Bug 2121734
| Summary: | AVCs when runtime directory for the user is cleaned up on session exit | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | NEW --- | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 9.0 | CC: | lvrabec, mmalik, nknazeko |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.3 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
We will consider this bz for RHEL 9.3 and assign a separate type for systemd-user-runtime-dir.
Description of problem:

When `systemd-logind` executes `/usr/lib/systemd/systemd-user-runtime-dir` to clean up the user's session on exit, AVCs can be seen when the latter cannot delete files due to their label, e.g.:

```
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(08/26/2022 14:54:01.976:473) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1000
type=SYSCALL msg=audit(08/26/2022 14:54:01.976:473) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x3 a1=0x558372fa6d03 a2=0x0 a3=0x9b items=0 ppid=1 pid=2633 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(08/26/2022 14:54:01.976:473) : avc: denied { unlink } for pid=2633 comm=systemd-user-ru name=foo dev="tmpfs" ino=18 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
```

This kind of AVC should be hidden, or a transition to some new context should be created to allow `/usr/lib/systemd/systemd-user-runtime-dir` to delete everything it wants in that directory.

Version-Release number of selected component (if applicable):

selinux-policy-34.1.29-1.el9_0.2.noarch

How reproducible:

Always

Steps to Reproduce:

1. Create a user on the system

   ```
   # useradd user
   # echo "redhat" | passwd --stdin user
   ```

2. Log in as the user and create a file in its runtime directory

   ```
   # ssh user@localhost
   ...
   $ touch /run/user/$(id -u)/foo
   $ chcon -t container_file_t /run/user/$(id -u)/foo
   ```

3. Exit and wait for the session to be cleaned up (10 seconds by default)

   ```
   $ exit
   ```

4. Check the audit log for AVCs

   ```
   # ausearch -i -m avc -ts recent
   ```

Actual results:

```
type=PROCTITLE msg=audit(08/26/2022 14:54:01.976:473) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1000
type=SYSCALL msg=audit(08/26/2022 14:54:01.976:473) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x3 a1=0x558372fa6d03 a2=0x0 a3=0x9b items=0 ppid=1 pid=2633 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(08/26/2022 14:54:01.976:473) : avc: denied { unlink } for pid=2633 comm=systemd-user-ru name=foo dev="tmpfs" ino=18 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
```

Expected results:

No AVC

Additional info:

Files disappear anyway because the runtime directory is tmpfs and gets unmounted, so it's harmless.
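The `ausearch -i` records above can be triaged automatically so that this benign cleanup denial is told apart from denials that need action. The Python below is an added example, not part of this bug report or of selinux-policy: it parses the decoded records into events keyed by audit serial, splits the SELinux labels into their fields, and flags the logind runtime-directory cleanup pattern (source type `systemd_logind_t`, a delete permission on a `tmpfs` object, the `SYSCALL` record's `exe` being `/usr/lib/systemd/systemd-user-runtime-dir`). The sample records are constructed from the event in the report plus one unrelated denial; the helper names and the `CLEANUP_PERMS` set are assumptions of this example.

```python
"""Parse `ausearch -i` output and classify the logind runtime-dir cleanup denial.

Added example (not the bug report's or selinux-policy's code). Sample records are
constructed; function names and CLEANUP_PERMS are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed sample: event 473 mirrors the report's three records; event 500 is an
# unrelated, constructed denial on a persistent filesystem that must not be matched.
SAMPLE_RECORDS = [
    'type=PROCTITLE msg=audit(08/26/2022 14:54:01.976:473) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1000',
    'type=SYSCALL msg=audit(08/26/2022 14:54:01.976:473) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x3 a1=0x558372fa6d03 a2=0x0 a3=0x9b items=0 ppid=1 pid=2633 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)',
    'type=AVC msg=audit(08/26/2022 14:54:01.976:473) : avc: denied { unlink } for pid=2633 comm=systemd-user-ru name=foo dev="tmpfs" ino=18 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(08/26/2022 15:00:00.000:500) : avc: denied { write } for pid=4242 comm=httpd name=index.html dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

# msg=audit(<timestamp>:<serial>) ; the timestamp itself contains colons, so the
# non-greedy group stops only where ":<digits>)" closes the parenthesis.
_MSG_RE = re.compile(r'msg=audit\((.+?):(\d+)\)')
# key=value tokens: quoted values, values carrying a parenthesised suffix such as
# exit=EACCES(Permission denied), or plain tokens such as tty=(none).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]+(?:\([^)]*\))?|\S+)')
_PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*)\}')

CLEANUP_EXE = '/usr/lib/systemd/systemd-user-runtime-dir'
CLEANUP_PERMS = {'unlink', 'rmdir'}  # assumption: the delete operations cleanup performs


def parse_record(line):
    """Turn one decoded audit line into a dict of its fields."""
    rec = {}
    m = _MSG_RE.search(line)
    if m:
        rec['timestamp'], rec['serial'] = m.group(1), int(m.group(2))
    for key, val in _KV_RE.findall(line):
        if key != 'msg':
            rec[key] = val.strip('"')
    p = _PERMS_RE.search(line)
    if p:
        rec['perms'] = p.group(1).split()
    return rec


def parse_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    return dict(zip(('user', 'role', 'type', 'level'), ctx.split(':', 3)))


def group_events(lines):
    """Group records by audit serial so SYSCALL and AVC of one event sit together."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if 'serial' in rec and 'type' in rec:
            events[rec['serial']][rec['type']] = rec
    return dict(events)


def classify_event(event):
    """Return {'category': ..., ...} for one grouped event."""
    avc = event.get('AVC')
    if avc is None:
        return {'category': 'no-avc'}
    src = parse_context(avc['scontext'])['type']
    tgt = parse_context(avc['tcontext'])['type']
    perms = set(avc.get('perms', []))
    exe = event.get('SYSCALL', {}).get('exe')  # absent if only the AVC line was kept
    cleanup = (src == 'systemd_logind_t' and avc.get('dev') == 'tmpfs'
               and perms and perms <= CLEANUP_PERMS
               and (exe is None or exe == CLEANUP_EXE))
    return {
        'category': 'runtime-dir-cleanup' if cleanup else 'other',
        'source_type': src, 'target_type': tgt,
        'perms': sorted(perms), 'name': avc.get('name'), 'exe': exe,
    }


if __name__ == '__main__':
    for serial, ev in sorted(group_events(SAMPLE_RECORDS).items()):
        print(serial, classify_event(ev))
```

The `runtime-dir-cleanup` verdict corresponds to the case the report calls harmless (the tmpfs is unmounted and the files vanish regardless); anything classified `other` still deserves a look. Feeding real output is a matter of replacing `SAMPLE_RECORDS` with the lines of `ausearch -i -m avc,syscall,proctitle -ts recent`.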