Bug 1797324
| Summary: | SELinux is preventing (fwupd) from 'mounton' accesses on the directory /run/systemd/unit-root/run/motd.d. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michael <michael.scheiffler> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 31 | CC: | dwalsh, grepl.miroslav, lvrabec, mario_limonciello, plautrba, rhbz, rhughes, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:7a9c33049d29b7970df230e89093904df03f20a26e19c06333cdb2989cdd3382;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-02-13 15:04:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
more detailed logs, from systemd-analyze log-level debug: Successfully mounted /run/systemd/inaccessible/dir to /run/systemd/unit-root/home Applying namespace mount on /run/systemd/unit-root/proc Applying namespace mount on /run/systemd/unit-root/root Successfully mounted /run/systemd/inaccessible/dir to /run/systemd/unit-root/root Applying namespace mount on /run/systemd/unit-root/run/motd.d Followed source symlinks /run/motd.d → /run/motd.d. Failed to mount /run/motd.d to /run/systemd/unit-root/run/motd.d: Permission denied fwupd.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/motd.d: Permission denied fwupd.service: Failed at step NAMESPACE spawning /usr/libexec/fwupd/fwupd: Permission denied I believe that this is because /run/motd.d is marked as pam_var_run_t, which systemd does not have mounton access to. Because of how systemd sandboxing works, it needs to mount /run/motd.d into the sandbox of fwupd (/run/systemd/unit-root/). https://github.com/fwupd/fwupd/commit/d81ea2e3fc0de9cf73a63fcd9f7360e54e03ed31 commit introducing new required access permissions for fwupd The daemon writes into a folder in the per-service systemd runtime directory, but I don't know why that's being labelled pam_var_run_t. Because selinux fails the call to set up the mount namespacing, fwupd.service fails to start and there's a 30s timeout for all clients, which includes gnome-software which is started by default on all workstation installs. Hi Richard, This permission set is granted in the current version of policy: $ rpm -q selinux-policy --changelog|more * Fri Feb 07 2020 Zdenek Pytela <zpytela> - 3.14.4-47 - Allow ipa_custodia_t create and use netlink_route_socket sockets. - Allow networkmanager_t transition to setfiles_t - Create init_create_dirs boolean to allow init create directories - Create files_create_non_security_dirs() interface Please update the selinux-policy package. Closing, feel free to reopen the bugzilla if the issue persists. |
Description of problem: dnf upgrade SELinux is preventing (fwupd) from 'mounton' accesses on the directory /run/systemd/unit-root/run/motd.d. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /run/systemd/unit-root/run/motd.d default label should be init_var_run_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /run/systemd/unit-root/run/motd.d ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that (fwupd) should be allowed mounton access on the motd.d directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '(fwupd)' --raw | audit2allow -M my-fwupd # semodule -X 300 -i my-fwupd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:pam_var_run_t:s0 Target Objects /run/systemd/unit-root/run/motd.d [ dir ] Source (fwupd) Source Path (fwupd) Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.4-45.fc31.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.4.15-200.fc31.x86_64 #1 SMP Tue Jan 28 09:08:32 UTC 2020 x86_64 x86_64 Alert Count 1 First Seen 2020-02-02 17:18:25 CET Last Seen 2020-02-02 17:18:25 CET Local ID 9f7e2402-6ce3-4396-9d72-3c4db8d95d1d Raw Audit Messages type=AVC msg=audit(1580660305.557:300): avc: denied { mounton } for pid=8712 comm="(fwupd)" path="/run/systemd/unit-root/run/motd.d" dev="tmpfs" ino=13035 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir permissive=0 Hash: (fwupd),init_t,pam_var_run_t,dir,mounton Version-Release number of selected component: selinux-policy-3.14.4-45.fc31.noarch Additional info: component: selinux-policy reporter: libreport-2.11.3 hashmarkername: setroubleshoot kernel: 5.4.15-200.fc31.x86_64 type: libreport