Bug 1752826
| Summary: | SELinux is preventing systemd-logind from 'read' accesses on the directory entries. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Villy Kruse <ppywlkiqletw> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 31 | CC: | dwalsh, kmansoft, lvrabec, mgrepl, nknazeko, plautrba, zpytela |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:bf1da28a3c331d7f4781444ddbb4fb5d417cb7c90cb0086862fc148112528c4d; | | |
| Fixed In Version: | selinux-policy-3.14.4-39.fc31 selinux-policy-3.14.4-40.fc31 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-13 10:06:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Hi Villy,

Do you have any functionality issues related to this SELinux denial? Or did you just see this SELinux denial in the setroubleshoot tool?

Thanks, Nikola.

(In reply to nknazeko from comment #1)
> Hi Villy,
>
> Do you have any functionality issues related to this SELinux denial? Or did you
> just see this SELinux denial in the setroubleshoot tool?
>
> Thanks, Nikola.

As I always run SELinux in permissive mode I don't have functionality issues. I suspect it has something to do with a new feature as described in https://github.com/systemd/systemd/issues/9896. I can't say much more, except I noticed it occurs with the LXDE environment when doing a reboot from the GUI interface.

PR for Fedora: https://github.com/fedora-selinux/selinux-policy/pull/286

commit 626598424d91ec84dba4e27684c57828f704899a (HEAD -> rawhide, origin/rawhide)
Author: Nikola Knazekova <nknazeko>
Date: Fri Oct 4 17:21:06 2019 +0200
Allow systemd_logind to read dosfs files & dirs
Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
Fixed Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1751766
https://bugzilla.redhat.com/show_bug.cgi?id=1752826
FEDORA-2019-7ef1fde499 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

selinux-policy-3.14.4-38.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

(In reply to Lukas Vrabec from comment #4)
> commit 626598424d91ec84dba4e27684c57828f704899a (HEAD -> rawhide, origin/rawhide)
> Author: Nikola Knazekova <nknazeko>
> Date: Fri Oct 4 17:21:06 2019 +0200
>
> Allow systemd_logind to read dosfs files & dirs
> Allow systemd-logind - a system service that manages user logins, to
> read files and list dirs on a DOS filesystem
>
> Fixed Bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=1751766
> https://bugzilla.redhat.com/show_bug.cgi?id=1752826

As far as I can see, this commit is not (yet as of 27 October) ported to the f31 branch of selinux-policy.

Villy,
You're right. Sorry I forgot to back port it from Rawhide.
commit 4431fb750c8ccc8e2204325588de9d5e02b62a8d (HEAD -> f31, origin/f31)
Author: Nikola Knazekova <nknazeko>
Date: Fri Oct 4 17:21:06 2019 +0200
Allow systemd_logind to read dosfs files & dirs
Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem
Fixed Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1751766
https://bugzilla.redhat.com/show_bug.cgi?id=1752826
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

I think we need a new build for f31 before closing this report.

Still an issue with
selinux-policy-3.14.4-39.fc31.noarch
systemd-243-4.gitef67743.fc31.x86_64
Fedora 31, XFCE
Please reopen
-----
SELinux is preventing systemd-logind from read access on the directory entries.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-logind should be allowed read access on the entries directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp
Additional Information:
Source Context system_u:system_r:systemd_logind_t:s0
Target Context system_u:object_r:dosfs_t:s0
Target Objects entries [ dir ]
Source systemd-logind
Source Path systemd-logind
Port <Unknown>
Host frida
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.4-39.fc31.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name frida
Platform Linux frida 5.3.8-300.fc31.x86_64 #1 SMP Tue Oct 29 14:28:41 UTC 2019 x86_64 x86_64
Alert Count 4
First Seen 2019-11-01 20:17:31 MSK
Last Seen 2019-11-02 09:41:18 MSK
Local ID e734bfc4-cb08-4ebd-858e-da2c45be65eb
Raw Audit Messages
type=AVC msg=audit(1572676878.418:203): avc: denied { read } for pid=937 comm="systemd-logind" name="entries" dev="sda1" ino=116 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=0
Hash: systemd-logind,systemd_logind_t,dosfs_t,dir,read
FEDORA-2019-aec8f7ab50 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50

selinux-policy-3.14.4-40.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50

selinux-policy-3.14.4-40.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:
systemd-logind sometimes wants to inspect the configuration files used by systemd-bootd. In particular it is looking for the files in /boot/efi/loader/entries. These files only exist if you disable grub2 and use systemd-bootd.

SELinux is preventing systemd-logind from 'read' accesses on the directory entries.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-logind should be allowed read access on the entries directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context system_u:system_r:systemd_logind_t:s0
Target Context system_u:object_r:dosfs_t:s0
Target Objects entries [ dir ]
Source systemd-logind
Source Path systemd-logind
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.4-32.fc31.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 5.3.0-0.rc6.git0.1.fc31.x86_64 #1 SMP Mon Aug 26 13:01:25 UTC 2019 x86_64 x86_64
Alert Count 1
First Seen 2019-09-14 11:54:25 CEST
Last Seen 2019-09-14 11:54:25 CEST
Local ID 468beb2e-1819-431e-874d-c33fd744b96e

Raw Audit Messages
type=AVC msg=audit(1568454865.144:246): avc: denied { read } for pid=419 comm="systemd-logind" name="entries" dev="vdb1" ino=17 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1

Hash: systemd-logind,systemd_logind_t,dosfs_t,dir,read

Version-Release number of selected component:
selinux-policy-3.14.4-32.fc31.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.10.1
hashmarkername: setroubleshoot
kernel: 5.3.0-0.rc6.git0.1.fc31.x86_64
type: libreport
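The setroubleshoot suggestion in the reports above pipes `ausearch --raw` into `audit2allow -M` to build a local policy module. The Python below is an added example, not code from this bug report, from setroubleshoot or from the selinux-policy project; it does the core of that step offline on the two AVC records quoted in this bug: it parses them, merges them into the allow rule audit2allow would emit, separates the enforcing-mode denial (permissive=0) from the permissive-mode one (permissive=1), and checks whether a candidate rule set covers a denial. The permission sets in `FIX_RULES` are an assumption (the refpolicy `list_dir_perms` and `read_file_perms` expansions, used to approximate "read files and list dirs on a DOS filesystem"), not the exact rules of the Fedora commit.

```python
"""Turn raw SELinux AVC records into the allow rules audit2allow would emit.

Added example for this bug report; it is not code from the report,
from setroubleshoot, or from the selinux-policy project.
"""
import re
from collections import defaultdict

# The two AVC records quoted in this bug report (original description and the
# later enforcing-mode report); they are the only input used.
AVC_LINES = [
    'type=AVC msg=audit(1568454865.144:246): avc: denied { read } for pid=419 '
    'comm="systemd-logind" name="entries" dev="vdb1" ino=17 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1572676878.418:203): avc: denied { read } for pid=937 '
    'comm="systemd-logind" name="entries" dev="sda1" ino=116 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=0',
]

# Assumed expansion of the refpolicy list_dir_perms / read_file_perms macros,
# used to approximate "read files and list dirs on a DOS filesystem"; the
# exact rules in the Fedora commit are not reproduced here.
FIX_RULES = {
    ('systemd_logind_t', 'dosfs_t', 'dir'): {'getattr', 'search', 'open', 'read', 'lock', 'ioctl'},
    ('systemd_logind_t', 'dosfs_t', 'file'): {'getattr', 'open', 'read', 'lock', 'ioctl'},
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; returns None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': frozenset(m.group('perms').split()),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
        # permissive=1 means the access was logged but allowed to proceed
        'permissive': m.group('permissive') == '1',
    }


def enforced_denials(lines):
    """Only the denials that actually blocked an access (permissive=0)."""
    return [d for d in map(parse_avc, lines) if d and not d['permissive']]


def build_rules(lines):
    """Merge denials into (source type, target type, class) -> permissions."""
    merged = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(merged)


def render_te(rules, module='my-systemdlogind', version='1.0'):
    """Render the rules as a .te source: module line, require block, allows."""
    types = sorted({t for (s, o, _) in rules for t in (s, o)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {module} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {{ {" ".join(sorted(p))} }};' for cls, p in sorted(classes.items())]
    out += ['}', '']
    for (s, o, cls), perms in sorted(rules.items()):
        out.append(f'allow {s} {o}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'


def is_covered(denial, rules):
    """True if every denied permission is granted by rules for that triple."""
    key = (denial['stype'], denial['ttype'], denial['tclass'])
    return denial['perms'] <= rules.get(key, set())


if __name__ == '__main__':
    rules = build_rules(AVC_LINES)
    print(render_te(rules))
    for d in enforced_denials(AVC_LINES):
        print('blocked in enforcing mode:', d, 'covered by fix:', is_covered(d, FIX_RULES))
```

Two points this makes concrete. A local module built this way grants exactly the permissions that were logged (here only `read` on the `entries` directory), so it is narrower than a distribution fix that also allows reading the files underneath; in enforcing mode further denials can appear once the first one is allowed, and the module has to be regenerated. And a record with `permissive=1` was logged but not blocked, which is why the original reporter, running in permissive mode, saw no functional problem while the later enforcing-mode report did.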