Bug 1958819

Summary: using pam_limits nonewprivs causes avc: denied { nnp_transition } for comm="(systemd)"
Product: [Fedora] Fedora Reporter: Allison Karlitskaya <allison.karlitskaya>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 34CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-34.7-1.fc34 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2039453 (view as bug list) Environment:
Last Closed: 2021-05-16 02:02:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2039453    
Attachments:
Description Flags
journalctl -f none

Description Allison Karlitskaya 2021-05-10 08:32:46 UTC 
Description of problem:

I've been trying to harden my developer workstation a little on the basis of the fact that a good part of my day involves typing (more or less):

 $ git pull
 $ make

I've come some ways there already, including creating a separate admin account (and removing my day-to-day development account from wheel).  I develop in toolbox containers, using Silverblue as the host OS, without layering, and with very few modifications to the config.  I don't often find myself needing to run things as root.

One change I've attempted to make to the configuration of the system is to try the new `nonewprivs` feature of pam_limits on my development user.  Since I don't plan to run anything as sudo or pkexec or so, this seems to make sense to me.  I've run into two major problems there, though.

The first is a selinux fail.  When I login as my locked-down devel user, even from the virtual terminal, I see this:

May 10 09:49:10 fedora systemd[17492]: pam_unix(systemd-user:session): session opened for user lis(uid=1001) by (uid=0)
May 10 09:49:10 fedora audit[17492]: USER_START pid=17492 uid=0 auid=1001 ses=17 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="li>
May 10 09:49:10 fedora audit[17492]: AVC avc:  denied  { nnp_transition } for  pid=17492 comm="(systemd)" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process2 permissive=0
May 10 09:49:10 fedora audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
May 10 09:49:10 fedora systemd[17492]: user: Failed to execute /usr/lib/systemd/systemd: Operation not permitted
May 10 09:49:10 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1001 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
May 10 09:49:10 fedora systemd[17492]: user: Failed at step EXEC spawning /usr/lib/systemd/systemd: Operation not permitted
May 10 09:49:10 fedora systemd[1]: user: Main process exited, code=exited, status=203/EXEC
May 10 09:49:10 fedora systemd[1]: user: Failed with result 'exit-code'.
May 10 09:49:10 fedora systemd[1]: Failed to start User Manager for UID 1001.



The relevant line in /etc/security/limits.conf is:


  lis              -       nonewprivs      1


Disabling selinux prevents the problem and gets me to a fully-functional GNOME desktop.


Version-Release number of selected component (if applicable):

Fedora 34 Silverblue

libselinux-3.2-1.fc34.x86_64
selinux-policy-34.6-1.fc34.noarch

How reproducible:

100%

Steps to Reproduce:
1. Set nonewprivs for a user in /etc/security/limits.conf (as above)
2. Make sure selinux is enforcing
3. Try to login.  Even from the virtual terminal this fails.
4. Disable selinux and notice that everything is working as expected.


Thanks!
Comment 1 Zdenek Pytela 2021-05-10 13:28:49 UTC 
Hi,

While there is the transition for user domains allowed, nnp_transition is not:

# sesearch -A -s init_t -t unconfined_t -c process -p transition
allow init_t login_userdomain:process transition;
# sesearch -A -s init_t -t unconfined_t -c process2 -p nnp_transition
<>

Needs to be added; just note in my case the user session failed, but user was able to log in using ssh.
$ getenforce
Enforcing
$ systemctl status user@1000 --full
x user - User Manager for UID 1000
     Loaded: loaded (/usr/lib/systemd/system/user@.service; static)
    Drop-In: /usr/lib/systemd/system/user@.service.d
             `-00-uresourced.conf, 10-oomd-user-service-defaults.conf
             /etc/systemd/system.control/user.d
             `-50-CPUWeight.conf, 50-IOWeight.conf, 50-MemoryLow.conf, 50-MemoryMin.conf
     Active: failed (thawing) (Result: exit-code) since Mon 2021-05-10 15:24:12 CEST; 27s ago
       Docs: man:user@.service(5)
    Process: 55004 ExecStart=/usr/lib/systemd/systemd --user (code=exited, status=219/CGROUP)
   Main PID: 55004 (code=exited, status=219/CGROUP)
      Tasks: 0
     Memory: 0B
        CPU: 0
     CGroup: /user.slice/user-1000.slice/user

May 10 15:24:12 fedora systemd[1]: Starting User Manager for UID 1000...
May 10 15:24:12 fedora systemd[1]: user: Main process exited, code=exited, status=219>
May 10 15:24:12 fedora systemd[1]: user: Failed with result 'exit-code'.
May 10 15:24:12 fedora systemd[1]: Failed to start User Manager for UID 1000.

It is different in GUI where such a problem prevents from logging in.
Comment 2 Zdenek Pytela 2021-05-10 14:33:19 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/731
Comment 3 Milos Malik 2021-05-12 07:55:24 UTC 
SELinux denials collected in enforcing mode:
----
type=PROCTITLE msg=audit(05/12/2021 03:51:43.468:313) : proctitle=(systemd) 
type=PATH msg=audit(05/12/2021 03:51:43.468:313) : item=0 name=/usr/lib/systemd/systemd inode=147983 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 03:51:43.468:313) : cwd=/ 
type=SYSCALL msg=audit(05/12/2021 03:51:43.468:313) : arch=x86_64 syscall=execve success=no exit=EPERM(Operation not permitted) a0=0x55a0da73bba0 a1=0x55a0da6751e0 a2=0x55a0da818cd0 a3=0x7f98129bae4b items=1 ppid=1 pid=1770 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=4 comm=(systemd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(05/12/2021 03:51:43.468:313) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
type=AVC msg=audit(05/12/2021 03:51:43.468:313) : avc:  denied  { nnp_transition } for  pid=1770 comm=(systemd) scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(05/12/2021 03:53:29.096:360) : proctitle=(systemd) 
type=PATH msg=audit(05/12/2021 03:53:29.096:360) : item=0 name=/usr/lib/systemd/systemd inode=147983 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 03:53:29.096:360) : cwd=/ 
type=SYSCALL msg=audit(05/12/2021 03:53:29.096:360) : arch=x86_64 syscall=execve success=no exit=EPERM(Operation not permitted) a0=0x55a0da64c780 a1=0x55a0da649170 a2=0x55a0da763810 a3=0x7f98129bae4b items=1 ppid=1 pid=1821 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=6 comm=(systemd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(05/12/2021 03:53:29.096:360) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
type=AVC msg=audit(05/12/2021 03:53:29.096:360) : avc:  denied  { nnp_transition } for  pid=1821 comm=(systemd) scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process2 permissive=0 
----

The problem happens to confined and unconfined users.
Comment 4 Milos Malik 2021-05-12 08:00:25 UTC 
SELinux denials collected in permissive mode:
----
type=PROCTITLE msg=audit(05/12/2021 03:56:53.776:401) : proctitle=(systemd) 
type=PATH msg=audit(05/12/2021 03:56:53.776:401) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=137485 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/12/2021 03:56:53.776:401) : item=0 name=/usr/lib/systemd/systemd inode=147983 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 03:56:53.776:401) : cwd=/ 
type=EXECVE msg=audit(05/12/2021 03:56:53.776:401) : argc=2 a0=/usr/lib/systemd/systemd a1=--user 
type=SYSCALL msg=audit(05/12/2021 03:56:53.776:401) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55a0da86f400 a1=0x55a0da6751e0 a2=0x55a0da763810 a3=0x7f98129bae4b items=2 ppid=1 pid=1862 auid=test-user uid=test-user gid=test-user euid=test-user suid=test-user fsuid=test-user egid=test-user sgid=test-user fsgid=test-user tty=(none) ses=8 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/12/2021 03:56:53.776:401) : avc:  denied  { nnp_transition } for  pid=1862 comm=(systemd) scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process2 permissive=1 
----
type=PROCTITLE msg=audit(05/12/2021 03:57:11.736:435) : proctitle=(systemd) 
type=PATH msg=audit(05/12/2021 03:57:11.736:435) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=137485 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/12/2021 03:57:11.736:435) : item=0 name=/usr/lib/systemd/systemd inode=147983 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/12/2021 03:57:11.736:435) : cwd=/ 
type=EXECVE msg=audit(05/12/2021 03:57:11.736:435) : argc=2 a0=/usr/lib/systemd/systemd a1=--user 
type=SYSCALL msg=audit(05/12/2021 03:57:11.736:435) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55a0da743e10 a1=0x55a0da790750 a2=0x55a0da7f23b0 a3=0x7f98129bae4b items=2 ppid=1 pid=1897 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=10 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/12/2021 03:57:11.736:435) : avc:  denied  { nnp_transition } for  pid=1897 comm=(systemd) scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process2 permissive=1 
----

Tested using a SSH login. Login was successful in both enforcing and permissive mode.

# rpm -qa selinux\*
selinux-policy-3.14.8-7.fc35.noarch
selinux-policy-targeted-3.14.8-7.fc35.noarch
#
Comment 5 Zdenek Pytela 2021-05-12 08:52:47 UTC 
Merged in F34 and rawhide.
Comment 6 Milos Malik 2021-05-12 15:32:38 UTC 
Test coverage for this bug exists in a form of PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/217

The PR waits for review.
Comment 7 Fedora Update System 2021-05-13 19:51:53 UTC 
FEDORA-2021-ec18a84d86 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ec18a84d86
Comment 8 Fedora Update System 2021-05-14 15:32:29 UTC 
FEDORA-2021-ec18a84d86 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ec18a84d86`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ec18a84d86

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2021-05-16 02:02:24 UTC 
FEDORA-2021-ec18a84d86 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 10 Allison Karlitskaya 2021-05-17 17:28:41 UTC 
Not fixed :(

selinux-policy-34.7-1.fc34.noarch
selinux-policy-targeted-34.7-1.fc34.noarch

Here's a log with 'setenforce 0'

May 17 19:25:12 fedora.fritz.box audit[30212]: USER_AUTH pid=30212 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct="allison" exe="/usr/bin/login" hostname=fedora.fritz.box addr=? terminal=/dev/tty3 res=success'
May 17 19:25:12 fedora.fritz.box audit[30212]: USER_ACCT pid=30212 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="allison" exe="/usr/bin/login" hostname=fedora.fritz.box addr=? terminal=/dev/tty3 res=success'
May 17 19:25:12 fedora.fritz.box audit[30212]: AVC avc:  denied  { search } for  pid=30212 comm="login" name="allison" dev="nvme0n1p3" ino=893879 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
May 17 19:25:12 fedora.fritz.box audit[30212]: CRED_ACQ pid=30212 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="allison" exe="/usr/bin/login" hostname=fedora.fritz.box addr=? terminal=/dev/tty3 res=success'
May 17 19:25:12 fedora.fritz.box audit[30212]: USER_ROLE_CHANGE pid=30212 uid=0 auid=1000 ses=26 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/bin/login" hostname=fedora.fritz.box addr=? terminal=/dev/tty3 res=success'
May 17 19:25:12 fedora.fritz.box systemd[1]: Created slice User Slice of UID 1000.
May 17 19:25:12 fedora.fritz.box systemd[1]: Starting User Runtime Directory /run/user/1000...
May 17 19:25:12 fedora.fritz.box systemd-logind[851]: New session 26 of user allison.
May 17 19:25:12 fedora.fritz.box systemd[1]: Finished User Runtime Directory /run/user/1000.
May 17 19:25:12 fedora.fritz.box audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user-runtime-dir@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 17 19:25:12 fedora.fritz.box systemd[1]: Starting User Manager for UID 1000...
May 17 19:25:12 fedora.fritz.box audit[30244]: USER_ACCT pid=30244 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="allison" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 17 19:25:12 fedora.fritz.box audit[30244]: CRED_ACQ pid=30244 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct="allison" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
May 17 19:25:12 fedora.fritz.box audit[30244]: USER_ROLE_CHANGE pid=30244 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 17 19:25:12 fedora.fritz.box systemd[30244]: pam_unix(systemd-user:session): session opened for user allison(uid=1000) by (uid=0)
May 17 19:25:12 fedora.fritz.box audit[30244]: USER_START pid=30244 uid=0 auid=1000 ses=27 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="allison" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 17 19:25:12 fedora.fritz.box audit: BPF prog-id=96 op=LOAD
May 17 19:25:12 fedora.fritz.box audit: BPF prog-id=96 op=UNLOAD
May 17 19:25:12 fedora.fritz.box uresourced[886]: Setting resources on user.slice (MemoryMin: 262144000, MemoryLow: 0, CPUWeight: -, IOWeight: -)
May 17 19:25:12 fedora.fritz.box uresourced[886]: Setting resources on user-1000.slice (MemoryMin: 262144000, MemoryLow: 0, CPUWeight: 500, IOWeight: 500)
May 17 19:25:12 fedora.fritz.box uresourced[886]: Setting resources on user (MemoryMin: 0, MemoryLow: 0, CPUWeight: 100, IOWeight: 100)
May 17 19:25:12 fedora.fritz.box systemd[30244]: Queued start job for default target Main User Target.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Created slice User Application Slice.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Started Mark boot as successful after the user session has run 2 minutes.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Started Daily Cleanup of User's Temporary Directories.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Reached target Paths.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Reached target Timers.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Starting D-Bus User Message Bus Socket.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Listening on PipeWire PulseAudio.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Listening on Multimedia System.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Starting Create User's Volatile Files and Directories...
May 17 19:25:12 fedora.fritz.box systemd[30244]: Listening on D-Bus User Message Bus Socket.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Reached target Sockets.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Finished Create User's Volatile Files and Directories.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Reached target Basic System.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Reached target Main User Target.
May 17 19:25:12 fedora.fritz.box systemd[30244]: Startup finished in 90ms.
May 17 19:25:12 fedora.fritz.box systemd[1]: Started User Manager for UID 1000.
May 17 19:25:12 fedora.fritz.box audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 17 19:25:12 fedora.fritz.box systemd[1]: Started Session 26 of user allison.
May 17 19:25:12 fedora.fritz.box login[30212]: pam_unix(login:session): session opened for user allison(uid=1000) by LOGIN(uid=0)
May 17 19:25:12 fedora.fritz.box audit[30212]: USER_START pid=30212 uid=0 auid=1000 ses=26 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="allison" exe="/usr/bin/login" hostname=fedora.fritz.box addr=? terminal=/dev/tty3 res=success'
May 17 19:25:12 fedora.fritz.box audit[30212]: CRED_REFR pid=30212 uid=0 auid=1000 ses=26 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="allison" exe="/usr/bin/login" hostname=fedora.fritz.box addr=? terminal=/dev/tty3 res=success'
May 17 19:25:12 fedora.fritz.box audit[30212]: USER_LOGIN pid=30212 uid=0 auid=1000 ses=26 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/bin/login" hostname=fedora.fritz.box addr=? terminal=tty3 res=success'
May 17 19:25:12 fedora.fritz.box login[30212]: LOGIN ON tty3 BY allison
May 17 19:25:12 fedora.fritz.box audit[30257]: AVC avc:  denied  { nnp_transition } for  pid=30257 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process2 permissive=1
Comment 11 Zdenek Pytela 2021-05-17 18:36:54 UTC 
Will be addressed in the next build:
https://github.com/fedora-selinux/selinux-policy/pull/745
Comment 12 Allison Karlitskaya 2021-05-28 07:18:09 UTC 
hi,

Still not there yet, unfortunately.  Logins with GNOME are completely failing.

Logins at the console get this:

fedora login: allison
Password:

Last login: Fri May 28 09:10:45 on tty2
 -- allison: /var/home/allison: change directory failed: Permission denied
Logging in with home = "/".
[allison@fedora /]$

See attached for the complete journal fragment, but it boils down to:

fedora login: allison
Password:

May 28 09:11:56 fedora.fritz.box audit[1769]: AVC avc:  denied  { search } for  pid=1769 comm="login" name="allison" dev="nvme0n1p3" ino=893879 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
May 28 09:11:56 fedora.fritz.box audit[1832]: AVC avc:  denied  { search } for  pid=1832 comm="login" name="allison" dev="nvme0n1p3" ino=893879 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Thanks!
Comment 13 Allison Karlitskaya 2021-05-28 07:18:38 UTC 
Created attachment 1787778 [details]
journalctl -f
Comment 14 Allison Karlitskaya 2021-05-28 07:21:44 UTC 
I notice that the three users on my system have three different labels on their homedirs:

unconfined_u:object_r:user_home_dir_t:s0 /home/admin/
        system_u:object_r:unlabeled_t:s0 /home/allison/
    system_u:object_r:user_home_dir_t:s0 /home/lis/

I have no idea how that happened, but it all works fine without the nonewprivs stuff.
Comment 15 Allison Karlitskaya 2021-05-28 07:26:21 UTC 
After a restorecon I can login at the console without trouble.  Cool!

But a normal GNOME login is still very much broken.  These ones looks a bit more familiar, though:

May 28 09:24:05 fedora.fritz.box systemd[1]: Started Session 20 of user allison.
May 28 09:24:05 fedora.fritz.box gdm-password][4473]: pam_unix(gdm-password:session): session opened for user allison(uid=1000) by (uid=0)
May 28 09:24:05 fedora.fritz.box audit[4501]: AVC avc:  denied  { nnp_transition } for  pid=4501 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process2 permissive=0
May 28 09:24:05 fedora.fritz.box audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
May 28 09:24:05 fedora.fritz.box gdm-password][4501]: gkr-pam: couldn't run gnome-keyring-daemon: Operation not permitted
May 28 09:24:05 fedora.fritz.box gdm-password][4473]: gkr-pam: gnome-keyring-daemon didn't start properly
May 28 09:24:05 fedora.fritz.box audit[4473]: USER_START pid=4473 uid=0 auid=1000 ses=20 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring,pam_umask acct="allison" exe="/usr/libexec/gdm-session-worker" hostname=fedora.fritz.box addr=? terminal=/dev/tty7 res=success'
May 28 09:24:05 fedora.fritz.box audit[4505]: AVC avc:  denied  { nnp_transition } for  pid=4505 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process2 permissive=0
May 28 09:24:05 fedora.fritz.box audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
May 28 09:24:05 fedora.fritz.box gdm-password][4473]: Gdm: Unable to run script: Failed to execute child process “/etc/gdm/PreSession/Default” (Operation not permitted)
May 28 09:24:05 fedora.fritz.box audit[4506]: AVC avc:  denied  { nnp_transition } for  pid=4506 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process2 permissive=0
May 28 09:24:05 fedora.fritz.box audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 newcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Comment 16 Allison Karlitskaya 2021-06-04 15:14:51 UTC 
ping?
Comment 17 Zdenek Pytela 2021-11-02 18:50:28 UTC 
I've submitted a Fedora PR to address the latest reported issue:
https://github.com/fedora-selinux/selinux-policy/pull/931

For new problems, please open a new bugzilla, or use needinfo for getting a proper attention.