Bug 1276601 - systemd-logind AVC's while shutting down system [NEEDINFO]
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Ben Levenson
Reported: 2015-10-30 05:25 EDT by Stef Walter
Modified: 2016-08-18 08:39 EDT
Doc Type: Bug Fix
Last Closed: 2016-08-18 08:39:28 EDT
Type: Bug
mgrepl: needinfo? (stefw)


Description Stef Walter 2015-10-30 05:25:24 EDT
Description of problem:

In the Cockpit test suite we see these AVC's while systemd-logind is running a system shutdown:

Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { create } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { read write open } for  pid=571 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=2 success=yes exit=19 a0=55ad25fddb70 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { setattr } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=91 success=yes exit=0 a0=13 a1=1a4 a2=0 a3=55ad25fdbdf0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { getattr } for  pid=571 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=5 success=yes exit=0 a0=13 a1=7fff57273750 a2=7fff57273750 a3=55ad25d239f0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { rename } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=82 success=yes exit=0 a0=55ad25fddb70 a1=55ad25d23990 a2=0 a3=7f2358b708c0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 cockpit-bridge[1127]: Shutdown scheduled for Thu 2015-10-29 18:11:39 EDT, use 'shutdown -c' to cancel.
Oct 29 22:11:39 f3 systemd-logind[571]: Creating /run/nologin, blocking further logins...
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { create } for  pid=571 comm="systemd-logind" name=".#nologinD0cdvj" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { read write open } for  pid=571 comm="systemd-logind" path="/run/.#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=2 success=yes exit=19 a0=55ad25fdd6f0 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { setattr } for  pid=571 comm="systemd-logind" name=".#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=91 success=yes exit=0 a0=13 a1=1a4 a2=0 a3=55ad25fdbaa0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { getattr } for  pid=571 comm="systemd-logind" path="/run/.#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=5 success=yes exit=0 a0=13 a1=7fff572740a0 a2=7fff572740a0 a3=55ad25fdbaa0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { rename } for  pid=571 comm="systemd-logind" name=".#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: SYSCALL arch=c000003e syscall=82 success=yes exit=0 a0=55ad25fdd6f0 a1=55ad25d14d14 a2=0 a3=7f2358b708c0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)

Version-Release number of selected component (if applicable):

systemd-222-8.fc23.x86_64
selinux-policy-targeted-3.13.1-151.fc23.noarch

Full log: http://files.cockpit-project.org/logs/pull-3068-0c94ef09-fedora-23-x86_64/TestShutdownRestart-testBasic-10.111.112.103-FAIL.log

There are many such examples; that's just one of the logs. More can be provided, including full journal contents.
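
An added example, not part of the original report or of any Fedora tooling: a small Python parser that groups AVC denials like the ones quoted above by source type, target type and class, and records whether each group was only logged (`permissive=1`) or blocked. The sample lines are copied from the report; `parse_avc` and `summarize` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Sample input: AVC records copied from the report above, plus one non-AVC
# line to show that other audit records are skipped.
SAMPLE = """\
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { create } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { rename } for  pid=571 comm="systemd-logind" name=".#scheduledVKawcY" dev="tmpfs" ino=18735 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Oct 29 22:11:39 f3 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
Oct 29 22:11:39 f3 audit[571]: AVC avc:  denied  { read write open } for  pid=571 comm="systemd-logind" path="/run/.#nologinD0cdvj" dev="tmpfs" ino=18743 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "permissive": True})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        # A context is user:role:type:level; the type is the third field.
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["objects"].add(rec.get("path") or rec.get("name", "?"))
        # permissive=1: logged but allowed. Missing or 0: the access was blocked.
        g["permissive"] &= rec.get("permissive") == "1"
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        state = "logged only (permissive)" if g["permissive"] else "blocked"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} {state}")
        for obj in sorted(g["objects"]):
            print(f"    {obj}")
```

Every denial in the quoted log carries `permissive=1` and the paired SYSCALL records show `success=yes`, so the operations went through and were only logged. The same accesses would be refused in enforcing mode unless the labels or the policy change.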
Comment 1 Miroslav Grepl 2016-01-22 04:24:48 EST
There are mislabeled dirs for a reason.

Could you try to run

# restorecon -R -v /run/systemd
Comment 2 Dominik Gronkiewicz 2016-02-27 21:36:40 EST
I have the same problem. I really want to go to enforced mode but I'm afraid as long as this alert occurs.
Comment 3 Lukas Vrabec 2016-03-15 14:31:34 EDT
Is it possible to reproduce this issue? I added some fixes, so I believe this is fixed now.
