Bug 1413047
| Summary: | Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
| Component: | systemd | Assignee: | systemd-maint |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | awilliam, johannbg, lnykryn, msekleta, muadda, ssahani, s, systemd-maint, zbyszek |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-01-17 20:57:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
And few SELinux reports which I saw a second before login
I am not sure which are related and which are caused by disabled dontaudit rule
SELinux is preventing login from using the rlimitinh access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that login should be allowed rlimitinh access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp
Additional Information:
Source Context system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects Unknown [ process ]
Source login
Source Path login
Port <Unknown>
Host host.example.com
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name host.example.com
Platform Linux host.example.com
4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-01-13 14:06:42 CET
Last Seen 2017-01-13 14:06:42 CET
Local ID a289469d-e0d2-47a4-84bb-55514a8ee52a
Raw Audit Messages
type=AVC msg=audit(1484312802.410:934): avc: denied { rlimitinh } for pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
Hash: login,getty_t,local_login_t,process,rlimitinh
SELinux is preventing login from using the siginh access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that login should be allowed siginh access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp
Additional Information:
Source Context system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects Unknown [ process ]
Source login
Source Path login
Port <Unknown>
Host host.example.com
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name host.example.com
Platform Linux host.example.com
4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-01-13 14:06:42 CET
Last Seen 2017-01-13 14:06:42 CET
Local ID 10f45660-99a6-413c-b502-9aaf2aff560f
Raw Audit Messages
type=AVC msg=audit(1484312802.410:935): avc: denied { siginh } for pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
Hash: login,getty_t,local_login_t,process,siginh
SELinux is preventing login from using the noatsecure access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that login should be allowed noatsecure access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp
Additional Information:
Source Context system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects Unknown [ process ]
Source login
Source Path login
Port <Unknown>
Host host.example.com
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name host.example.com
Platform Linux host.example.com
4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-01-13 14:06:42 CET
Last Seen 2017-01-13 14:06:42 CET
Local ID 63541f56-cff2-45d8-b609-2a15a56d3d1d
Raw Audit Messages
type=AVC msg=audit(1484312802.411:936): avc: denied { noatsecure } for pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
Hash: login,getty_t,local_login_t,process,noatsecure
SELinux is preventing systemd from 'read, write' accesses on the unix_stream_socket unix_stream_socket.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:system_r:kernel_t:s0-s0:c0.c1023
Target Objects unix_stream_socket [ unix_stream_socket ]
Source systemd
Source Path systemd
Port <Unknown>
Host host.example.com
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name host.example.com
Platform Linux host.example.com
4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
UTC 2017 x86_64 x86_64
Alert Count 45
First Seen 2017-01-13 13:51:30 CET
Last Seen 2017-01-13 14:17:46 CET
Local ID fe48d463-6f29-45c3-8a69-f62cb5d5fbee
Raw Audit Messages
type=AVC msg=audit(1484313466.915:974): avc: denied { read write } for pid=1 comm="systemd" path="socket:[141825]" dev="sockfs" ino=141825 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
Hash: systemd,init_t,kernel_t,unix_stream_socket,read,write
Here are AVCs which I used for fixing the issue with "systemctl status --user"
type=AVC msg=audit(1484313466.915:974): avc: denied { read write } for pid=1 comm="systemd" path="socket:[141825]" dev="sockfs" ino=141825 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484315059.928:498): avc: denied { write } for pid=1395 comm="(systemd)" path="socket:[14492]" dev="sockfs" ino=14492 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
I do not have a problem with "systemctl status --user" on older kernel 4.8.15-300.fc25.x86_64 The problem is only with 4.8.16-300.fc25.x86_64 Yes; kernel is from f25 and not from rawhide It works well with f25 systemd and f25 kernel sh$ uname -a Linux vm-115.example.com 4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux sh$ rpm -q systemd systemd-231-10.fc25.x86_64 And there is still problem with latest rawhide kernel sh$ uname -a Linux vm-118.example.com 4.10.0-0.rc3.git1.1.fc26.x86_64 #1 SMP Tue Jan 10 15:32:37 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux sh$ rpm -q systemd systemd-232-6.fc26.x86_64 Probably the same as https://bugzilla.redhat.com/show_bug.cgi?id=1412750 ? ah, apparently not, says zbyszek. See also bug after change to permissive mode https://bugzilla.redhat.com/show_bug.cgi?id=1413075 *** This bug has been marked as a duplicate of bug 1412750 *** |
Description of problem: Version-Release number of selected component (if applicable): sh$ rpm -q systemd selinux-policy systemd-232-6.fc26.x86_64 selinux-policy-3.13.1-233.fc26.noarch How reproducible: Deterministic Steps to Reproduce: 1. #Boot rawhide in SELinux Enforcing mode 2. #login as an ordinary user 3. systemctl status --user Actual results: Failed to read server status: Input/output error Expected results: Displayed all user services Additional info: Related part of journal log with disabled dontaudit rules. I could not see any AVCs by default. Jan 13 14:06:47 host.example.com audit[4036]: CRED_ACQ pid=4036 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="lslebodn" exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=success' Jan 13 14:06:47 host.example.com audit[4036]: USER_ROLE_CHANGE pid=4036 uid=0 auid=20728 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=success' Jan 13 14:06:47 host.example.com audit[4036]: AVC avc: denied { net_admin } for pid=4036 comm="login" capability=12 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0 Jan 13 14:06:47 host.example.com audit[4036]: AVC avc: denied { net_admin } for pid=4036 comm="login" capability=12 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0 Jan 13 14:06:47 host.example.com systemd[1]: Created slice User Slice of lslebodn. Jan 13 14:06:47 host.example.com audit[4133]: AVC avc: denied { write } for pid=4133 comm="(systemd)" path="socket:[14684]" dev="sockfs" ino=14684 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 Jan 13 14:06:47 host.example.com systemd[4133]: user: Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied Jan 13 14:06:47 host.example.com systemd[1]: Starting User Manager for UID 20728... Jan 13 14:06:47 host.example.com systemd[1]: Started User Manager for UID 20728. Jan 13 14:06:47 host.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@20728 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jan 13 14:06:47 host.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@20728 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jan 13 14:06:47 host.example.com systemd-logind[1034]: New session 2 of user lslebodn. Jan 13 14:06:47 host.example.com systemd[1]: Started Session 2 of user lslebodn. There was access denied to the inode 14684 sh# find /sys/ -inum 14684 /sys/devices/platform/serial8250/tty/ttyS21/dev sh matchpathcon /sys/devices/platform/serial8250/tty/ttyS21/dev /sys/devices/platform/serial8250/tty/ttyS21/dev system_u:object_r:sysfs_t:s0 sh# ls -lZ /sys/devices/platform/serial8250/tty/ttyS21/dev -r--r--r--. 1 root root system_u:object_r:sysfs_t:s0 4096 Jan 13 14:15 /sys/devices/platform/serial8250/tty/ttyS21/dev