Bug 1769228

Summary: systemd triggers SELinux denials when confined users run systemctl --user status
Product: [Fedora] Fedora Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 31CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.4-43.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-11 02:05:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1767779    

Description Milos Malik 2019-11-06 08:26:04 UTC 
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-40.fc31.noarch
selinux-policy-devel-3.14.4-40.fc31.noarch
selinux-policy-targeted-3.14.4-40.fc31.noarch
systemd-243-2.gitfab6f01.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-libs-243-2.gitfab6f01.fc31.x86_64
systemd-pam-243-2.gitfab6f01.fc31.x86_64
systemd-rpm-macros-243-2.gitfab6f01.fc31.noarch
systemd-udev-243-2.gitfab6f01.fc31.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 machine (targeted policy is active)
2. create new users based on confined users (for exmaple: user_u, staff_u)
3. log in as the confined user via ssh
4. run systemctl --user status
5. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(11/06/2019 03:11:49.466:378) : proctitle=(systemd) 
type=SYSCALL msg=audit(11/06/2019 03:11:49.466:378) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_LOAD a1=0x7ffd9d07c470 a2=0x70 a3=0x55e9cdc18ec0 items=0 ppid=1 pid=22822 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/06/2019 03:11:49.466:378) : avc:  denied  { prog_load } for  pid=22822 comm=systemd scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=bpf permissive=0 
----
type=PROCTITLE msg=audit(11/06/2019 03:12:09.995:388) : proctitle=(systemd) 
type=PATH msg=audit(11/06/2019 03:12:09.995:388) : item=0 name=/etc/adjtime inode=143258 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:adjtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/06/2019 03:12:09.995:388) : cwd=/ 
type=SYSCALL msg=audit(11/06/2019 03:12:09.995:388) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f187f83e0dd a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=22822 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/06/2019 03:12:09.995:388) : avc:  denied  { read } for  pid=22822 comm=systemd name=adjtime dev="vda1" ino=143258 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(11/06/2019 03:14:02.774:427) : proctitle=(systemd) 
type=SYSCALL msg=audit(11/06/2019 03:14:02.774:427) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_LOAD a1=0x7ffcf27e59e0 a2=0x70 a3=0x5561f450aa40 items=0 ppid=1 pid=22879 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=7 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(11/06/2019 03:14:02.774:427) : avc:  denied  { prog_load } for  pid=22879 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=0 
----
type=PROCTITLE msg=audit(11/06/2019 03:14:11.271:437) : proctitle=(systemd) 
type=PATH msg=audit(11/06/2019 03:14:11.271:437) : item=0 name=/etc/adjtime inode=143258 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:adjtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/06/2019 03:14:11.271:437) : cwd=/ 
type=SYSCALL msg=audit(11/06/2019 03:14:11.271:437) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fca060e60dd a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=22879 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=7 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(11/06/2019 03:14:11.271:437) : avc:  denied  { read } for  pid=22879 comm=systemd name=adjtime dev="vda1" ino=143258 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:
 * there are no SELinux denials when the same scenario is executed under sysadm_u
Comment 1 Lukas Vrabec 2019-11-06 09:31:01 UTC 
commit b1f64ef6da0d4cd5fa6f34358c945bf1e29c0780 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 6 10:20:12 2019 +0100

    Allow users using template userdom_unpriv_user_template() to run bpf
    tool
    
    Resolves: rhbz#1769228

commit e9956387f9a8d905ab8d2408a866119f932dcb52 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 6 10:29:08 2019 +0100

    Allow x_userdomain to read adjtime_t files
    
    Resolves: rhbz#1769228
Comment 2 Zdenek Pytela 2019-11-06 09:38:07 UTC 
Note the bpf-class denial is rather related to logging in, cf #1767714
Comment 3 Fedora Update System 2019-11-22 16:17:23 UTC 
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
Comment 4 Fedora Update System 2019-11-23 02:39:11 UTC 
selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
Comment 5 Fedora Update System 2019-12-06 18:02:28 UTC 
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
Comment 6 Fedora Update System 2019-12-07 03:38:20 UTC 
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
Comment 7 Fedora Update System 2019-12-11 02:05:49 UTC 
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.