Bug 614574

Summary: tracker : SELinux policy for Systemd
Product: [Fedora] Fedora
Reporter: Bill Nottingham <notting>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Docs Contact:
Priority: low
Version: rawhide
CC: carlg, contribs, drjohnson1, dwalsh, jeff, lpoetter, metherid, mschmidt, orion, rvokal, tmraz, vonbrand
Target Milestone: ---
Keywords: Tracking
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-26 20:15:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Bill Nottingham 2010-07-14 19:15:04 UTC
Description of problem:

At least, I can't log in in enforcing mode. If I'm not in enforcing mode,
my login shell ends up being unconfined_u:system_r:abrt_helper_t, which is very wrong.

Version-Release number of selected component (if applicable):

systemd-3-3
selinux-policy-targeted-3.8.6-3.fc14

How reproducible:

100%

Comment 1 Jeffrey C. Ollie 2010-07-14 20:52:13 UTC
Same problem here for me, same versions of systemd and selinux policy.  I can log in if I disable selinux and switch to permissive mode.  I tried doing a full relabel of the FS but it didn't help.

Comment 2 Lennart Poettering 2010-07-14 21:01:55 UTC
Hmm, I thought we had fixed the policy already. Reassigning to the policy package.

Comment 3 Daniel Walsh 2010-07-15 13:10:36 UTC
Labeling is fixed in selinux-policy-3_8_7-1_fc14

But I will leave this bug open for a while since lots of other changes need to be made to systemd to get it to work properly with SELinux.

Lennart we are going to have to either make systemd impersonate services or setup proper labeling on things like sockets, when doing autostart.

Comment 4 Orion Poplawski 2010-07-16 22:44:19 UTC
My current messages:

type=AVC msg=audit(1279341708.897:8): avc:  denied  { accept } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341708.897:9): avc:  denied  { getattr } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341708.897:10): avc:  denied  { getopt } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

Does not boot in enforcing.

Comment 5 Carl G. 2010-07-17 02:38:05 UTC
Please open a new bug report; this bug report is for tracking the bugs & changes required for SELinux to work with Systemd.

Thanks.

---

Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 6 Lennart Poettering 2010-07-17 13:47:44 UTC
*** Bug 614710 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Walsh 2010-07-20 18:00:08 UTC
selinux-policy-3.8.8-1.fc14 policy should allow you to boot systemd in enforcing mode. I had to hack policy to allow messagebus and avahi to work. We need to change systemd to properly impersonate those services. Currently the first app that tries to communicate with avahi or dbus ends up with an avc requiring:

allow telepathy_msn_t init_t:unix_stream_socket connectto;


Since init_t creates the socket, systemd should have used setsockcreatecon("system_u:system_r:dbusd_t:s0").

Then the avc would have been solved with the allow rule. 

allow telepathy_msn_t dbusd_t:unix_stream_socket connectto;
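
The mechanism Dan describes above, as an added example that is not part of this bug report or of systemd/libselinux: a small Python triage script that collapses AVC denials in the format quoted in comment 4 into audit2allow-style rules, and flags denials whose target is an init_t socket, the signature of a listening socket that systemd created without setting a socket-create context. The telepathy-msn denial line is constructed to match the rule in comment 7.

```python
import re
from collections import defaultdict

# Constructed sample input: the three dbus-daemon denials quoted in comment 4 plus a
# constructed telepathy-msn denial shaped to produce the rule quoted in comment 7.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1279341708.897:8): avc:  denied  { accept } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341708.897:9): avc:  denied  { getattr } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341708.897:10): avc:  denied  { getopt } for  pid=713 comm="dbus-daemon" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1279341800.123:11): avc:  denied  { connectto } for  pid=901 comm="telepathy-msn" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# Matches the permission set, source/target contexts and object class of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field (third component) of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group('perms').split():
            yield (selinux_type(m.group('scontext')), selinux_type(m.group('tcontext')),
                   m.group('tclass'), perm)

def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class), audit2allow style."""
    perms = defaultdict(set)
    for src, tgt, tclass, perm in parse_avc_denials(text):
        perms[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), ps in perms.items():
        body = ' '.join(sorted(ps)) if len(ps) == 1 else '{ ' + ' '.join(sorted(ps)) + ' }'
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return sorted(rules)

def sockets_owned_by_init(text):
    """Flag (source_type, tclass) pairs whose target is an init_t socket: the symptom of a
    socket created by systemd without setsockcreatecon(), so it carries init_t instead of
    the service's own type and every client needs a rule against init_t."""
    return sorted({(src, tclass) for src, tgt, tclass, _ in parse_avc_denials(text)
                   if tgt == 'init_t' and tclass.endswith('_socket')})
```

Any pair reported by `sockets_owned_by_init` should be fixed by labeling the socket with the service's type rather than by granting the generated rule against init_t.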

Comment 8 François Cami 2010-07-30 19:22:47 UTC
Err, reverting. Sorry.