Bug 1401625

Summary:	user_r can't run systemctl --user
Product:	[Fedora] Fedora	Reporter:	Robin Powell <rlpowell>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	low	Docs Contact:
Priority:	low
Version:	25	CC:	dominick.grift, dwalsh, jpokorny, lvrabec, mgrepl, plautrba, pmoore, ssekidde
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	selinux-policy-3.13.1-225.6.fc25	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-01-11 07:23:38 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Robin Powell 2016-12-05 18:07:27 UTC

This may be a policy decision rather than a bug, but if so I'd like to know how I should handle this situation.

I want to let users use systemctl --user to talk to systemd --user to launch things at boot time.  My normal users are user_r, and the unconfined module is disabled.

Running "/usr/bin/systemctl --user status" as such a user with dontaudit off and setenforce 0 gives:



type=AVC msg=audit(1480961161.434:45524): avc:  denied  { rlimitinh } for  pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.434:45525): avc:  denied  { siginh } for  pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.435:45526): avc:  denied  { noatsecure } for  pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.445:45530): avc:  denied  { net_admin } for  pid=30185 comm="crond" capability=12  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=USER_AVC msg=audit(1480961161.473:45531): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480961161.500:45532): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[833929]" dev="sockfs" ino=833929 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1480961161.504:45533): avc:  denied  { wake_alarm } for  pid=340 comm="systemd-udevd" capability=35  scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.545:45534): avc:  denied  { rlimitinh } for  pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.545:45535): avc:  denied  { siginh } for  pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.546:45536): avc:  denied  { noatsecure } for  pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.615:45541): avc:  denied  { wake_alarm } for  pid=340 comm="systemd-udevd" capability=35  scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.619:45542): avc:  denied  { rlimitinh } for  pid=30187 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.619:45543): avc:  denied  { siginh } for  pid=30187 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.650:45544): avc:  denied  { wake_alarm } for  pid=340 comm="systemd-udevd" capability=35  scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.737:45548): avc:  denied  { rlimitinh } for  pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.737:45549): avc:  denied  { siginh } for  pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.738:45550): avc:  denied  { noatsecure } for  pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.749:45552): avc:  denied  { net_admin } for  pid=30185 comm="crond" capability=12  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1480961161.851:45555): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[833989]" dev="sockfs" ino=833989 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1480961163.135:45556): avc:  denied  { execute } for  pid=30240 comm="bash" name="systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961163.136:45557): avc:  denied  { read open } for  pid=30240 comm="bash" path="/usr/bin/systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961163.136:45558): avc:  denied  { execute_no_trans } for  pid=30240 comm="bash" path="/usr/bin/systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1


Let me know what the correct solution is.  Thanks.

Comment 1 Lukas Vrabec 2016-12-06 16:42:10 UTC

Hi, 

Could you try this local policy?

$ cat user_systemd.cil 
(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))

Please let me know. 
Thanks.

Comment 2 Robin Powell 2016-12-28 07:18:59 UTC

I'm sorry, I've never used cil before, so my apologies if I'm doing something dumb, but:

rlpowell@vrici> sudo semodule -i /tmp/user_systemd.cil
Invalid syntax
Bad class-permissions
Problem filling class-permissions list
Bad allow rule at /var/lib/selinux/targeted/tmp/modules/400/user_systemd/cil:1
/sbin/semodule:  Failed!

Comment 3 Robin Powell 2016-12-28 07:19:38 UTC

Just in case:

rlpowell@vrici> cat /tmp/user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))

Comment 4 Robin Powell 2016-12-28 07:22:18 UTC

Ah, I figured it out.  Yes, this:

rlpowell@vrici> sudo semodule -i /tmp/user_systemd.cil
rlpowell@vrici> cat /tmp/user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file (execute execute_no_trans open read)))

seems to work.

Comment 5 Robin Powell 2016-12-28 07:25:54 UTC

(note that the problem before was "(file execute ...)" instead of "(file (execute ...))")

Comment 6 Fedora Update System 2017-01-08 22:21:56 UTC

selinux-policy-3.13.1-225.6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a

Comment 7 Fedora Update System 2017-01-10 03:25:30 UTC

selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a

Comment 8 Jan Pokorný [poki] 2017-01-10 22:23:01 UTC

Please build this also for f26/rawhide as this is where I observe
something pretty similar.

Comment 9 Jan Pokorný [poki] 2017-01-10 22:39:11 UTC

In fact, with selinux-policy-3.13.1-231.fc26.noarch, the main problem I have
is that with enforcing SELinux, I am receiving:

$ su -c "systemctl status --no-pager -l user@$(id -u)"
> ● user - User Manager for UID 1000
>    Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)
>    Active: inactive (dead)
>
> Jan 10 22:17:42 betenoire systemd[1]: Starting User Manager for UID 1000...
> Jan 10 22:17:42 betenoire systemd[1167]: user: Failed at step USER spawning
> /usr/lib/systemd/systemd: Permission denied
> Jan 10 22:17:42 betenoire systemd[1]: Started User Manager for UID 1000.

whereas after setting to permissive and relogin, it works.

I am not sure if it's a material for a separate bug, but the workaround from
[comment 1] does not seem to help with this prerequisite (at least I think
it is a hard prerequisite for "systemctl --user" to succeed).

Comment 10 Fedora Update System 2017-01-11 07:23:38 UTC

selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Jan Pokorný [poki] 2017-01-11 10:35:29 UTC

OK, received update up to selinux-policy-3.13-1.233.fc26 and it did not
help for issue detailed in [comment 9], will file a separate bug for
that with details.

Comment 12 Robin Powell 2017-02-01 01:34:27 UTC

This seems to mostly work; the only problem I'm having is that "/bin/systemctl --user status" doesn't show logs; my local hack is:

logging_list_logs(user_t)
logging_read_generic_logs(user_t)
init_script_file_entry_type(user_t)