Bug 2386220

Summary: systemd-creds reports protocol error when using cat or list commands
Product: [Fedora] Fedora Reporter: Maksym Hazevych <dpadar>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: ASSIGNED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: medium    
Version: 42CC: daan.j.demeyer, dtardon, dwalsh, fedoraproject, lnykryn, lvrabec, mmalik, msekleta, omosnacek, pkoncity, suraj.ghimire7, systemd-maint, vmojzis, yuwatana, zbyszek, zpytela
Target Milestone: ---Keywords: SELinux
Target Release: ---Flags: zpytela: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Maksym Hazevych 2025-08-03 21:42:06 UTC 
Following instructions at https://systemd.io/CREDENTIALS/, I cannot read the value of a newly created credential using cat or list command, even though I can with the decrypt command.

Relevant instructions:
```
systemd-creds encrypt --name=foobar plaintext.txt ciphertext.cred
systemd-run -P --wait -p LoadCredentialEncrypted=foobar:$(pwd)/ciphertext.cred systemd-creds cat foobar
```



Reproducible: Always

Steps to Reproduce:
1. Run `echo helloworld | sudo systemd-creds encrypt --name=foobar - ciphertext.cred`
2. Run `systemd-run -P --wait -p LoadCredentialEncrypted=foobar:$(pwd)/ciphertext.cred systemd-creds cat foobar`
3. See error: `Main processes terminated with: code=exited, status=243/CREDENTIALS`
4. Look into `journalctl -f` for the following errors:
```
(md-creds)[149701]: run-p149649-i149650.service: Failed to set up credentials: Protocol error
(md-creds)[149701]: run-p149649-i149650.service: Failed at step CREDENTIALS spawning /usr/bin/systemd-creds: Protocol error
```
Actual Results:
Main processes terminated with: code=exited, status=243/CREDENTIALS

Expected Results:
helloworld
Comment 1 David Tardon 2025-08-21 11:49:56 UTC 
I see the following AVC with SELinux in permissive:

AVC avc:  denied  { open } for  pid=41807 comm="(sd-mkdcreds)" path="/tmp/ciphertext.cred" dev="tmpfs" ino=5672 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
Comment 2 Milos Malik 2025-08-21 12:43:58 UTC 
The following SELinux denial appears when the reproducer is executed inside /tmp directory:
----
type=PROCTITLE msg=audit(08/21/2025 08:41:07.994:445) : proctitle=(sd-mkdcreds) 
type=PATH msg=audit(08/21/2025 08:41:07.994:445) : item=0 name=/tmp/ciphertext.cred inode=28 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/21/2025 08:41:07.994:445) : cwd=/ 
type=SYSCALL msg=audit(08/21/2025 08:41:07.994:445) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55be7e111900 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=2108 pid=2109 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-mkdcreds) exe=/usr/lib/systemd/systemd-executor subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(08/21/2025 08:41:07.994:445) : avc:  denied  { open } for  pid=2109 comm=(sd-mkdcreds) path=/tmp/ciphertext.cred dev="tmpfs" ino=28 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 
----
Comment 3 Milos Malik 2025-08-21 12:44:52 UTC 
The following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(08/21/2025 08:44:11.610:455) : proctitle=(sd-mkdcreds) 
type=PATH msg=audit(08/21/2025 08:44:11.610:455) : item=0 name=/tmp/ciphertext.cred inode=29 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/21/2025 08:44:11.610:455) : cwd=/ 
type=SYSCALL msg=audit(08/21/2025 08:44:11.610:455) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x56268ebb0900 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=2126 pid=2127 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-mkdcreds) exe=/usr/lib/systemd/systemd-executor subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(08/21/2025 08:44:11.610:455) : avc:  denied  { open } for  pid=2127 comm=(sd-mkdcreds) path=/tmp/ciphertext.cred dev="tmpfs" ino=29 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1 
----