Bug 1800927
| Summary: | SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses on the lnk_file /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@0.service. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 32 | CC: | awilliam, dwalsh, grepl.miroslav, hdegoede, kparal, lvrabec, plautrba, stransky, ttomasz, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:481ca6e5756fbb5dfdd2515a735c14d9e9f6c018a089d28b950a984b3778e671;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.14.5-32.fc32 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-30 00:17:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1812955 | ||
| Bug Blocks: | |||
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32. *** Bug 1801121 has been marked as a duplicate of this bug. *** *** Bug 1802677 has been marked as a duplicate of this bug. *** Similar problem has been detected: I just upgraded to Fedora 32 and I'm spammed with these SELinux alerts right after boot. hashmarkername: setroubleshoot kernel: 5.6.0-0.rc3.git0.1.fc32.x86_64 package: selinux-policy-3.14.5-28.fc32.noarch reason: SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses on the lnk_file /run/user/1000/systemd/units/invocation:gnome-shell-x11.service. type: libreport I had about 300 occurrences of this alert in the last few days. This is by far the most frequent source of "New SELinux security alert" popups. Can we please do something about this? It's extremely frequent. *** Bug 1809993 has been marked as a duplicate of this bug. *** Kamil, I understand it needs to be addressed soon. commit 64e6995beda26de512045d73159054e274427a1a (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Mon Mar 23 14:56:22 2020 +0100
Allow systemd-journald to read user_tmp_t symlinks
Resolves: rhbz#1800927
Similar problem has been detected: Not sure what specifically triggered this. Just found it when checking AVCs in my current boot. I've just booted to Workstation and done usual desktop-y stuff. hashmarkername: setroubleshoot kernel: 5.6.0-0.rc5.git0.2.fc32.x86_64 package: selinux-policy-3.14.5-31.fc32.noarch reason: SELinux is preventing systemd-journal from 'read' accesses on the lnk_file /run/user/1001/systemd/units/invocation:gnome-shell-wayland.service. type: libreport Similar problem has been detected: This SELinux Alert started to show after I upgraded my F31 KDE to F32. hashmarkername: setroubleshoot kernel: 5.6.0-0.rc7.git0.2.fc32.x86_64 package: selinux-policy-3.14.5-31.fc32.noarch reason: SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses on the lnk_file /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd. type: libreport FEDORA-2020-32711482f7 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-32711482f7` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-32711482f7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-32711482f7 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. I can confirm the update fixes this problem. Thanks Kamil for testing. |
Description of problem: SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses on the lnk_file /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd default label should be session_dbusd_tmp_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that systemd-journald should be allowed read access on the invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal # semodule -X 300 -i my-systemdjournal.pp Additional Information: Source Context system_u:system_r:syslogd_t:s0 Target Context unconfined_u:object_r:user_tmp_t:s0 Target Objects /run/user/1000/systemd/units/invocation:dbus-:1.2- org.fedoraproject.Setroubleshootd [ lnk_file ] Source systemd-journal Source Path /usr/lib/systemd/systemd-journald Port <Unknown> Host (removed) Source RPM Packages systemd-245~rc1-1.fc32.x86_64 Target RPM Packages Policy RPM selinux-policy-3.14.5-24.fc32.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 5.6.0-0.rc0.git5.1.fc32.x86_64 #1 SMP Fri Feb 7 17:00:23 UTC 2020 x86_64 x86_64 Alert Count 14 First Seen 2020-02-09 13:53:32 +05 Last Seen 2020-02-09 13:55:48 +05 Local ID b02c481f-5356-4776-9edc-ff28cabd75f5 Raw Audit Messages type=AVC msg=audit(1581238548.450:480): avc: denied { read } for pid=771 comm="systemd-journal" name="invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd" dev="tmpfs" ino=81353 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1 type=SYSCALL msg=audit(1581238548.450:480): arch=x86_64 syscall=readlinkat success=yes exit=EPIPE a0=ffffff9c a1=564120fb8ea0 a2=564120fb4e70 a3=1000 items=1 ppid=1 pid=771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null) type=CWD msg=audit(1581238548.450:480): cwd=/ type=PATH msg=audit(1581238548.450:480): item=0 name=/run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd inode=81353 dev=00:2a mode=0120777 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 Hash: systemd-journal,syslogd_t,user_tmp_t,lnk_file,read Version-Release number of selected component: selinux-policy-3.14.5-24.fc32.noarch Additional info: component: selinux-policy reporter: libreport-2.12.0 hashmarkername: setroubleshoot kernel: 5.6.0-0.rc0.git5.1.fc32.x86_64 type: libreport