Bug 1075106 - While updating to rawhide: avc: denied { write } for comm="sa1" path="/run/systemd/sessions/2.ref" dev="tmpfs"
Summary: While updating to rawhide: avc: denied { write } for comm="sa1" path="/run...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: cronie
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1091196
Depends On:
Blocks: 1017034
 
Reported: 2014-03-11 14:09 UTC by Jakub Jelen
Modified: 2014-04-30 13:05 UTC (History)

Fixed In Version: cronie-1.4.11-6.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-30 13:05:09 UTC
Type: Bug
Embargoed:



Description Jakub Jelen 2014-03-11 14:09:07 UTC
Description of problem:
While updating to rawhide from Fedora 20, SELinux produced the following message.

Follow the steps on https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum#To_rawhide

The message is produced during the stage
yum -y --releasever=rawhide distro-sync --nogpgcheck

Version-Release number of selected component (if applicable):
systemd                      x86_64 210-7.fc21                   rawhide
sysstat                      x86_64 10.2.1-1.fc21                rawhide
libselinux                   x86_64 2.2.2-6.fc21                 rawhide
selinux-policy               noarch 3.13.1-30.fc21               rawhide

How reproducible: Deterministic


Steps to Reproduce:
1. Follow the steps in the link above.

Actual results:
type=PATH msg=audit(1394448601.666:803): item=2 name=(null) inode=940855 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(1394448601.666:803): item=1 name=(null) inode=918461 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1394448601.666:803): item=0 name="/usr/lib64/sa/sa1" inode=936214 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysstat_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(1394448601.666:803):  cwd="/root"
type=EXECVE msg=audit(1394448601.666:803): argc=4 a0="/bin/sh" a1="/usr/lib64/sa/sa1" a2="1" a3="1"
type=SYSCALL msg=audit(1394448601.666:803): arch=c000003e syscall=59 success=yes exit=0 a0=1a73c30 a1=1a73e50 a2=1a72d40 a3=3f0b27f items=3 ppid=24058 pid=24063 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm="sa1" exe="/usr/bin/bash" subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1394448601.666:803): avc:  denied  { write } for  pid=24063 comm="sa1" path="/run/systemd/sessions/2.ref" dev="tmpfs" ino=46179 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file

Expected results:
No AVC denial 

Additional info:

Comment 2 Jakub Jelen 2014-04-18 16:44:36 UTC
I'm back here and I have got a deterministic reproducer:
1) Install stable Fedora 20
2) Update to Rawhide (using yum)
3) Install sysstat

Every 10 minutes I have got a new AVC:

type=AVC msg=audit(1397835601.713:700): avc:  denied  { write } for  pid=6565 comm="sa1" path="/run/systemd/sessions/14.ref" dev="tmpfs" ino=224051 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1397835601.713:700): arch=x86_64 syscall=execve success=yes exit=0 a0=a74bf0 a1=a74e10 a2=a73d00 a3=8 items=0 ppid=6551 pid=6565 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=14 comm=sa1 exe=/usr/bin/bash subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)

I did some more research, but still nothing interesting.

Comment 3 Miroslav Grepl 2014-04-24 13:05:43 UTC
We are going to add dontaudit rules until there is a fix.

Comment 4 Šimon Lukašík 2014-04-24 19:46:57 UTC
Please don't. I have seen Jakub come up with a better solution.

Comment 5 Miroslav Grepl 2014-04-25 06:50:00 UTC
(In reply to Šimon Lukašík from comment #4)
> Please don't. I have seen Jakub come up with a better solution.

Which one? We just added an SELinux workaround. This bug is still open.

Comment 6 Šimon Lukašík 2014-04-25 08:31:36 UTC
(In reply to Miroslav Grepl from comment #5)
> This bug is still open.

But it is not bug against selinux. Hold on. Good things sometimes take time.

Comment 7 Miroslav Grepl 2014-04-25 09:16:39 UTC
*** Bug 1091196 has been marked as a duplicate of this bug. ***

Comment 8 Jakub Jelen 2014-04-25 09:22:28 UTC
To understand what is going on here:

* Cron is acquiring a session from PAM. It is redirected to systemd, and an fd to the above-mentioned file is returned (new in Rawhide; it doesn't appear in FC20).
* Cron is doing exec, and at this moment the AVC appears if there is some system call or so in the callee program. I can reproduce it with a plain sleep call in a shell script.

* Cron should close this file descriptor before exec. I can go through all the file descriptors and close them. But simply setting
    fcntl(fd, F_SETFD, FD_CLOEXEC);
works too. So there will be a question for the systemd colleagues whether this shouldn't be there by default; I can't find any documentation about these files.

* I sent a patch to the cronie-devel list to fix this issue in cron.
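
The mechanism described in comment 8, as an added worked example (not cronie's or systemd's code, and not the patch linked below): a process holds an open descriptor, forks and execs a job, and the job inherits the descriptor unless FD_CLOEXEC was set on it first. A pipe's write end is constructed here to stand in for the logind session FIFO; the helper names (set_cloexec, fd_is_cloexec, fd_survives_exec, pipe_fd_survives_exec) are my own. The exec'd child is /bin/sh, which probes for the fd with a redirection.

```c
/* Added example, not cronie's or systemd's code: a pipe's write end stands in
 * for the logind session FIFO that cron receives from PAM (constructed
 * sample, not the real /run/systemd/sessions/N.ref). It shows that the fd
 * is inherited by an exec'd job unless FD_CLOEXEC is set on it first.
 * Linux/POSIX; needs /bin/sh. Build: cc -Wall -o cloexec_demo cloexec_demo.c */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC on fd, keeping any other FD flags. Returns 0, or -1 with errno. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if fd is close-on-exec, 0 if not, -1 if fd is not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fork, exec /bin/sh and let the shell probe whether fd is still open there:
 * "exec 9>&N" succeeds only if N is an open descriptor in the exec'd process,
 * so the shell's exit status tells us whether the fd leaked across exec.
 * Returns 1 if it survived, 0 if it was closed, -1 on fork/exec/wait error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    /* stderr is redirected first so a failed dup prints no noise */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9>&%d", fd);
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);               /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create a pipe, optionally mark its write end close-on-exec, and report
 * whether that end is still open in an exec'd child. Returns 1, 0 or -1. */
int pipe_fd_survives_exec(int apply_cloexec)
{
    int fds[2], result;

    if (pipe(fds) == -1)
        return -1;
    if (apply_cloexec && set_cloexec(fds[1]) == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    result = fd_survives_exec(fds[1]);
    close(fds[0]);
    close(fds[1]);
    return result;
}

int main(void)
{
    printf("write end without FD_CLOEXEC survives exec: %d\n",
           pipe_fd_survives_exec(0));   /* 1: the job inherits the fd */
    printf("write end with    FD_CLOEXEC survives exec: %d\n",
           pipe_fd_survives_exec(1));   /* 0: closed at execve() */
    return 0;
}
```

Two caveats worth keeping in mind when applying this to a daemon like cron: FD_CLOEXEC only takes effect at execve(), so a child that merely forks and keeps running the parent's code still sees the descriptor, which is why walking every open fd and closing it, as the comment also mentions, is the more thorough option; and the question raised for the systemd side is whether the descriptor handed back through PAM should be opened close-on-exec by default, in which case the consumer would not need to remember to set it at all.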

Comment 9 Jakub Jelen 2014-04-29 14:45:56 UTC
There is commit that should fix this issue in cronie:

https://git.fedorahosted.org/cgit/cronie.git/commit/?id=b2c8cbcef8c97b5a175d6e71995249b288707b0f

