Bug 1393505

Summary: systemd generates USER_AVCs after selinux-policy update
Product: Red Hat Enterprise Linux 7 Reporter: Michal Sekletar <msekleta>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact: Mirek Jahoda <mjahoda>
Priority: urgent    
Version: 7.3CC: boyang, ldu, leiwang, lvrabec, mgrepl, mkolaja, mleitner, mmalik, msekleta, plautrba, pvrabec, sauchter, ssekidde, vanhoof, yacao
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-108.el7 Doc Type: Bug Fix
Doc Text:
Cause: Updating systemd on RHEL-7.2 to version from RHEL-7.3 and then as a separate yum command update the selinux policy. Consequence: systemd starts generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients. Fix: Reexec systemd daemon after update selinux-policy package when updating from rhel-7.2 to rhel-7.3 (or higher) Result: After separate update selinux-policy, systemd doesn't generate any AVC denials.
Story Points: ---
Clone Of:
: 1394715 (view as bug list) Environment:
Last Closed: 2017-08-01 15:17:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1298243, 1394715    

Description Michal Sekletar 2016-11-09 17:27:27 UTC
Description of problem:
If you update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients. IOW, most systemctl commands (start/stop/status) will return "Access Denied".

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102

How reproducible:
always

Steps to Reproduce:
1. provision RHEL-7.2 box 
2. yum update -y systemd
3. yum update -y selinux-policy
4  systemctl start reboot.target (attempt to reboot the machine)

Actual results:
systemctl returns access denied error.

Expected results:
No error is returned and machine is cleanly rebooted.

Additional info:
Versions before update on RHEL-7.2 systemd-219-19, selinux-policy-3.13.1-60.el7

Note that explicit "systemctl daeamon-rexec" after selinux-policy update mitigates the problem. I think that as a temporary fix we should re-execute systemd from %post installation script in selinux-policy package.

Comment 2 Milos Malik 2016-11-10 09:13:26 UTC
Did you update a RHEL-7.2 machine to RHEL-7.3 without updating selinux-policy* packages? Do I understand the issue correctly?

Comment 3 Milos Malik 2016-11-10 09:29:39 UTC
The only USER_AVC, which appears before reboot, looks this way:
----
type=USER_AVC msg=audit(11/10/2016 04:20:57.006:289) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/reboot.target cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

The more interesting thing is that the machine does not reboot when you run the reboot command as root insteaf of step 4.

Comment 25 errata-xmlrpc 2017-08-01 15:17:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861