Bug 1878094

Summary: SELinux prevents systemd from creating objects in /run/user/1001/systemd/inaccessible
Product: [Fedora] Fedora
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: 34
CC: dwalsh, fedoraproject, filbranden, flepied, grepl.miroslav, lnykryn, lvrabec, mmalik, msekleta, omosnace, plautrba, ssahani, s, systemd-maint, vmojzis, yuwatana, zbyszek, zpytela, z
Keywords: Triaged
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-34.23-1.fc34
Doc Type: If docs needed, set a value
Last Closed: 2022-01-11 01:54:08 UTC
Type: Bug
Bug Depends On: 1812955

Description Milos Malik 2020-09-11 10:10:24 UTC
Description of problem:
 * confined users can log in successfully
 * SELinux denials appear, but I don't see any negative effect

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-25.fc33.noarch
selinux-policy-devel-3.14.6-25.fc33.noarch
selinux-policy-targeted-3.14.6-25.fc33.noarch
systemd-246.4-1.fc33.x86_64
systemd-bootchart-233-7.fc33.x86_64
systemd-container-246.4-1.fc33.x86_64
systemd-journal-remote-246.4-1.fc33.x86_64
systemd-libs-246.4-1.fc33.x86_64
systemd-pam-246.4-1.fc33.x86_64
systemd-rpm-macros-246.4-1.fc33.noarch
systemd-udev-246.4-1.fc33.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. create some confined users (at least user_u, staff_u)
3. log in as the confined user via console or ssh
4. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/11/2020 12:04:17.031:697) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 12:04:17.031:697) : item=1 name=/run/user/1002/systemd/inaccessible nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 12:04:17.031:697) : item=0 name=/run/user/1002/systemd/ inode=130566 dev=00:2d mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=user_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 12:04:17.031:697) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 12:04:17.031:697) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x5612d623b470 a1=0755 a2=0x3 a3=0x0 items=2 ppid=1 pid=1520 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 12:04:17.031:697) : avc:  denied  { create } for  pid=1520 comm=systemd name=inaccessible scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----

Expected results:
 * either allow the access or dontaudit the SELinux denials

Additional info: seen in the journal
Sep 11 12:04:17 localhost.localdomain systemd[1520]: Failed to allocate manager object: Permission denied

Comment 1 Milos Malik 2020-09-11 10:20:07 UTC
When logged in as staff_u:
----
type=PROCTITLE msg=audit(09/11/2020 12:10:39.886:785) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 12:10:39.886:785) : item=1 name=/run/user/1001/systemd/inaccessible/chr nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 12:10:39.886:785) : item=0 name=/run/user/1001/systemd/inaccessible/ inode=139748 dev=00:2d mode=dir,755 ouid=staff-user ogid=staff-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 12:10:39.886:785) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 12:10:39.886:785) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x55800059f470 a1=character,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=1648 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=8 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/11/2020 12:10:39.886:785) : avc:  denied  { create } for  pid=1648 comm=systemd name=chr scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=0 
----

Comment 2 Zdenek Pytela 2020-09-11 11:39:59 UTC
Confirming for unconfined_u and sysadm_u it should work:

policy/modules/system/systemd.te:userdom_manage_user_tmp_chr_files(systemd_logind_t)
policy/modules/roles/sysadm.te:userdom_manage_user_tmp_chr_files(sysadm_t)

Comment 3 Milos Malik 2020-09-11 13:20:40 UTC
Unfortunately, audit2allow says:

#============= user_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#	Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:dir create;

Comment 4 Milos Malik 2020-09-11 13:55:26 UTC
Following SELinux denials appear when user_u and staff_u log into the machine in permissive mode:
----
type=PROCTITLE msg=audit(09/11/2020 15:50:22.999:1865) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:22.999:1865) : item=1 name=/run/user/1001/systemd/inaccessible/chr inode=372206 dev=00:2b mode=character,000 ouid=staff-user ogid=staff-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:22.999:1865) : item=0 name=/run/user/1001/systemd/inaccessible/ inode=372201 dev=00:2b mode=dir,755 ouid=staff-user ogid=staff-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:22.999:1865) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:22.999:1865) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x56279d2ae470 a1=character,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2863 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=28 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:22.999:1865) : avc:  denied  { create } for  pid=2863 comm=systemd name=chr scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:55.258:1888) : proctitle=(systemd) 
type=OBJ_PID msg=audit(09/11/2020 15:50:55.258:1888) : opid=2937 oauid=staff-user ouid=staff-user oses=28 obj=staff_u:staff_r:mount_t:s0-s0:c0.c1023 ocomm=fusermount3 
type=SYSCALL msg=audit(09/11/2020 15:50:55.258:1888) : arch=x86_64 syscall=kill success=yes exit=0 a0=0xb79 a1=SIGTERM a2=0x3 a3=0xd83128119570932f items=0 ppid=1 pid=2863 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=28 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:55.258:1888) : avc:  denied  { signal } for  pid=2863 comm=systemd scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:mount_t:s0-s0:c0.c1023 tclass=process permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.342:1902) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.342:1902) : item=1 name=/run/user/1002/systemd/inaccessible inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.342:1902) : item=0 name=/run/user/1002/systemd/ inode=374611 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=user_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.342:1902) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.342:1902) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x5629f104a470 a1=0755 a2=0x3 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.342:1902) : avc:  denied  { create } for  pid=2943 comm=systemd name=inaccessible scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.345:1903) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.345:1903) : item=1 name=/run/user/1002/systemd/inaccessible/reg inode=374614 dev=00:2b mode=file,000 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.345:1903) : item=0 name=/run/user/1002/systemd/inaccessible/ inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.345:1903) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.345:1903) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x5629f104a470 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.345:1903) : avc:  denied  { create } for  pid=2943 comm=systemd name=reg scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.346:1904) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.346:1904) : item=1 name=/run/user/1002/systemd/inaccessible/fifo inode=374616 dev=00:2b mode=fifo,000 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.346:1904) : item=0 name=/run/user/1002/systemd/inaccessible/ inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.346:1904) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.346:1904) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x5629f10af2b0 a1=fifo,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.346:1904) : avc:  denied  { create } for  pid=2943 comm=systemd name=fifo scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.347:1905) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.347:1905) : item=1 name=/run/user/1002/systemd/inaccessible/sock inode=374617 dev=00:2b mode=socket,000 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.347:1905) : item=0 name=/run/user/1002/systemd/inaccessible/ inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.347:1905) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.347:1905) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x5629f10af2b0 a1=socket,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.347:1905) : avc:  denied  { create } for  pid=2943 comm=systemd name=sock scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.348:1906) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.348:1906) : item=1 name=/run/user/1002/systemd/inaccessible/chr inode=374618 dev=00:2b mode=character,000 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.348:1906) : item=0 name=/run/user/1002/systemd/inaccessible/ inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.348:1906) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.348:1906) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x5629f104a470 a1=character,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.348:1906) : avc:  denied  { create } for  pid=2943 comm=systemd name=chr scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1 
----

Comment 5 Zdenek Pytela 2020-09-23 12:44:55 UTC
Switching the component based on discussion with Michal. Of particular note, the problem is in the user part of the context, not the type: user_u vs system_u.

The problem currently seems to be in the user-runtime-dir@ service.

As a workaround (e.g. for testing), a static chcon command can be added for a particular user as an additional ExecStart line.

This command can be used to check the mapping between linux users and SELinux users:

  # semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
staffuser            staff_u              s0-s0:c0.c1023       *
useruser             user_u               s0                   *

Comment 7 Zbigniew Jędrzejewski-Szmek 2020-11-11 14:03:00 UTC
Creation of the "inaccessible" nodes was moved from user-runtime-dir@.service to pid1.
That patch is also present in v246.4. So I don't think that user-runtime-dir@.service
is relevant. The avcs all mention proctitle=(systemd).

> Particular note the problem is in the user part of the context, not type: user_u vs system_u.

I think those labels match the configuration. On my machine:
$ ls -lZ /run/user/1000/systemd/inaccessible/
c---------. 1 test test system_u:object_r:user_tmp_t:s0 0, 0 Nov  9 19:06 chr
d---------. 2 test test system_u:object_r:user_tmp_t:s0   40 Nov  9 19:06 dir
p---------. 1 test test system_u:object_r:user_tmp_t:s0    0 Nov  9 19:06 fifo
----------. 1 test test system_u:object_r:user_tmp_t:s0    0 Nov  9 19:06 reg
s---------. 1 test test system_u:object_r:user_tmp_t:s0    0 Nov  9 19:06 sock

Maybe the policy needs to be adjusted to assign different labels there.

Comment 8 Milos Malik 2020-11-27 09:46:40 UTC
This issue appears in many automated tests. Especially in those where confined users log into localhost via ssh.

Comment 9 Milos Malik 2021-02-08 15:33:55 UTC
Our automated TCs, which typically involve 3 confined users (user_u, staff_u, sysadm_u), used to trigger multiple SELinux denials for user_u and staff_u. Now, they trigger only 1 SELinux denial:
----
type=PROCTITLE msg=audit(02/08/2021 09:44:28.292:683) : proctitle=(systemd) 
type=PATH msg=audit(02/08/2021 09:44:28.292:683) : item=1 name=/run/user/1000/systemd/inaccessible/chr nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/08/2021 09:44:28.292:683) : item=0 name=/run/user/1000/systemd/inaccessible/ inode=3 dev=00:2c mode=dir,755 ouid=user20469 ogid=user20469 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/08/2021 09:44:28.292:683) : cwd=/ 
type=SYSCALL msg=audit(02/08/2021 09:44:28.292:683) : arch=x86_64 syscall=mknodat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x563afbd8a680 a2=0000 a3=0x0 items=2 ppid=1 pid=138043 auid=user20469 uid=user20469 gid=user20469 euid=user20469 suid=user20469 fsuid=user20469 egid=user20469 sgid=user20469 fsgid=user20469 tty=(none) ses=7 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/08/2021 09:44:28.292:683) : avc:  denied  { create } for  pid=138043 comm=systemd name=chr scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=0
----

After applying this workaround, the automated TCs (with confined users) pass:

# cat mypolicy.cil 
( allow staff_t user_tmp_t ( chr_file ( create )))
# semodule -i mypolicy.cil

Comment 10 Milos Malik 2021-03-04 14:48:45 UTC
I see the same picture on Fedora 34 and RHEL-9.0:

After logging in as user_u user:
========
$ id
uid=1001(user-user) gid=1001(user-user) groups=1001(user-user) context=user_u:user_r:user_t:s0
$ ls -aZ /run/user/1001
system_u:object_r:user_tmp_t:s0 .  system_u:object_r:user_tmp_t:s0 ..
$ ls -aZ /run/user/1001/systemd
ls: cannot access '/run/user/1001/systemd': No such file or directory
$ ls -aZ /run/user/1001/systemd/inaccessible
ls: cannot access '/run/user/1001/systemd/inaccessible': No such file or directory
$ 

After logging in as staff_u user:
========
$ id
uid=1000(staff-user) gid=1000(staff-user) groups=1000(staff-user) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ ls -Z /run/user/1000/systemd/inaccessible
system_u:object_r:user_tmp_t:s0 chr   system_u:object_r:user_tmp_t:s0 reg
system_u:object_r:user_tmp_t:s0 dir   system_u:object_r:user_tmp_t:s0 sock
system_u:object_r:user_tmp_t:s0 fifo
$ 

The following policy module fixes the SELinux denials generated by the staff_u processes:

# cat mypolicy.cil 
( allow staff_t user_tmp_t ( chr_file ( create getattr )))
( allow user_t user_tmp_t ( dir ( create )))
#

but it does NOT fix the SELinux denials generated by user_u processes, because:

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#	Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:dir create;

and here are details of the problematic AVC:
----
type=PROCTITLE msg=audit(03/04/2021 08:45:20.296:1994) : proctitle=(systemd) 
type=PATH msg=audit(03/04/2021 08:45:20.296:1994) : item=1 name=/run/user/1001/systemd nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/04/2021 08:45:20.296:1994) : item=0 name=/run/user/1001/ inode=1 dev=00:2b mode=dir,700 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/04/2021 08:45:20.296:1994) : cwd=/ 
type=SYSCALL msg=audit(03/04/2021 08:45:20.296:1994) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7ffddba512b0 a1=0755 a2=0x0 a3=0x0 items=2 ppid=1 pid=34939 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=56 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(03/04/2021 08:45:20.296:1994) : avc:  denied  { create } for  pid=34939 comm=systemd name=systemd scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----

# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.7-22.fc34.noarch
selinux-policy-targeted-3.14.7-22.fc34.noarch
systemd-247.3-3.fc34.x86_64
systemd-libs-247.3-3.fc34.x86_64
systemd-networkd-247.3-3.fc34.x86_64
systemd-oomd-defaults-247.3-3.fc34.x86_64
systemd-pam-247.3-3.fc34.x86_64
systemd-rpm-macros-247.3-3.fc34.noarch
systemd-udev-247.3-3.fc34.x86_64
#
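
An added triage helper for the distinction drawn in comments 3 and 10 above (example code written for this page; it is not part of the bug, of systemd, or of selinux-policy). It parses AVC records in the `ausearch -i` format quoted in this bug, splits the contexts into user/role/type/range, and decides for each denial whether a type-enforcement allow rule can fix it or whether the `u1 == u2` constraint quoted by audit2allow blocks it regardless of allow rules. Only that single quoted `constrain dir { create relabelfrom relabelto }` rule is modelled (assumption: the installed policy may constrain further classes the same way), and the `can_change_object_identity` attribute is represented by an `exempt_types` parameter that the caller fills in (assumed empty by default). The sample input is constructed from three AVC lines already shown in this bug.

```python
"""Triage SELinux AVC denials: type-enforcement gap vs. user-identity constraint.

Added example for this bug; not code from the bug or from selinux-policy.
"""
import re

# Constructed sample input: three AVC records copied from the ausearch -i output
# quoted in this bug (the user_u dir denial, the staff_u chr_file denial and the
# permissive-mode signal denial).
SAMPLE_AUDIT = """\
type=AVC msg=audit(09/11/2020 12:04:17.031:697) : avc:  denied  { create } for  pid=1520 comm=systemd name=inaccessible scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(09/11/2020 12:10:39.886:785) : avc:  denied  { create } for  pid=1648 comm=systemd name=chr scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(09/11/2020 15:50:55.258:1888) : avc:  denied  { signal } for  pid=2863 comm=systemd scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:mount_t:s0-s0:c0.c1023 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[^)]*):(?P<serial>\d+)\) : avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# The constraint audit2allow quoted in comments 3 and 10 of this bug:
#   constrain dir { create relabelfrom relabelto }
#       ((u1 == u2) or (t1 == can_change_object_identity));
# Only that one rule is modelled (assumption: the installed policy may
# constrain further classes the same way).
CONSTRAINED_CLASSES = frozenset({"dir"})
CONSTRAINED_PERMS = frozenset({"create", "relabelfrom", "relabelto"})


def parse_context(ctx):
    """Split 'user:role:type[:mls_range]' into parts; the range may itself
    contain ':' (e.g. s0-s0:c0.c1023), hence maxsplit=3."""
    user, role, typ, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": rest[0] if rest else ""}


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def violates_user_constraint(avc, exempt_types=frozenset()):
    """True when a plain allow rule cannot grant the access: the SELinux user
    of the source (u1) differs from that of the target (u2) and the source type
    is not exempt. exempt_types stands in for the can_change_object_identity
    attribute (assumption: empty unless the caller passes the policy's list)."""
    if avc["tclass"] not in CONSTRAINED_CLASSES:
        return False
    if not CONSTRAINED_PERMS & set(avc["perms"]):
        return False
    if avc["scontext"]["user"] == avc["tcontext"]["user"]:
        return False
    return avc["scontext"]["type"] not in exempt_types


def cil_allow(avc):
    """Render the CIL allow statement audit2allow would propose, in the shape
    of the mypolicy.cil workaround from comments 9 and 10."""
    return "( allow %s %s ( %s ( %s )))" % (
        avc["scontext"]["type"], avc["tcontext"]["type"],
        avc["tclass"], " ".join(avc["perms"]))


def triage(audit_text, exempt_types=frozenset()):
    """Classify every AVC in audit_text as 'allow' (a type-enforcement rule
    can fix it) or 'constraint' (user identity mismatch; a rule alone will not)."""
    results = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        if violates_user_constraint(avc, exempt_types):
            verdict = "constraint"
            hint = ("source user %s != target user %s: the object's label (or "
                    "the SELinux user that owns it) must change; an allow rule "
                    "alone will not help"
                    % (avc["scontext"]["user"], avc["tcontext"]["user"]))
        else:
            verdict = "allow"
            hint = cil_allow(avc)
        results.append({"serial": avc["serial"], "comm": avc["comm"],
                        "tclass": avc["tclass"], "permissive": avc["permissive"],
                        "verdict": verdict, "hint": hint})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        note = " (permissive=1: access was actually granted)" if r["permissive"] else ""
        print("serial=%d comm=%s tclass=%s -> %s: %s%s"
              % (r["serial"], r["comm"], r["tclass"], r["verdict"], r["hint"], note))
```

Run against the three sample records, the user_u `dir create` denial is reported as a constraint violation while the two staff_u denials get the CIL lines an allow-based workaround would use; passing `exempt_types={"user_t"}` shows how membership in the exemption attribute would flip the first verdict, which is the "modify the attributes of the source type" alternative audit2allow mentions.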

Comment 12 Petr Lautrbach 2021-06-07 18:21:01 UTC
It turned out to be a selinux policy bug, see https://github.com/systemd/systemd/pull/19825

There's also a comment which suggests that refpolicy uses the user_runtime_t type instead of user_tmp_t for /run/user

Comment 13 Petr Lautrbach 2021-06-09 06:05:01 UTC
*** Bug 1931131 has been marked as a duplicate of this bug. ***

Comment 14 Zdenek Pytela 2021-12-23 18:09:37 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/973

Comment 15 Fedora Update System 2022-01-07 08:25:32 UTC
FEDORA-2022-8e1e2c866c has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8e1e2c866c

Comment 16 Fedora Update System 2022-01-08 01:09:15 UTC
FEDORA-2022-8e1e2c866c has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-8e1e2c866c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8e1e2c866c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Fedora Update System 2022-01-11 01:54:08 UTC
FEDORA-2022-8e1e2c866c has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.