Bug 1197886 - SELinux policy change not not visible to systemd until daemon-reexec
Summary: SELinux policy change not not visible to systemd until daemon-reexec
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
: 1660141 (view as bug list)
Depends On:
Blocks: 1075806
TreeView+ depends on / blocked
Reported: 2015-03-02 21:31 UTC by Sebastian Dyroff
Modified: 2020-07-09 08:50 UTC (History)
11 users (show)

Fixed In Version: systemd-246~rc1-1.fc33
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2020-07-09 08:50:08 UTC
Type: Bug

Attachments (Terms of Use)
Files needed to reproduce (selinux policy, unit files, service directory) (70.00 KB, application/x-tar)
2015-03-02 21:31 UTC, Sebastian Dyroff
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1195330 0 high CLOSED systemd is sending wrong audit event 2021-02-22 00:41:40 UTC

Internal Links: 1195330

Description Sebastian Dyroff 2015-03-02 21:31:58 UTC
Created attachment 997245 [details]
Files needed to reproduce (selinux policy, unit files, service directory)

Description of problem:

When systemd creates a new socket for socket activation it does not set the right selinux label on the created socket.

Steps to Reproduce:
1. See my example selinux policy module (install it)
2. Install my lala.service and lala.socket systemd unit files
3. Create a directory /lala
4. Check if ls -lahZ /lala shows the lala_t label for /lala
5. If not run restorecon on /lala
6. Start the lala.socket service with systemctl start lala.socket
7. Check if /lala/lala.sock has the lala_t label:
     It has not!!! <- bug?
8. Restart service lala.socket with systemctl restart lala.socket
9. Check if /lala/lala.sock has the lala_t label:
     It has! <- This should have happened in the first place

Comment 1 Jan Synacek 2015-03-04 09:45:29 UTC
I can't compile a module from the files that you've provided.

# checkmodule -o lala.mod lala.te 
checkmodule:  loading policy configuration from lala.te
lala.te:1:ERROR 'syntax error' at token 'policy_module' on line 1:

checkmodule:  error(s) encountered while parsing configuration

Comment 2 Sebastian Dyroff 2015-03-04 10:10:02 UTC
I used make -f /usr/share/selinux/devel/Makefile in the selinux module directory to compile the module. See: https://fedoraproject.org/wiki/PackagingDrafts/SELinux

Comment 3 Jan Synacek 2015-03-05 12:30:30 UTC
Ok, I can reproduce this on the latest upstream version from git (commit 9a71b1122c6e49dd9227f82b2f53837c7ea13019).

Comment 4 Sebastian Dyroff 2015-03-05 12:39:32 UTC
Do we need to create an upstream ticket?

Comment 5 Jan Synacek 2015-03-05 13:14:51 UTC
I'm not sure. After I rebooted the machine, the socket is always created with the correct label...

Comment 6 Zbigniew Jędrzejewski-Szmek 2015-03-05 13:44:34 UTC
Maybe we do not reload the policy correctly? It would be good to test the patch from https://bugzilla.redhat.com/show_bug.cgi?id=1195330 along with this.

Comment 7 Jan Synacek 2015-03-05 14:06:57 UTC
So I managed to reproduce this again by disabling the lala policy, rebooting and enabling it again.

So yes, it looks like the policy is not correctly reloaded. In shared/selinux-util.c, in mac_selinux_bind() this line

selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK)

sets fcon to system_u:object_r:default_t:s0. The problem is re-reproducible by stopping the lala.socket service, removing /lala/lala.sock and starting the socket again.

Comment 8 Fedora End Of Life 2015-11-04 15:32:44 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 9 Fedora End Of Life 2015-12-02 09:38:59 UTC
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 10 Zbigniew Jędrzejewski-Szmek 2015-12-02 13:15:38 UTC
Not sure if this is still a problem...

Comment 11 Arjen Heidinga 2016-08-22 09:21:00 UTC
I can confirm this still is a bug on CentOS7.

Comment 12 James Le Cuirot 2016-11-21 15:30:25 UTC
I've been facing this problem for a long time on CentOS 7. I thought I was doing something wrong.

Comment 13 Zbigniew Jędrzejewski-Szmek 2020-02-28 12:44:22 UTC
systemctl daemon-reload will now also reload the selinux policy (https://github.com/systemd/systemd/commit/a9dfac21ec, in v245).
As a work-around, calling daemon-reload after installing a policy module should be enough.
I'll leave this open though, since we should make this automatic.

Comment 14 Zbigniew Jędrzejewski-Szmek 2020-03-01 13:08:41 UTC
*** Bug 1660141 has been marked as a duplicate of this bug. ***

Comment 15 Zbigniew Jędrzejewski-Szmek 2020-03-01 13:10:14 UTC
A better fix is being discussed in https://github.com/systemd/systemd/pull/14781. I hope we can make this work.

Comment 16 Zbigniew Jędrzejewski-Szmek 2020-07-09 08:50:08 UTC
Built in rawhide.

Note You need to log in before you can comment on or make changes to this bug.