Bug 1412165

Summary: user@.service (systemd --user) silently fails on being started by systemd with enforcing SELinux
Product: [Fedora] Fedora Reporter: Jan Pokorný [poki] <jpokorny>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, ssekidde, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-07 17:23:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pokorný [poki] 2017-01-11 12:23:49 UTC
This was initially mentioned at [bug 1401625 comment 9], but is orthogonal
to that very bug.

After disabling dontaudit rules and subsequent user relogin, I observe:

type=AVC msg=audit(1484136253.411:210): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[35285]" dev="sockfs" ino=35285 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484136255.877:213): avc:  denied  { rlimitinh } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.877:214): avc:  denied  { siginh } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.878:215): avc:  denied  { noatsecure } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:217): avc:  denied  { rlimitinh } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:218): avc:  denied  { siginh } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:219): avc:  denied  { noatsecure } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:221): avc:  denied  { rlimitinh } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:222): avc:  denied  { siginh } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:223): avc:  denied  { noatsecure } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:226): avc:  denied  { rlimitinh } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:227): avc:  denied  { siginh } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:228): avc:  denied  { noatsecure } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.034:233): avc:  denied  { net_admin } for  pid=1613 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1484136257.034:234): avc:  denied  { net_admin } for  pid=1613 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1484136257.044:235): avc:  denied  { write } for  pid=1617 comm="(systemd)" path="socket:[16693]" dev="sockfs" ino=16693 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1484136257.050:241): avc:  denied  { siginh } for  pid=1618 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.050:242): avc:  denied  { noatsecure } for  pid=1618 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136336.182:255): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[31397]" dev="sockfs" ino=31397 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484136336.182:256): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[31398]" dev="sockfs" ino=31398 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

This is overapproximation what needs to be looked at, but "systemd" process
is the most suitable candidate AFAICT.

systemd-232-6.fc26.x86_64
selinux-policy-3.13.1-233.fc26.noarch

Comment 1 Jan Pokorný [poki] 2017-01-11 12:25:34 UTC
Note that no such symptom is exhibited after turning SELinux to permissive.

Comment 2 Jan Pokorný [poki] 2017-01-12 16:56:46 UTC
As an aside, there's an upstream request to make this sort of execution
failures more self-explanatory:
https://github.com/systemd/systemd/issues/5000#issuecomment-271899678

Comment 3 Jan Pokorný [poki] 2017-02-07 17:23:40 UTC
This is working correctly again after updating to
selinux-policy-3.13.1-236.fc26.

Looking at the changelog, I think this was in fact a forerunner
of [bug 1412750].

*** This bug has been marked as a duplicate of bug 1412750 ***