Bug 1688671

Summary: SELinux is preventing init_t to read session_dbusd_tmp_t directories
Product: Red Hat Enterprise Linux 8
Reporter: Cédric Jeanneret <cjeanner>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: medium
Version: 8.2
CC: bnater, jpichon, lvrabec, mmalik, msekleta, plautrba, ssekidde, systemd-maint-list, zpytela
Target Milestone: rc
Target Release: 8.1
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-6
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-05 22:10:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1673107
Bug Blocks:

Description Cédric Jeanneret 2019-03-14 08:06:15 UTC
Description of problem:


Version-Release number of selected component (if applicable):
rpm-plugin-systemd-inhibit-4.14.2-9.el8.x86_64
python3-systemd-234-8.el8.x86_64
systemd-libs-239-13.el8.x86_64
systemd-pam-239-13.el8.x86_64
systemd-udev-239-13.el8.x86_64
systemd-239-13.el8.x86_64
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8+2769+577ad176.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Install a rhel8 system
2. Deploy RHOSP-15
3.

Actual results:
audit.log is spammed with:
type=AVC msg=audit(1552550628.422:5188): avc:  denied  { read } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1552550628.423:5189): avc:  denied  { read } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

Expected results:
Nothing like this should show up

Additional info:
journald log shows:
Mar 14 08:03:49 undercloud.localdomain setroubleshoot[95890]: SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from read access on the directory dbus-1. For complete SELinux messages run: sealert -l d74972a4-9c79-48f7-83b3->
Mar 14 08:03:49 undercloud.localdomain platform-python[95890]: SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from read access on the directory dbus-1.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that systemd-user-runtime-dir should be allowed read access on the dbus-1 directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
    # semodule -X 300 -i my-systemduserru.pp


The policy looks like:
allow init_t session_dbusd_tmp_t:dir read;

I'm not sure we won't need write or other rights (will test on my own and report update here).

Thank you for your support!

Cheers,

C.
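As an added example (not part of the bug report and not code from the selinux-policy project), the following POSIX shell function reproduces the step that the `ausearch ... | audit2allow` pipeline quoted above performs on raw AVC records: it extracts the source type, target type, object class and denied permissions from each record and prints one allow rule per (source, target, class) with the union of the permissions seen. The input is the two records from the report, verbatim, plus one constructed record (a write/add_name denial on the same directory) that is invented here to show how the rule grows if, as the reporter suspects, more than read turns out to be needed; that third record never appeared in the bug. The function names `avc_to_allow`, `rule_for_report` and `rule_with_write` are this example's own.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the "AVC record -> allow rule"
# step that audit2allow performs, so the rule quoted in the report can be checked
# against raw records on a machine without the SELinux tooling installed.

# The two AVC records from the bug report, verbatim.
REPORTED_AVC='type=AVC msg=audit(1552550628.422:5188): avc:  denied  { read } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1552550628.423:5189): avc:  denied  { read } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0'

# A constructed third record (NOT from the bug): the same process denied
# write and add_name on the same directory, as would be logged if
# systemd-user-runtime-dir also had to create entries under dbus-1.
CONSTRUCTED_AVC='type=AVC msg=audit(1552550700.001:5200): avc:  denied  { write add_name } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0'

# avc_to_allow: read raw AVC records on stdin and print one "allow" rule per
# (source type, target type, object class) carrying the union of the denied
# permissions, in the shape audit2allow prints (braces only for several permissions).
avc_to_allow() {
  awk '
    /^type=AVC / && / denied / {
      # the denied permissions are the blank-separated words between "{" and "}"
      b = index($0, "{"); e = index($0, "}")
      nperm = split(substr($0, b + 1, e - b - 1), perm, " ")
      # scontext=/tcontext= hold user:role:type:level; the type is the third field
      match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
      match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
      match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
      for (i = 1; i <= nperm; i++) print s[3], t[3], cls, perm[i]
    }' | sort -u | awk '
    # emit: print the rule accumulated for the current (source target:class) key
    function emit() {
      if (key == "") return
      if (n == 1) print "allow " key " " perms ";"
      else        print "allow " key " { " perms " };"
    }
    {
      k = $1 " " $2 ":" $3
      if (k != key) { emit(); key = k; perms = $4; n = 1 }
      else          { perms = perms " " $4; n++ }
    }
    END { emit() }'
}

# rule_for_report: the rule generated from the two reported records alone.
rule_for_report() { printf '%s\n' "$REPORTED_AVC" | avc_to_allow; }

# rule_with_write: the rule once the constructed write/add_name denial is added.
rule_with_write() { printf '%s\n%s\n' "$REPORTED_AVC" "$CONSTRUCTED_AVC" | avc_to_allow; }

rule_for_report
rule_with_write
```

For the two reported records alone the output is exactly the rule the reporter quotes, `allow init_t session_dbusd_tmp_t:dir read;`; with the constructed record it becomes `allow init_t session_dbusd_tmp_t:dir { add_name read write };`. On a real host the generated rule is only half the picture: before loading it with `semodule`, check whether the target type in the AVC is the type the path is supposed to carry (for example with `restorecon -nv` on the path), because a denial against a mislabeled directory is fixed by relabeling rather than by widening init_t's permissions, which is precisely the question Milos raises in comment 5.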

Comment 5 Milos Malik 2019-04-26 08:58:47 UTC
Is it possible that the directory (mentioned in comment#0) was mislabeled ?

# find /run/ -context \*session_dbusd_tmp_t\*
/run/user/0/dbus-1
/run/user/0/dbus-1/services
/run/user/42/dbus-1
/run/user/42/dbus-1/services
# restorecon -Rv /run/
Relabeled /run/user/0/dbus-1 from unconfined_u:object_r:session_dbusd_tmp_t:s0 to unconfined_u:object_r:user_tmp_t:s0
Relabeled /run/user/0/dbus-1/services from unconfined_u:object_r:session_dbusd_tmp_t:s0 to unconfined_u:object_r:user_tmp_t:s0
Relabeled /run/user/42/dbus-1 from unconfined_u:object_r:session_dbusd_tmp_t:s0 to unconfined_u:object_r:user_tmp_t:s0
Relabeled /run/user/42/dbus-1/services from unconfined_u:object_r:session_dbusd_tmp_t:s0 to unconfined_u:object_r:user_tmp_t:s0
#

Comment 6 Lukas Vrabec 2019-05-17 21:18:31 UTC
commit 1f11e1d145b299da5899271b7af4f4b2bb3c2dea (HEAD -> rhel8.1-base, origin/rhel8.1-base)
Author: Lukas Vrabec <lvrabec>
Date:   Fri May 17 23:16:50 2019 +0200

    Allow init_t to manage session_dbusd_tmp_t dirs
    Resolves: rhbz#1688671

commit ad0ca80e163eb102b1fc9eb6322d82577c4c5ac8 (HEAD -> rhel8.1-contrib, origin/rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Fri May 17 23:14:55 2019 +0200

    Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
    Resolves: rhbz#1688671

Comment 9 Lukas Vrabec 2019-10-29 11:41:46 UTC
*** Bug 1766464 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2019-11-05 22:10:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547