Bug 2000039

Summary: AVC failures seen with : denied { create } comm="systemd"
Product: Red Hat Enterprise Linux 9
Reporter: anuja <amore>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: high
Version: 9.0
CC: hewang, jchecahi, jstodola, lvrabec, mmalik, mvarun, sgoveas, ssekidde, ssidhaye, xiliang
Target Milestone: rc
Keywords: Triaged
Target Release: 9.0
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-34.1.24-1.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-17 15:49:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1942219

Description anuja 2021-09-01 09:11:10 UTC
Description of problem:

The following AVC denials were seen during bash tests with the latest IPA build for RHEL 9.0:
----
time->Thu Aug 26 14:18:02 2021
type=PROCTITLE msg=audit(1630001882.660:2737): proctitle="(systemd)"
type=SYSCALL msg=audit(1630001882.660:2737): arch=c000003e syscall=83 success=no exit=-13 a0=561de90da280 a1=1ed a2=561888d331ea a3=0 items=0 ppid=1 pid=21494 auid=725801116 uid=725801116 gid=725801116 euid=725801116 suid=725801116 fsuid=725801116 egid=725801116 sgid=725801116 fsgid=725801116 tty=(none) ses=48 comm="systemd" exe="/usr/lib/systemd/systemd" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1630001882.660:2737): avc:  denied  { create } for  pid=21494 comm="systemd" name="systemd" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Thu Aug 26 14:18:02 2021
type=PROCTITLE msg=audit(1630001882.683:2739): proctitle="(systemd)"
type=SYSCALL msg=audit(1630001882.683:2739): arch=c000003e syscall=83 success=no exit=-13 a0=7ffe9ce11910 a1=1ed a2=561888d3325a a3=0 items=0 ppid=1 pid=21494 auid=725801116 uid=725801116 gid=725801116 euid=725801116 suid=725801116 fsuid=725801116 egid=725801116 sgid=725801116 fsgid=725801116 tty=(none) ses=48 comm="systemd" exe="/usr/lib/systemd/systemd" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1630001882.683:2739): avc:  denied  { create } for  pid=21494 comm="systemd" name="systemd" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-34.1.13-1.el9.noarch
ipa-server-4.9.6-5.el9.x86_64.rpm

Actual results:
AVC denial seen.

Expected results:
No AVC denial should be there.

Comment 2 Zdenek Pytela 2021-09-01 10:02:13 UTC
This permission actually is allowed:

# sesearch -A -s user_t -t user_tmp_t -c dir -p create
allow user_t user_home_type:dir { add_name create getattr ioctl link lock open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink watch watch_reads write };
allow user_usertype user_tmp_type:dir { add_name create getattr ioctl link lock mounton open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink watch watch_reads write };

but I suppose we are hitting a clone of bz#1878094.
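
Added example, not part of this bug report or of the selinux-policy project: a small Python triage helper that does mechanically what comments 1 and 2 do by hand. It parses the type=AVC records quoted in the description, collapses identical denials, parses the sesearch output from comment 2, and reports whether the denied permission is already granted by an allow rule for that object class. The AVC lines and the sesearch output are copied from this report; the function names (parse_avc, parse_sesearch, allowed_perms, triage) and the verdict labels are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the two type=AVC records quoted in the bug description, copied
# verbatim. Non-AVC audit records (SYSCALL, PROCTITLE) are ignored by the parser.
AVC_LINES = [
    'type=AVC msg=audit(1630001882.660:2737): avc:  denied  { create } for  pid=21494 comm="systemd" name="systemd" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1630001882.683:2739): avc:  denied  { create } for  pid=21494 comm="systemd" name="systemd" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0',
]

# Output of `sesearch -A -s user_t -t user_tmp_t -c dir -p create` as quoted in
# comment 2. sesearch has already resolved the attributes (user_home_type,
# user_tmp_type, user_usertype) against the requested types, so every rule it
# prints applies to the user_t -> user_tmp_t:dir pair.
SESEARCH_OUTPUT = """\
allow user_t user_home_type:dir { add_name create getattr ioctl link lock open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink watch watch_reads write };
allow user_usertype user_tmp_type:dir { add_name create getattr ioctl link lock mounton open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink watch watch_reads write };
"""

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_RULE_RE = re.compile(r'allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]*)\}')


@dataclass(frozen=True)
class AvcDenial:
    """One denied access, reduced to the fields that decide the policy question."""
    perms: frozenset
    comm: str
    stype: str       # type component of scontext, e.g. user_t
    ttype: str       # type component of tcontext, e.g. user_tmp_t
    tclass: str
    enforcing: bool  # permissive=0 means the access was really refused


def parse_avc(line):
    """Return an AvcDenial for a type=AVC 'denied' record, or None for anything else."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(2))}
    # A security context is user:role:type[:range]; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return AvcDenial(perms, fields.get("comm", ""), stype, ttype,
                     fields["tclass"], fields.get("permissive") == "0")


def parse_sesearch(text):
    """Parse `allow src tgt:class { perms };` lines into (src, tgt, class, perms) tuples."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3), frozenset(m.group(4).split())))
    return rules


def allowed_perms(rules, tclass):
    """Union of permissions the listed rules grant on the given object class."""
    allowed = set()
    for _src, _tgt, cls, perms in rules:
        if cls == tclass:
            allowed |= perms
    return allowed


def triage(avc_lines, sesearch_text):
    """Deduplicate denials and say whether each is explained by a missing allow rule.

    Verdict labels are this example's own:
      'no-rule'     - no printed rule grants the permission; a policy change is needed.
      'rule-exists' - the rule is there, so the denial points elsewhere: the object or
                      process carried a different label at runtime (this bug was resolved
                      by a file-context labeling change, see comment 5), a boolean, or a
                      policy build that lacks the rule.
    """
    rules = parse_sesearch(sesearch_text)
    counts = {}
    for line in avc_lines:
        denial = parse_avc(line)
        if denial is not None:
            counts[denial] = counts.get(denial, 0) + 1
    results = []
    for denial, n in counts.items():
        missing = denial.perms - allowed_perms(rules, denial.tclass)
        results.append({
            "denial": denial,
            "count": n,
            "missing": sorted(missing),
            "verdict": "no-rule" if missing else "rule-exists",
        })
    return results


if __name__ == "__main__":
    for r in triage(AVC_LINES, SESEARCH_OUTPUT):
        d = r["denial"]
        print(f'{r["count"]}x comm={d.comm} {d.stype} -> {d.ttype}:{d.tclass} '
              f'{sorted(d.perms)} enforcing={d.enforcing} verdict={r["verdict"]}')
```

For the two records above the helper reports a single denial seen twice with verdict rule-exists, which is exactly the situation comment 2 describes: type enforcement already permits user_t to create a dir in user_tmp_t, so the denial has to be explained by something other than a missing rule. When running it on a live system, feed it `ausearch -m AVC` output and the matching `sesearch -A -s <stype> -t <ttype> -c <tclass>` query for each distinct denial.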

Comment 5 Zdenek Pytela 2022-01-05 17:11:55 UTC
To backport:
commit 925e0fcfc3747fa0d8bae5c6f266b4f2d754b6f5 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Tue Dec 14 20:40:40 2021 +0100

    Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling

Comment 16 Zdenek Pytela 2022-02-08 12:46:05 UTC
*** Bug 2051852 has been marked as a duplicate of this bug. ***

Comment 17 Zdenek Pytela 2022-02-08 16:11:19 UTC
*** Bug 2052065 has been marked as a duplicate of this bug. ***

Comment 18 Zdenek Pytela 2022-02-08 18:49:02 UTC
*** Bug 2052102 has been marked as a duplicate of this bug. ***

Comment 21 Zdenek Pytela 2022-02-10 09:49:32 UTC
*** Bug 2052912 has been marked as a duplicate of this bug. ***

Comment 22 Zdenek Pytela 2022-02-10 12:34:21 UTC
*** Bug 2052998 has been marked as a duplicate of this bug. ***

Comment 24 Milos Malik 2022-02-22 09:26:30 UTC
*** Bug 2056754 has been marked as a duplicate of this bug. ***

Comment 26 errata-xmlrpc 2022-05-17 15:49:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918