Bug 1959068

Summary: SELinux is preventing sssd from 'watch' accesses on the directory /run/systemd.
Product: [Fedora] Fedora Reporter: Dominik 'Rathann' Mierzejewski <dominik>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 34CC: amessina, dwalsh, grepl.miroslav, ivanov17, lvrabec, mmalik, nouveau, omosnace, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: aarch64   
OS: Unspecified   
Whiteboard: abrt_hash:60d123f9c6174d86c898382c02efa2d3ecd673add5a62ecfb56d820ff534a15e;VARIANT_ID=matecompiz;
Fixed In Version: selinux-policy-34.12-1.fc34 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-30 03:15:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dominik 'Rathann' Mierzejewski 2021-05-10 16:40:08 UTC 
Description of problem:
This occurred on fresh F34 installation after dnf update && reboot.
SELinux is preventing sssd from 'watch' accesses on the directory /run/systemd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd should be allowed watch access on the systemd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sssd' --raw | audit2allow -M my-sssd
# semodule -X 300 -i my-sssd.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                /run/systemd [ dir ]
Source                        sssd
Source Path                   sssd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.6-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.6-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.18-300.fc34.aarch64 #1 SMP
                              Mon May 3 14:50:38 UTC 2021 aarch64 aarch64
Alert Count                   69
First Seen                    2021-05-10 14:33:33 CEST
Last Seen                     2021-05-10 14:44:53 CEST
Local ID                      b471c2a5-2f02-4ca4-b890-dd04c6fd7760

Raw Audit Messages
type=AVC msg=audit(1620650693.889:735): avc:  denied  { watch } for  pid=1402 comm="sssd" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0


Hash: sssd,sssd_t,init_var_run_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-34.6-1.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.18-300.fc34.aarch64
type:           libreport
Comment 1 Roy 2021-06-18 13:32:07 UTC 
Can confirm on 5.12.10-300.fc34.x86_64 . For what it's worth, this is thus not limited to aarch64
Comment 2 Zdenek Pytela 2021-06-18 16:39:08 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/785
Comment 3 Fedora Update System 2021-06-24 15:28:06 UTC 
FEDORA-2021-3df7370a94 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94
Comment 4 Fedora Update System 2021-06-24 16:55:51 UTC 
FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3df7370a94`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3df7370a94

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2021-06-30 03:15:40 UTC 
FEDORA-2021-3df7370a94 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.