Bug 1401625
| Summary: | user_r can't run systemctl --user | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robin Powell <rlpowell> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 25 | CC: | dominick.grift, dwalsh, jpokorny, lvrabec, mgrepl, plautrba, pmoore, ssekidde |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-225.6.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-11 07:23:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Robin Powell
2016-12-05 18:07:27 UTC
Hi,

Could you try this local policy?

```
$ cat user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))
```

Please let me know. Thanks.

I'm sorry, I've never used cil before, so my apologies if I'm doing something dumb, but:

```
rlpowell@vrici> sudo semodule -i /tmp/user_systemd.cil
Invalid syntax
Bad class-permissions
Problem filling class-permissions list
Bad allow rule at /var/lib/selinux/targeted/tmp/modules/400/user_systemd/cil:1
/sbin/semodule: Failed!
```

Just in case:

```
rlpowell@vrici> cat /tmp/user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))
```

Ah, I figured it out. Yes, this:

```
rlpowell@vrici> sudo semodule -i /tmp/user_systemd.cil
rlpowell@vrici> cat /tmp/user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file (execute execute_no_trans open read)))
```

seems to work. (Note that the problem before was "(file execute ...)" instead of "(file (execute ...))".)

selinux-policy-3.13.1-225.6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a

selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a

Please build this also for f26/rawhide as this is where I observe something pretty similar. In fact, with selinux-policy-3.13.1-231.fc26.noarch, the main problem I have is that with enforcing SELinux, I am receiving:

```
$ su -c "systemctl status --no-pager -l user@$(id -u)"
● user - User Manager for UID 1000
   Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)
   Active: inactive (dead)

Jan 10 22:17:42 betenoire systemd[1]: Starting User Manager for UID 1000...
Jan 10 22:17:42 betenoire systemd[1167]: user: Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied
Jan 10 22:17:42 betenoire systemd[1]: Started User Manager for UID 1000.
```

whereas after setting to permissive and relogin, it works. I am not sure if it's material for a separate bug, but the workaround from [comment 1] does not seem to help with this prerequisite (at least I think it is a hard prerequisite for "systemctl --user" to succeed).

selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

OK, received update up to selinux-policy-3.13-1.233.fc26 and it did not help for the issue detailed in [comment 9]; will file a separate bug for that with details.

This seems to mostly work; the only problem I'm having is that "/bin/systemctl --user status" doesn't show logs; my local hack is:

```
logging_list_logs(user_t)
logging_read_generic_logs(user_t)
init_script_file_entry_type(user_t)
```
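The syntax slip that tripped up `semodule` above, as an added illustration that is not part of the bug report: a small hypothetical parser for CIL `allow` rules that accepts the nested `(file (execute ...))` class-permissions form and rejects the flat `(file execute ...)` form with the same kind of diagnostic. It is a teaching tool written for this page, not libsepol's real CIL compiler, and the two rule strings are the ones from the thread.

```python
"""Added example: check the class-permissions nesting of a CIL allow rule.
CIL expects (allow SRC TGT (CLASS (PERM ...))). The flat form
(allow SRC TGT (CLASS PERM ...)) is what semodule rejected as
"Bad class-permissions". This parser is a hypothetical teaching tool,
not the real CIL compiler from libsepol."""
import re

# The rule as first submitted (rejected) and as corrected (accepted),
# both taken from the bug report.
BROKEN_RULE = "(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))"
FIXED_RULE = "(allow user_t systemd_systemctl_exec_t (file (execute execute_no_trans open read)))"

def parse_sexpr(text):
    """Parse one S-expression into nested Python lists of strings."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced expression")
    return stack[0][0]

def check_allow_rule(text):
    """Return (source, target, class, perms) for a well-formed allow rule,
    or raise ValueError mirroring the semodule diagnostic for a flat list."""
    expr = parse_sexpr(text)
    if not (isinstance(expr, list) and len(expr) == 4 and expr[0] == "allow"):
        raise ValueError("Bad allow rule: expected (allow src tgt classperms)")
    src, tgt, classperms = expr[1], expr[2], expr[3]
    # classperms must be (CLASS (PERM ...)): exactly two items, the second
    # of which is itself a list of permission names.
    if (not isinstance(classperms, list) or len(classperms) != 2
            or not isinstance(classperms[0], str)
            or not isinstance(classperms[1], list)
            or not all(isinstance(p, str) for p in classperms[1])):
        raise ValueError("Bad class-permissions: perms must be a nested list")
    return src, tgt, classperms[0], tuple(classperms[1])

if __name__ == "__main__":
    for rule in (BROKEN_RULE, FIXED_RULE):
        try:
            print("OK ", check_allow_rule(rule))
        except ValueError as err:
            print("ERR", err)
```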