Bug 1860443

Summary: AVC denial init_t home_bin_t when systemd ExecStart executable in user's home bin directory
Product: Red Hat Enterprise Linux 8
Reporter: Anthony Zone <azone>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Amith <apeetham>
Severity: medium
Docs Contact: Khushbu Borole <kborole>
Priority: medium
Version: 8.2
CC: cww, fedoraproject, gfialova, jafiala, jaykim, kborole, lmanasko, lvrabec, mjahoda, mmalik, plautrba, rmetrich, ssekidde, tscherf, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 8.6
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-82.el8
Doc Type: Bug Fix
Doc Text:
`systemd` can now execute files from `/home/_user_/bin`

Previously, `systemd` services could not execute files from the `/home/_user_/bin/` directory because the SELinux policy did not include the policy rules that allow such access. Consequently, the `systemd` services failed and eventually logged the Access Vector Cache (AVC) denial Audit messages. This update adds the missing SELinux rules that allow access, and `systemd` services can now correctly execute commands from `/home/_user_/bin/`.
Last Closed: 2022-05-10 15:14:56 UTC
Type: Bug

Description Anthony Zone 2020-07-24 15:16:33 UTC
Description of problem:

When an executable is in /home/user/bin and a systemd unit file attempts to run it, we fail with AVC denial:

# ausearch -i -m avc,user_avc
----
type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):

RHEL 8

How reproducible:

Every time


Steps to Reproduce:
1. mkdir /home/user/bin
2. Create executable:

    # cat /home/vagrant/bin/test.sh 
    #!/bin/bash

    echo 'test'

3. Create systemd unit file:

    # cat /etc/systemd/system/test.service 
    [Service]
    ExecStart=/home/vagrant/bin/test.sh

4. systemctl daemon-reload; systemctl start test.service

Actual results:

AVC denial:

    type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0

Expected results:

systemd should be able to run an executable in a user's bin home without AVC.

Additional info:

This can be worked around by wrapping the executable in a shell so it's bin_t instead of init_t:

    # cat /etc/systemd/system/test.service 
    [Service]
    ExecStart=/bin/sh -c '/home/vagrant/bin/test.sh'
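
An added detection-side example, not code from this report or from the selinux-policy project: a small Python parser for AVC records in the `ausearch -i` interpreted format shown above, which flags the specific init_t-executes-home_bin_t denial this bug describes. The sample log text is constructed; its first line is the denial from the report, the other two are made-up variants for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample input in `ausearch -i` interpreted format. Line 1 reproduces
# the denial from this report; lines 2 and 3 are constructed variants for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/24/2020 10:41:10.100:770) : avc:  denied  { read } for  pid=5230 comm=(httpd) name=index.html dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/24/2020 10:42:00.000:780) : avc:  denied  { execute } for  pid=5240 comm=(run.sh) name=run.sh dev="dm-0" ino=456 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=1
"""

# "avc:  denied  { execute } for  <key=value ...>"
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value tokens; values may be quoted ("dm-0"), parenthesised ((test.sh)) or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

@dataclass
class Avc:
    result: str          # "denied" or "granted"
    perms: frozenset     # permissions inside the braces, e.g. {"execute"}
    fields: dict         # pid, comm, name, scontext, tcontext, tclass, permissive, ...

    def type_of(self, ctx_key):
        # An SELinux context is user:role:type:level; the type is the third field.
        return self.fields.get(ctx_key, "::?").split(":")[2]

def parse_avc(line):
    """Parse one interpreted AVC line; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"()') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(m.group("result"), frozenset(m.group("perms").split()), fields)

def is_init_exec_of_home_bin(avc):
    """The pattern in this bug: systemd (init_t) denied execute on a home_bin_t file."""
    return (avc.result == "denied" and "execute" in avc.perms
            and avc.fields.get("tclass") == "file"
            and avc.type_of("scontext") == "init_t"
            and avc.type_of("tcontext") == "home_bin_t")

def find_matches(log_text):
    """Return (pid, name, permissive) for each matching denial in the log text."""
    hits = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and is_init_exec_of_home_bin(avc):
            hits.append((int(avc.fields["pid"]), avc.fields["name"], avc.fields["permissive"] == "1"))
    return hits
```

A `permissive=1` hit means the service ran but the policy would have blocked it in enforcing mode, so it is still worth surfacing when auditing hosts that predate the fixed selinux-policy build.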

Comment 19 Zdenek Pytela 2021-10-18 13:49:38 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/918

Comment 20 Zdenek Pytela 2021-10-20 16:29:07 UTC
To backport:
commit 6cd3803e9bf80bce715ab4e84afb00c68b3708c7
Author: Zdenek Pytela <zpytela>
Date:   Mon Oct 18 15:48:07 2021 +0200

    Allow systemd execute user bin files

Comment 32 errata-xmlrpc 2022-05-10 15:14:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995