Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-logind from create access on the file .#nologinoPzXni.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that systemd-logind should be allowed create access on the .#nologinoPzXni file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                .#nologinoPzXni [ file ]
Source                        systemd-logind
Source Path                   /usr/lib/systemd/systemd-logind
Port                          <Unknown>
Host                          <Host>
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <Host>
Platform                      Linux <Host> 4.2.6-300.fc23.x86_64 #1 SMP Tue Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-20 18:12:50 EET
Last Seen                     2015-11-20 18:12:50 EET
Local ID                      2d7bb6c1-cba4-445a-b370-91984605ce0a

Raw Audit Messages
type=AVC msg=audit(1448035970.231:245): avc: denied { create } for pid=1039 comm="systemd-logind" name=".#nologinoPzXni" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23.noarch.rpm

How reproducible:
Every time I schedule a shutdown or reboot. The command runs as expected, but I keep getting this message.

Steps to Reproduce:
Schedule a shutdown or reboot with something like shutdown -r +10

Additional info:
This started happening right after I installed FEDORA-2015-0d84d6c75f packages, so I'm fairly certain about the selinux-policy version (it didn't happen with 3.13.1-154, but I could not schedule a shutdown with that one).
Where is file ".#nologinoPzXni" stored?
I can't find any of the ".#nologinABCXYZ" files anywhere, but I guess that's to be expected, since systemd-logind is not allowed to create them. In the past couple of days, I haven't had any SELinux alerts pop up, but whenever there is about a minute left on the shutdown, or if I schedule the shutdown in one minute, I get these in the journal:

Nov 24 14:49:41 <hostname> systemd[1]: Starting Cleanup of Temporary Directories...
Nov 24 14:49:42 <hostname> systemd[1]: Started Cleanup of Temporary Directories.
Nov 24 14:49:42 <hostname> audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 24 14:49:42 <hostname> audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 24 14:57:33 <hostname> systemd-logind[993]: Creating /run/nologin, blocking further logins...
Nov 24 14:57:33 <hostname> systemd-logind[993]: Failed to create /run/nologin: Permission denied
Nov 24 14:57:33 <hostname> audit[993]: AVC avc: denied { create } for pid=993 comm="systemd-logind" name=".#nologinXo434m" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Nov 24 14:57:33 <hostname> audit[993]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=55accaffa850 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=993 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Nov 24 14:57:33 <hostname> audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
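An added triage helper, not part of the bug report or of systemd, that parses the AVC denial lines quoted in this report (both the raw audit.log form and the journal form) into source/target SELinux types, class and permissions, and recovers the final file name behind systemd's ".#<name>XXXXXX" temporary-file convention (the convention is assumed from the names seen here and in the later comment; the sample input is copied from the report, with the hostname placeholder kept):

```python
import re
from collections import Counter

# Constructed sample input: two AVC records quoted from this bug report plus one
# non-AVC SYSCALL line, to show the parser ignoring records it is not meant for.
SAMPLE_LINES = [
    'type=AVC msg=audit(1448035970.231:245): avc: denied { create } for pid=1039 '
    'comm="systemd-logind" name=".#nologinoPzXni" '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0',
    'Nov 24 14:57:33 <hostname> audit[993]: AVC avc: denied { create } for pid=993 '
    'comm="systemd-logind" name=".#nologinXo434m" '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0',
    'Nov 24 14:57:33 <hostname> audit[993]: SYSCALL arch=c000003e syscall=2 '
    'success=no exit=-13 comm="systemd-logind"',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed convention: systemd writes ".#<name>" plus a 6-character mkstemp-style
# suffix, then renames the temporary file into place as <name>.
TMPNAME_RE = re.compile(r'^\.#(?P<final>.+?)[A-Za-z0-9]{6}$')


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial (audit.log or journal form); None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    tmp = TMPNAME_RE.match(kv.get('name', ''))
    return {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'pid': int(kv['pid']),
        'source_type': context_type(kv['scontext']),
        'target_type': context_type(kv['tcontext']),
        'tclass': kv['tclass'],
        'enforced': kv.get('permissive') == '0',   # permissive=0: the access was blocked
        'name': kv.get('name'),
        'final_name': tmp.group('final') if tmp else None,  # ".#nologinoPzXni" -> "nologin"
    }


def summarize(lines):
    """Count denials per (source type, target type, class, permission) over many lines."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec['perms']:
            counts[(rec['source_type'], rec['target_type'], rec['tclass'], perm)] += 1
    return counts
```

Grouping by the (source type, target type, class, permission) tuple is what turns a stream of per-attempt records like the two above into the single policy question this report is about: may systemd_logind_t create a file of type var_run_t.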
Thank you for reporting. This is a systemd bug. They need to backport fixes related to nologin labeling.
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.
This should be already fixed in systemd-222-10.fc23.x86_64. *** This bug has been marked as a duplicate of bug 1287592 ***
Related fix appeared upstream in the meantime. https://github.com/systemd/systemd/commit/4b51966cf6c06250036e428608da92f8640beb96 However I didn't observe any problems regarding labeling of /run/user/$UID directories on Fedora.
There were follow-up commits, e.g. c3dacc8bbf2dc2f5d498072418289c3ba79160ac. I think we need to backport at least some of them.
All fixes related to SELinux and the #nologinXXXXXX files are fixed in F23.