Bug 1372754
| Summary: | SELinux is preventing systemd from 'create' accesses on the tcp_socket port None. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Brian J. Murrell <brian> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 24 | CC: | alessandro.suardi, antoine, antonin.vecera, brjohnso, dominick.grift, dwalsh, fredoche, j, lvrabec, martin, mbarnes, mgrepl, plautrba, zdohnal | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | abrt_hash:f680596475fced633dedd2c4c4709c05c4f100a4edae2ebdc4859736d157eae2; | ||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-01-05 13:55:07 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Description of problem: Not sure what caused this. Version-Release number of selected component: selinux-policy-3.13.1-191.8.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.4-301.fc24.x86_64 type: libreport Brian, Could you attach output of: # ps -efZ | grep unconfined_service_t Thanks. # ps -efZ | grep unconfined_service_t system_u:system_r:unconfined_service_t:s0 named 12580 1 0 Sep10 ? 00:41:25 /usr/sbin/named-pkcs11 -u named system_u:system_r:unconfined_service_t:s0 ods 16909 1 0 Sep10 ? 00:00:06 /usr/bin/python2 /usr/libexec/ipa/ipa-dnskeysyncd Description of problem: ran citrix receiver Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport system_u:system_r:unconfined_service_t:s0 root 1012 1 0 10:13 ? 00:00:00 /sbin/rngd -f system_u:system_r:unconfined_service_t:s0 root 2227 1 0 10:14 ? 00:00:00 /usr/libexec/udisks2/udisksd --no-debug unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 fred 4493 4427 0 10:27 pts/0 00:00:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn unconfined_service_t Could you reproduce it with the latest selinux-policy rpm package? $ rpm -q selinux-policy selinux-policy-3.13.1-191.16.fc24.noarch (In reply to Lukas Vrabec from comment #6) > Could you reproduce it with the latest selinux-policy rpm package? > > $ rpm -q selinux-policy > selinux-policy-3.13.1-191.16.fc24.noarch Since I don't know what reproduces it specifically, I guess only time will tell. :-) Description of problem: wasnt using citrix this time... Started a bunch of java 8 servers Version-Release number of selected component: selinux-policy-3.13.1-191.14.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.7.3-200.fc24.x86_64 type: libreport Description of problem: $ sudo dnf install sane-backends-daemon $ sudo systemctl status saned.socket ● saned.socket - saned incoming socket Loaded: loaded (/usr/lib/systemd/system/saned.socket; disabled; vendor preset: disabled) Active: inactive (dead) Listen: [::]:6566 (Stream) Accepted: 0; Connected: 0 [martin@desk1 ~]$ sudo systemctl start saned.socket Job for saned.socket failed. See "systemctl status saned.socket" and "journalctl -xe" for details. [martin@desk1 ~]$ sudo systemctl status saned.socket ● saned.socket - saned incoming socket Loaded: loaded (/usr/lib/systemd/system/saned.socket; disabled; vendor preset: disabled) Active: failed (Result: resources) Listen: [::]:6566 (Stream) Accepted: 0; Connected: 0 nov 06 22:40:05 desk1.stefany.eu systemd[1]: saned.socket: Failed to listen on sockets: Permission denied nov 06 22:40:05 desk1.stefany.eu systemd[1]: Failed to listen on saned incoming socket. nov 06 22:40:05 desk1.stefany.eu systemd[1]: saned.socket: Unit entered failed state. Version-Release number of selected component: selinux-policy-3.13.1-191.19.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.4-200.fc24.x86_64 type: libreport Created attachment 1219916 [details]
Patch I've been applying for some time now
I've been applying this patch in my local builds of the selinux-policy package since the F24 betas in order to get one local socket-activated service to start. The AVC is as above:
type=AVC msg=audit(1478911391.841:269): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0
Sadly that means I have to rebuild for every selinux-policy package update that comes around. Have just done some F25 machines and, sadly, the problem persists there so I'll be rebuilding the policy for those releases as well.
I don't pretend to understand what the patch does, but it was explained to me that the issue stems from pid 1 now being confined by default, and so it has to be explicitly allowed to listen on various sockets on behalf of the services it will activate, even if those services are themselves unconfined.
It would be super great if this could be fixed, either with the attached patch or in any other way that actually works, so I don't have to keep doing local rebuilds of the policy or loading a local policy for every one of my machines. I don't mind adding a local policy module for a one-off service but this hits a couple hundred of my machines.
I still see on my pc that saned.socket is not allowed to open port 6566. Is it a problem with SELinux? Or is it systemd problem? I see other systemd services opening their ports to listen without any problem. (sshd, cockpit). What is so strange on saned daemon? As far as I can tell it's basically a general problem. Since systemd is now confined by selinux, it must somehow be authorized (in selinux) to listen on various ports on behalf of any socket-activated service. Of course there are transitions involved as well which is where I kind of get lost. If you're having a problem with saned starting, and your AVCs don't reference unconfined_service_t, then I would definitely file a separate ticket against selinux-policy and CC sane-backends-maintainer. Make sure to provide complete information, including similar things to those requested in this ticket. Perhaps a separate SANE-specific ticket would receive more attention than piling on this ticket. The selinux-policy maintainers can always close it as a duplicate if it's the same underlying issue. (In reply to Jason Tibbitts from comment #12) > If you're having a problem with saned starting, and your AVCs don't > reference unconfined_service_t, then I would definitely file a separate > ticket against selinux-policy $ sudo systemctl restart saned.socket ...and I got these messages in journal: May 03 17:50:25 pc1.home audit[1]: AVC avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0 May 03 17:50:25 pc1.home systemd[1]: saned.socket: Failed to listen on sockets: Permission denied May 03 17:50:25 pc1.home systemd[1]: Failed to listen on saned incoming socket. ---- AVC message of systemd starting saned.socket does(!) reference unconfined_service_t. I am not sure if it is related to this bug or I should I open new one? saned daemon wants to open port 6566 but this bug is about port "none". I am confused. Well it sure does look like the same thing. You could of course try the patch I attached, if you feel comfortable patching and rebuilding the selinux policy package but it's probably not worth it. I've since stopped patching the policy package because it changes too often and instead just push a local policy module out to all of my desktops with ansible. I don't know if filing a separate ticket would help. Having a bunch of tickets for the same basic issue just wastes more developer time. I doubt it would help to get this bug noticed. This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. Issue with saned.socket is still unsolved in selinux-policy, reopening this issue. Still hitting this problem in F26 with: selinux-policy-3.13.1-260.10.fc26.noarch Still hitting this problem in Fedora 27 *** This bug has been marked as a duplicate of bug 1366968 *** |
Description of problem: SELinux is preventing systemd from 'create' accesses on the tcp_socket port None. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed create access on the port None tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:system_r:unconfined_service_t:s0 Target Objects port None [ tcp_socket ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.8.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.6.4-301.fc24.x86_64 #1 SMP Tue Jul 12 11:50:00 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-07-20 13:28:20 EDT Last Seen 2016-08-08 10:54:03 EDT Local ID a1062218-6ed9-4904-8e6a-8bdb30fed956 Raw Audit Messages type=AVC msg=audit(1470668043.867:103): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0 Hash: systemd,init_t,unconfined_service_t,tcp_socket,create Version-Release number of selected component: selinux-policy-3.13.1-191.8.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.4-301.fc24.x86_64 type: libreport