Bug 2188640
Field | Value
---|---
Summary | SELinux is preventing systemd-sleep from 'search' accesses on the directory /var/lib/systemd.
Product | Fedora
Component | selinux-policy
Version | 38
Hardware | x86_64
OS | Unspecified
Status | CLOSED ERRATA
Severity | unspecified
Priority | medium
Reporter | zjlin
Assignee | Zdenek Pytela <zpytela>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zjlin, zpytela
Keywords | Triaged
Target Milestone | ---
Target Release | ---
Whiteboard | abrt_hash:8240c22d4fa62146913a25d1bbf7bf48d3fbbb0ea197748c3851d5891968fc57;VARIANT_ID=kde;
Fixed In Version | selinux-policy-38.15-1.fc38
Doc Type | If docs needed, set a value
Story Points | ---
Last Closed | 2023-05-31 17:32:15 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Description (zjlin, 2023-04-21 13:36:39 UTC)
Created attachment 1958804 [details]
File: description
Created attachment 1958805 [details]
File: os_info
Created attachment 1958806 [details]
File: sleep.log
Hello, do you happen to know what the service was trying to do? If you can reproduce it, can you switch the system to permissive mode and gather all denials, or use a local policy like this:

    # cat local_sd_sleep.cil
    (allow systemd_sleep_t init_var_lib_t (dir (getattr open search)))
    # semodule -i local_sd_sleep.cil
    <reproduce>
    # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Hi, I tried to reproduce this. Here is the audit log.

    ----
    type=USER_AVC msg=audit(04/21/2023 21:58:17.652:389) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
    ----
    type=USER_AVC msg=audit(04/21/2023 21:58:21.878:390) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
    ----
    type=USER_AVC msg=audit(04/21/2023 22:00:51.171:407) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
    ----
    type=USER_AVC msg=audit(04/21/2023 22:00:54.818:408) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'

Thank you. Just to ensure: no file was requested to read from /var/lib/systemd.

(In reply to Zdenek Pytela from comment #6)
> Thank you. Just to ensure: no file was requested to read from
> /var/lib/systemd.

Yes. I also tried `systemctl suspend`, but it didn't report such an error. It seems to only occur when the system tries to suspend using `systemctl suspend-then-hibernate`.

You can now try the scratchbuild
https://github.com/fedora-selinux/selinux-policy/pull/1716
Checks -> Artifacts -> rpms.zip
or wait for a regular build later this week. Thank you for your cooperation.

FEDORA-2023-a19eb5132c has been submitted as an update to Fedora 38.
https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c

FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a19eb5132c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
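The thread's investigation loop is: collect every denial with `ausearch -i -m avc,user_avc,...`, express the denials as a local CIL module, install it with `semodule -i`, reproduce, and look at what is denied next. The script below, an added example that is not part of this bug, of selinux-policy, or of audit2allow, makes the middle step visible: it parses both kernel `AVC` records and the `USER_AVC` records that systemd (pid=1, `subj=...init_t`) emits as the userspace object manager for the `service` class, and folds them into CIL `allow` rules keyed by (source type, target type, class). The four `USER_AVC` lines are the ones posted in the thread; the leading `type=AVC` line is constructed to stand in for the original `search` denial on /var/lib/systemd from the bug summary, with the target type `init_var_lib_t` taken from the maintainer's `local_sd_sleep.cil`. The script name `avc2cil.py` and the comm/pid values in the constructed line are assumptions.

```python
"""avc2cil.py: fold SELinux denial records into CIL allow rules.

Added example for bug 2188640; not code from the bug, selinux-policy or audit2allow.
Handles kernel AVC records and systemd USER_AVC records (the latter carry the
denial inside msg='...' and are only found by ausearch when -m includes user_avc).
"""
import re
import sys
from collections import defaultdict

# Sample input. The four USER_AVC records are the ones posted in the bug.
# The first type=AVC record is CONSTRUCTED (pid, comm, name are made up) to
# represent the 'search' denial on /var/lib/systemd named in the bug summary.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/21/2023 21:58:17.000:388) : avc:  denied  { search } for  pid=2048 comm=systemd-sleep name=systemd scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(04/21/2023 21:58:17.652:389) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/21/2023 21:58:21.878:390) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/21/2023 22:00:51.171:407) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/21/2023 22:00:54.818:408) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
"""

# One pattern serves both record kinds: the denied permission set, then the
# security contexts and object class that the access decision was made on.
# Note that for USER_AVC the kernel-side subj= (init_t) is the reporter, not
# the subject of the check; scontext= inside the message is what matters.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context: str) -> str:
    """user:role:type:level -> type (the field a CIL allow rule names)."""
    return context.split(":")[2]


def parse_denials(text: str) -> list:
    """Return one dict per denial record found in ausearch -i output."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "record": "USER_AVC" if "type=USER_AVC" in line else "AVC",
            "perms": set(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=0 means the access was actually blocked, not just logged
            "enforced": m.group("permissive") == "0",
        })
    return denials


def to_cil(denials: list) -> list:
    """Merge denials into CIL allow statements, one per (source, target, class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    # Usage: ausearch -i -m avc,user_avc -ts today | python3 avc2cil.py > local.cil
    text = SAMPLE_AUDIT if sys.stdin.isatty() else sys.stdin.read()
    for rule in to_cil(parse_denials(text)):
        print(rule)
```

Run against the sample it emits two rules: `(allow systemd_sleep_t init_var_lib_t (dir (search)))` and `(allow systemd_sleep_t systemd_unit_file_t (service (start stop)))`, which is the same shape as the maintainer's `local_sd_sleep.cil`. Use such a module only to drive the reproduction loop (`semodule -i local.cil`, reproduce, `ausearch` again, `semodule -r local` when done): a rule derived mechanically from denials is a diagnostic, not a fix, and the `service` rule in particular grants start/stop on every unit carrying the generic `systemd_unit_file_t` label rather than only the slice that `suspend-then-hibernate` freezes. The shipped fix is the selinux-policy update referenced in the thread.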