Bug 1835630

Summary: some confined users cannot successfully run userdbctl because of SELinux
Product: [Fedora] Fedora Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Richard Fiľo <rfilo>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 32CC: dwalsh, grepl.miroslav, lvrabec, plautrba, rfilo, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.5-43.fc32 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-31 15:50:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1812955    
Bug Blocks:    

Description Milos Malik 2020-05-14 08:23:30 UTC 
Description of problem:
 * I'm not sure if all confined users should be able to run userdbctl

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-38.fc32.noarch
selinux-policy-devel-3.14.5-38.fc32.noarch
selinux-policy-doc-3.14.5-38.fc32.noarch
selinux-policy-targeted-3.14.5-38.fc32.noarch
systemd-245.4-1.fc32.x86_64
systemd-libs-245.4-1.fc32.x86_64
systemd-pam-245.4-1.fc32.x86_64
systemd-rpm-macros-245.4-1.fc32.noarch
systemd-udev-245.4-1.fc32.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 32 machine (targeted policy is active)
2. create confined users (guest_u, xguest_u)
3. log into the machine as each of the confined users
4. run "userdbctl user" or "userdbctl group" as each of the confined users
5. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(05/14/2020 09:41:37.709:1214) : proctitle=userdbctl user 
type=PATH msg=audit(05/14/2020 09:41:37.709:1214) : item=0 name=/run/systemd/userdb/io.systemd.Multiplexer inode=20688 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/14/2020 09:41:37.709:1214) : cwd=/home/user8288 
type=SOCKADDR msg=audit(05/14/2020 09:41:37.709:1214) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.Multiplexer } 
type=SYSCALL msg=audit(05/14/2020 09:41:37.709:1214) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffeea292db0 a2=0x2d a3=0x64 items=1 ppid=36693 pid=36694 auid=user7455 uid=user7455 gid=user7455 euid=user7455 suid=user7455 fsuid=user7455 egid=user7455 sgid=user7455 fsgid=user7455 tty=pts2 ses=29 comm=userdbctl exe=/usr/bin/userdbctl subj=xguest_u:xguest_r:xguest_t:s0 key=(null) 
type=AVC msg=audit(05/14/2020 09:41:37.709:1214) : avc:  denied  { write } for  pid=36694 comm=userdbctl name=io.systemd.Multiplexer dev="tmpfs" ino=20688 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0 
----

Expected results:
 * no SELinux denials (appropriate allow or dontaudit rule is present in the SELinux policy)

Additional info:
userdbctl executed by confined users produces error messages like these:
Failed to enumerate groups: Permission denied
Failed to open /run/systemd/userdb/: Permission denied
Comment 1 Zdenek Pytela 2020-08-12 13:38:09 UTC 
Looks like something has changed, I cannot confirm the bug as described neither in F32 nor F33.
I was checking this while working on bz#1862686 and bz#1865748.

systemd-245.6-2.fc32.x86_64
systemd-246~rc1-1.fc33.x86_64
no related rules added to selinux-policy
Comment 2 Richard Fiľo 2020-08-24 09:52:05 UTC 
I propose this fix:

PR: https://github.com/fedora-selinux/selinux-policy/pull/414

Link to scratch build: https://download.copr.fedorainfracloud.org/results/rfilo/Selinux-policy-f32/fedora-32-x86_64/01629806-selinux-policy/
Comment 3 Lukas Vrabec 2020-08-24 12:49:36 UTC 
commit 5e9918310dccf6d6dd1da52c19ce2a2927d0a96e (HEAD -> rawhide, origin/rawhide)
Author: Richard Filo <rfilo>
Date:   Mon Aug 24 10:55:10 2020 +0200

    Allow all users to connect to systemd-userdbd with a unix socket
    
    Add interface systemd_userdbd_stream_connect() to allow communication using userdb sockets.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1835630
Comment 4 Fedora Update System 2020-08-27 21:10:37 UTC 
FEDORA-2020-740de661da has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-740de661da
Comment 5 Fedora Update System 2020-08-28 14:55:09 UTC 
FEDORA-2020-740de661da has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-740de661da`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-740de661da

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2020-08-31 15:50:02 UTC 
FEDORA-2020-740de661da has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.