Bug 1268520 - selinux is blocking essentially all systemctl actions
selinux is blocking essentially all systemctl actions
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
22
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-02 20:25 EDT by Andy Lutomirski
Modified: 2015-10-04 14:04 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-04 14:04:58 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andy Lutomirski 2015-10-02 20:25:04 EDT
My log is full of junk like this:

audit[1]: <audit-1107> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/firewalld.service" cmdline="systemctl status firewalld" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:firewalld_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

This is manifestly bogus.  uid 0 with type unconfined_t should *not* be denied access to systemd.

This is Fedora 22, fully up-to-date.

# rpm -qa \*selinux\* \*polkit\* \*Policy\* \*dbus\*
python3-dbus-1.2.0-7.fc22.x86_64
libselinux-python3-2.3-10.fc22.x86_64
dbus-1.8.20-1.fc22.x86_64
selinux-policy-targeted-3.13.1-128.13.fc22.noarch
polkit-0.113-4.fc22.x86_64
qt-qdbusviewer-4.8.6-30.fc22.x86_64
libselinux-devel-2.3-10.fc22.x86_64
dbusmenu-qt-0.9.3-0.10.20150604.fc22.x86_64
polkit-qt-0.112.0-3.fc22.x86_64
rpm-plugin-selinux-4.12.0.1-12.fc22.x86_64
polkit-docs-0.113-4.fc22.noarch
selinux-policy-doc-3.13.1-128.13.fc22.noarch
selinux-policy-devel-3.13.1-128.13.fc22.noarch
libselinux-debuginfo-2.2.1-6.fc20.x86_64
polkit-qt5-1-0.112.0-3.fc22.x86_64
libselinux-2.3-10.fc22.x86_64
python3-slip-dbus-0.6.4-1.fc22.noarch
abrt-dbus-2.6.1-5.fc22.x86_64
dbus-devel-1.8.20-1.fc22.x86_64
dbus-x11-1.8.20-1.fc22.x86_64
selinux-policy-3.13.1-128.13.fc22.noarch
polkit-devel-0.113-4.fc22.x86_64
libselinux-python-2.3-10.fc22.x86_64
libselinux-2.3-10.fc22.i686
dbus-glib-devel-0.104-1.fc22.x86_64
libdbusmenu-12.10.2-8.fc22.x86_64
dbus-libs-1.8.20-1.fc22.i686
dbusmenu-qt5-0.9.3-0.10.20150604.fc22.x86_64
libdbusmenu-gtk3-12.10.2-8.fc22.x86_64
kf5-kdbusaddons-5.13.0-1.fc22.x86_64
dbus-glib-0.104-1.fc22.x86_64
polkit-gnome-0.105-7.fc22.x86_64
libselinux-utils-2.3-10.fc22.x86_64
dbus-python-1.2.0-7.fc22.x86_64
dleyna-connector-dbus-0.2.0-4.fc22.x86_64
python-slip-dbus-0.6.4-1.fc22.noarch
dbus-libs-1.8.20-1.fc22.x86_64
polkit-pkla-compat-0.1-5.fc22.x86_64
polkit-libs-0.113-4.fc22.x86_64
selinux-policy-sandbox-3.13.1-128.13.fc22.noarch

audit2why says:

type=USER_AVC msg=audit(1443831631.319:2498): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/firewalld.service" cmdline="systemctl status firewalld" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:firewalld_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

which suggests that something is rather broken internally.  I haven't done anything explicit to my selinux setup except to setenforce 0 briefly so I could actually use my system.
Comment 1 Daniel Walsh 2015-10-03 06:34:58 EDT
I think 

systemctl daemon-reexec 

Fixes this problem.  This is a known issue which is being worked on.
Comment 2 Robin Powell 2015-10-03 16:18:49 EDT
In case it helps: I hit this by updating from 3.13.1-128.6.fc22 to 3.13.1-128.13.fc22
Comment 3 Andy Lutomirski 2015-10-03 19:08:20 EDT
This just happened to my laptop, and systemctl daemon-reexec fixed it for me.
Comment 4 Robin Powell 2015-10-03 19:51:40 EDT
Oh, yes, I can confirm the workaround as well.
Comment 5 Miroslav Grepl 2015-10-04 14:04:58 EDT
Yes, this is known issue and we have this workaround in the policy update.

It is a part of selinux-policy-3.13.1-128.16.fc22 so you would also update your system.

Note You need to log in before you can comment on or make changes to this bug.