-07-15 21:04:18 EDT
Local ID                      26691368-6123-410d-b856-efb9fea7d8e4

Raw Audit Messages
type=AVC msg=audit(1468631058.973:104): avc:  denied  { write } for  pid=943 comm="gdbus" path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=18215 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file permissive=0


Hash: gdbus,modemmanager_t,systemd_logind_inhibit_var_run_t,fifo_file,write

Version-Release number of selected component:
selinux-policy-3.13.1-202.fc25.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc7.git2.1.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

--- Additional comment from Medic Momcilo on 2016-07-22 03:04:51 EDT ---

Description of problem:
Boot up the PC after an update and had SE alert shown.

Version-Release number of selected component:
selinux-policy-3.13.1-203.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc7.git4.1.fc25.x86_64
type:           libreport

--- Additional comment from Jan Kurik on 2016-07-26 00:44:18 EDT ---

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

--- Additional comment from Kwang Moo Yi on 2016-08-03 12:46:48 EDT ---

I can confirm the problem exists for me as well, on fedora24 instead of 25.

selinux-policy-3.13.1-191.9.fc24.noarch
kernel:         4.6.5-300.fc24.x86_64
Comment 2 Milos Malik 2016-08-09 07:19:24 UTC 
The scenario in fact generates 3 different SELinux denials (2 USER_AVCs and 1 AVC):
----
type=USER_AVC msg=audit(08/09/2016 09:16:32.057:355) : pid=565 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=:1.82 spid=532 tpid=7477 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=(null)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(08/09/2016 09:16:32.063:356) : pid=565 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=signal interface=org.freedesktop.login1.Manager member=SeatNew dest=org.freedesktop.DBus spid=7477 tpid=532 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=(null)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(08/09/2016 09:16:32.095:357) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x6 a1=0x7fbbabffeb20 a2=MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=573 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdbus exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(08/09/2016 09:16:32.095:357) : avc:  denied  { write } for  pid=573 comm=gdbus path=/run/systemd/inhibit/7.ref dev="tmpfs" ino=51290 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file 
----
Comment 7 errata-xmlrpc 2016-11-04 02:36:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html