Bug 2188640

Summary: SELinux is preventing systemd-sleep from 'search' accesses on the directory /var/lib/systemd.
Product: Fedora
Reporter: zjlin
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: medium
Version: 38
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zjlin, zpytela
Target Milestone: ---
Target Release: ---
Keywords: Triaged
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:8240c22d4fa62146913a25d1bbf7bf48d3fbbb0ea197748c3851d5891968fc57;VARIANT_ID=kde;
Fixed In Version: selinux-policy-38.15-1.fc38
Last Closed: 2023-05-31 17:32:15 UTC
Attachments (flags: none):
  File: description
  File: os_info
  File: sleep.log

Description zjlin 2023-04-21 13:36:39 UTC
Description of problem:
An error related to SELinux occurred when the laptop was put to sleep. When entering sleep mode, systemd attempted to read /var/lib/systemd and encountered a permission error. The related log is attached to this report.
SELinux is preventing systemd-sleep from 'search' accesses on the directory /var/lib/systemd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-sleep should be allowed search access on the systemd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
# semodule -X 300 -i my-systemdsleep.pp

Additional Information:
Source Context                system_u:system_r:systemd_sleep_t:s0
Target Context                system_u:object_r:init_var_lib_t:s0
Target Objects                /var/lib/systemd [ dir ]
Source                        systemd-sleep
Source Path                   systemd-sleep
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           systemd-253.2-1.fc38.x86_64
SELinux Policy RPM            selinux-policy-targeted-38.10-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.10-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.11-300.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Apr 13 20:27:09 UTC 2023
                              x86_64
Alert Count                   2
First Seen                    2023-04-21 21:07:56 CST
Last Seen                     2023-04-21 21:17:19 CST
Local ID                      0f2abbf6-535b-46dc-a426-ef017626d676

Raw Audit Messages
type=AVC msg=audit(1682083039.747:259): avc:  denied  { search } for  pid=4114 comm="systemd-sleep" name="systemd" dev="dm-0" ino=177930 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0


Hash: systemd-sleep,systemd_sleep_t,init_var_lib_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-38.10-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.9
reason:         SELinux is preventing systemd-sleep from 'search' accesses on the directory /var/lib/systemd.
package:        selinux-policy-targeted-38.10-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.2.11-300.fc38.x86_64
comment:        An error related to SELinux occurred when the laptop was put to sleep. When entering sleep mode, systemd attempted to read /var/lib/systemd and encountered a permission error. The related log is attached to this report.
component:      selinux-policy

Comment 1 zjlin 2023-04-21 13:36:42 UTC
Created attachment 1958804 [details]
File: description

Comment 2 zjlin 2023-04-21 13:36:44 UTC
Created attachment 1958805 [details]
File: os_info

Comment 3 zjlin 2023-04-21 13:36:46 UTC
Created attachment 1958806 [details]
File: sleep.log

Comment 4 Zdenek Pytela 2023-04-21 13:48:36 UTC
Hello,

Do you happen to know what the service was trying to do? If you can reproduce it, can you switch the system to permissive mode and gather all denials, or use a local policy like this:

  # cat local_sd_sleep.cil
(allow systemd_sleep_t init_var_lib_t (dir (getattr open search)))
  # semodule -i local_sd_sleep.cil
<reproduce>
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 5 zjlin 2023-04-21 14:05:14 UTC
Hi,
I tried to reproduce this. Here is the audit log.

----
type=USER_AVC msg=audit(04/21/2023 21:58:17.652:389) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/21/2023 21:58:21.878:390) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/21/2023 22:00:51.171:407) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/21/2023 22:00:54.818:408) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
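
The denials quoted in this comment and the kernel AVC from the description, as an added example that is not part of this bug report, of setroubleshoot or of audit2allow: a small Python parser that reads raw audit records and aggregates them into CIL allow rules of the same shape as the hand-written local_sd_sleep.cil in Comment 4 (which is what the setroubleshoot `ausearch | audit2allow -M` suggestion in the description automates). The sample input is copied from the records quoted in this report; the function names and the `Denial` dataclass are the example's own. It deliberately keeps the record type, because the second set of denials are USER_AVC records: systemd (pid 1, `subj=init_t`) is the userspace object manager enforcing the check on its own `service` class, so no rule about the /var/lib/systemd directory would touch them.

```python
"""Aggregate raw audit AVC records into CIL allow rules (added example, not project code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: three denials quoted in this bug report.  The first
# is a kernel AVC for a filesystem object; the other two are USER_AVC records that
# systemd (pid 1, subj=init_t) logs when it enforces policy itself on its D-Bus
# "service" object class.  scontext is the denied subject, subj is the enforcer.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1682083039.747:259): avc:  denied  { search } for  pid=4114 comm="systemd-sleep" name="systemd" dev="dm-0" ino=177930 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(04/21/2023 21:58:17.652:389) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(04/21/2023 21:58:21.878:390) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/user.slice cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
"""

# Fields that the kernel AVC and the USER_AVC payload have in common.
AVC_RE = re.compile(
    r"^type=(?P<rtype>AVC|USER_AVC)\b.*?"
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


@dataclass(frozen=True)
class Denial:
    record_type: str          # "AVC" (kernel) or "USER_AVC" (userspace object manager)
    source_type: str          # type field of scontext, e.g. systemd_sleep_t
    target_type: str          # type field of tcontext, e.g. init_var_lib_t
    tclass: str               # object class, e.g. dir or service
    perms: frozenset[str]     # permissions listed inside { ... }
    enforced: bool            # permissive=0: the access was really refused
    comm: Optional[str]       # kernel AVCs carry comm=; USER_AVCs do not


def _type_of(context: str) -> str:
    # A context is user:role:type[:range]; the type is the third field.
    return context.split(":")[2]


def parse_denials(log: str) -> list[Denial]:
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        denials.append(Denial(
            record_type=m["rtype"],
            source_type=_type_of(m["scontext"]),
            target_type=_type_of(m["tcontext"]),
            tclass=m["tclass"],
            perms=frozenset(m["perms"].split()),
            enforced=m["permissive"] == "0",
            comm=comm.group(1) if comm else None,
        ))
    return denials


def to_cil(denials: list[Denial]) -> list[str]:
    """Merge denials per (source type, target type, class) into one CIL rule each."""
    merged: dict[tuple[str, str, str], set[str]] = defaultdict(set)
    for d in denials:
        merged[(d.source_type, d.target_type, d.tclass)] |= d.perms
    return [
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(merged.items())
    ]


def setroubleshoot_hash(d: Denial) -> str:
    """Same shape as the 'Hash:' line in this report: comm,stype,ttype,class,perms."""
    return ",".join([d.comm or "?", d.source_type, d.target_type, d.tclass,
                     " ".join(sorted(d.perms))])


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        who = "kernel" if d.record_type == "AVC" else "userspace object manager"
        print(f"{d.record_type:8} {who:26} {setroubleshoot_hash(d)}")
    print("\n".join(to_cil(found)))
```

Run on the sample it prints one `dir` rule and one `service` rule for `systemd_sleep_t`; the `service` rule is the one that matters for `suspend-then-hibernate`, and a module generated this way is a diagnostic step to confirm which permissions the service really needs, to be removed again once the distribution policy carries the fix (selinux-policy-38.15-1.fc38 here).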

Comment 6 Zdenek Pytela 2023-04-21 14:19:36 UTC
Thank you. Just to ensure: no file was requested to read from /var/lib/systemd.

Comment 7 zjlin 2023-04-21 14:35:24 UTC
(In reply to Zdenek Pytela from comment #6)
> Thank you. Just to ensure: no file was requested to read from
> /var/lib/systemd.

Yes. I also tried `systemctl suspend`, but it didn't report such error.
It seems to only occur when the system tries to suspend using `systemctl suspend-then-hibernate`.

Comment 8 Zdenek Pytela 2023-05-29 16:09:19 UTC
You can now try the scratchbuild
https://github.com/fedora-selinux/selinux-policy/pull/1716
Checks -> Artifacts -> rpms.zip

or wait for a regular build later this week, thank you for cooperation.

Comment 9 Fedora Update System 2023-05-30 19:31:36 UTC
FEDORA-2023-a19eb5132c has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c

Comment 10 Fedora Update System 2023-05-31 02:50:44 UTC
FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a19eb5132c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a19eb5132c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-05-31 17:32:15 UTC
FEDORA-2023-a19eb5132c has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.