Bug 1276601 - systemd-logind AVC's while shutting down system
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
Reported: 2015-10-30 09:25 UTC by Stef Walter
Modified: 2018-06-01 10:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-18 12:39:28 UTC
Type: Bug
Embargoed:
stefw: needinfo-


Description Stef Walter 2015-10-30 09:25:24 UTC
Description of problem:

In the Cockpit test suite we see these AVC's while systemd-logind is running a system shutdown:

Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { create } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { read write open } for  pid=571 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=2 success=yes exit=19 a0=55ad25fddb70 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { setattr } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=91 success=yes exit=0 a0=13 a1=1a4 a2=0 a3=55ad25fdbdf0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { getattr } for  pid=571 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=5 success=yes exit=0 a0=13 a1=7fff57273750 a2=7fff57273750 a3=55ad25d239f0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { rename } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=82 success=yes exit=0 a0=55ad25fddb70 a1=55ad25d23990 a2=0 a3=7f2358b708c0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 cockpit-bridge[1127]: Shutdown scheduled for Thu 2015-10-29 18:11:39 EDT, use 'shutdown -c' to cancel.
Oct 29 22:11:39 f3 systemd-logind[571]: Creating /run/nologin, blocking further logins...
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { create } for  pid=571 comm="systemd-logind" name=".#nologinD0cdvj" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { read write open } for  pid=571 comm="systemd-logind" path="/run/.#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=2 success=yes exit=19 a0=55ad25fdd6f0 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { setattr } for  pid=571 comm="systemd-logind" name=".#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=91 success=yes exit=0 a0=13 a1=1a4 a2=0 a3=55ad25fdbaa0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { getattr } for  pid=571 comm="systemd-logind" path="/run/.#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=5 success=yes exit=0 a0=13 a1=7fff572740a0 a2=7fff572740a0 a3=55ad25fdbaa0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { rename } for  pid=571 comm="systemd-logind" name=".#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=82 success=yes exit=0 a0=55ad25fdd6f0 a1=55ad25d14d14 a2=0 a3=7f2358b708c0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)

Version-Release number of selected component (if applicable):

systemd-222-8.fc23.x86_64
selinux-policy-targeted-3.13.1-151.fc23.noarch

Full log: http://files.cockpit-project.org/logs/pull-3068-0c94ef09-fedora-23-x86_64/TestShutdownRestart-testBasic-10.111.112.103-FAIL.log

There are many such examples, that's just one of the logs. More can be provided, including full journal contents.
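
Added example (not part of the original report or of the selinux-policy project): a small Python triage script that groups AVC records like the ones above by source type, target type and object class, and notes whether they were logged with permissive=1. The sample records are abridged from this report; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample records abridged from the report above (timestamps and some fields trimmed).
SAMPLE = '''\
audit[571]: AVC avc:  denied  { create } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
audit[571]: AVC avc:  denied  { read write open } for  pid=571 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledVKawcY" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
audit[571]: SYSCALL arch=c000003e syscall=2 success=yes exit=19 comm="systemd-logind"
audit[571]: AVC avc:  denied  { rename } for  pid=571 comm="systemd-logind" name=".#nologinD0cdvj" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    return context.split(':')[2]

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'permissive': True})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL / PROCTITLE records and ordinary journal lines
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        groups[key]['perms'].update(m['perms'].split())
        # permissive=1 means the access was logged but allowed; a 0 or a
        # missing field is treated as "not permissive" by this script.
        if m['permissive'] != '1':
            groups[key]['permissive'] = False
    return dict(groups)

def report(groups):
    """Render one line per group, in the shape of a policy rule."""
    lines = []
    for (src, tgt, cls), info in sorted(groups.items()):
        mode = ('permissive: allowed, logged' if info['permissive']
                else 'denied or mode not recorded')
        perms = ' '.join(sorted(info['perms']))
        lines.append(f"{src} -> {tgt}:{cls} {{ {perms} }} [{mode}]")
    return lines

if __name__ == '__main__':
    print('\n'.join(report(summarize(SAMPLE))))
```
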

Comment 1 Miroslav Grepl 2016-01-22 09:24:48 UTC
There are mislabeled dirs for a reason.

Could you try to run

# restorecon -R -v /run/systemd

Comment 2 Dominik Gronkiewicz 2016-02-28 02:36:40 UTC
I have the same problem. I really want to go to enforced mode but I'm afraid as long as this alert occurs.

Comment 3 Lukas Vrabec 2016-03-15 18:31:34 UTC
Is it possible to reproduce this issue? I added some fixes, so I believe this is fixed now.

