Bug 2186821

Summary: systemd tries to load SELinux policy when reexecuting
Product: [Fedora] Fedora
Reporter: Ondrej Mosnacek <omosnace>
Component: systemd
Assignee: systemd-maint
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: rawhide
CC: dominik, fedoraproject, filbranden, lnykryn, mikhail.v.gavrilov, msekleta, ryncsn, systemd-maint, todoleza, yuwatana, zbyszek, zpytela
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-07-12 08:53:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ondrej Mosnacek 2023-04-14 15:16:14 UTC
Description of problem:
Latest systemd in Rawhide calls initialize_security()/mac_selinux_setup() when reexecuting, while it did not do so before (I only checked Fedora 37, not sure which version started doing it). Looking at the current upstream code, it seems it is not intended (going by the skip_setup variable and early_skip_setup_check() in src/core/main.c).

Doing mac_selinux_setup() while reexecuting triggers SELinux denials, since it is normally only called on early boot before policy is loaded and thus the policy wasn't being updated to allow init_t to do it for some time.

Version-Release number of selected component (if applicable):
systemd-253.2-1.fc39.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. systemctl daemon-reexec

Actual results:
dmesg contains "systemd[1]: Failed to load new SELinux policy. Continuing with old policy." and there are SELinux denials in audit log.

Expected results:
No attempts to load SELinux policy by systemd on reexec.
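
As an added illustration (not part of the bug report or of systemd), a small Python check that scans journal and audit lines for the two symptoms the description names: the quoted "Failed to load new SELinux policy" message from PID 1 and AVC denials whose source domain is init_t. The sample lines, including their SELinux contexts and file names, are constructed for this example.

```python
import re

# Constructed sample lines, not taken from the bug report: the journal message the
# report quotes, plus two AVC records in the standard audit format (contexts and
# file names are illustrative only).
SAMPLE_JOURNAL = """\
Apr 14 15:10:01 host systemd[1]: Reexecuting.
Apr 14 15:10:01 host systemd[1]: Failed to load new SELinux policy. Continuing with old policy.
"""
SAMPLE_AUDIT = """\
type=AVC msg=audit(1681484401.512:317): avc:  denied  { read open } for  pid=1 comm="systemd" name="policy.33" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file permissive=0
type=AVC msg=audit(1681484401.900:318): avc:  denied  { getattr } for  pid=2345 comm="sshd" name="id_rsa" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

POLICY_LOAD_FAILURE = "Failed to load new SELinux policy. Continuing with old policy."
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm=\"(?P<comm>[^\"]*)\""
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The SELinux type is the third field of user:role:type:level.
    rec["stype"] = rec["scontext"].split(":")[2]
    return rec

def init_denials(audit_text):
    """AVC denials whose source domain is init_t, i.e. PID 1 / systemd itself."""
    recs = (parse_avc(l) for l in audit_text.splitlines())
    return [r for r in recs if r and r["stype"] == "init_t"]

def policy_load_failures(journal_text):
    """Journal lines from PID 1 carrying the message the report quotes from dmesg."""
    return [l for l in journal_text.splitlines()
            if "systemd[1]:" in l and POLICY_LOAD_FAILURE in l]

def check_reexec(journal_text, audit_text):
    """Summarise whether the symptom described in the report is present in the logs."""
    failures = policy_load_failures(journal_text)
    denials = init_denials(audit_text)
    return {"policy_load_failures": len(failures),
            "init_t_denials": [(r["perms"], r["tclass"]) for r in denials],
            "symptom_present": bool(failures) and bool(denials)}
```

Run it against `journalctl -b -o short` and `ausearch -m AVC --raw` output captured around a `systemctl daemon-reexec`; both symptoms together point at the reexec-time policy load rather than an unrelated denial.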

Comment 1 Ondrej Mosnáček 2023-04-29 19:56:47 UTC
*** Bug 2189416 has been marked as a duplicate of this bug. ***

Comment 2 Zdenek Pytela 2023-05-02 14:39:40 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=2189416#c3

Comment 3 Zdenek Pytela 2023-05-15 09:55:27 UTC
*** Bug 2203332 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2023-05-15 09:57:57 UTC
*** Bug 2203329 has been marked as a duplicate of this bug. ***

Comment 5 Zbigniew Jędrzejewski-Szmek 2023-05-15 11:05:25 UTC
There were various fixes in this area recently, in particular
https://github.com/systemd/systemd/commit/4f44d2c4f7.
It's possible that we messed something up in the logic.

Comment 6 Zdenek Pytela 2023-05-15 11:27:24 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #5)
> There were various fixes in this area recently, in particular
> https://github.com/systemd/systemd/commit/4f44d2c4f7.
> It's possible that we messed something up in the logic.

Changing streq() to startswith() is at least a good start, so I just think this commit hasn't made it into rawhide and F38 before reporting.

Still present in rawhide and F38
f38# rpm -q systemd
systemd-253.4-1.fc38.x86_64
rawhide# rpm -q systemd
systemd-253.4-1.fc39.x86_64

Comment 7 Ondrej Mosnacek 2023-07-12 08:53:24 UTC
This doesn't seem to occur any more with systemd-253.5-6.fc39 (but probably was fixed earlier).