Bug 1285019 - SELinux is preventing systemd-logind from 'create' accesses on the file .#nologinDUxFTb.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64 Unspecified
Priority: high
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:41c659030036e40b5782668201c...
Duplicates: 1305567 1315477
Reported: 2015-11-24 11:57 EST by Vinicius Reis
Modified: 2016-03-14 04:01 EDT
Fixed In Version: selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Last Closed: 2016-03-05 01:22:30 EST
Attachments: None
Description Vinicius Reis 2015-11-24 11:57:25 EST
Description of problem:
Typed on a terminal window "sudo shutdown -h 15:00", while SELinux is in Enforcing mode.  
selinux-policy-3.13.1-155.fc23.noarch
SELinux is preventing systemd-logind from 'create' accesses on the file .#nologinDUxFTb.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-logind should be allowed create access on the .#nologinDUxFTb file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                .#nologinDUxFTb [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-155.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-300.fc23.x86_64 #1 SMP Tue Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-11-22 05:25:00 BRST
Last Seen                     2015-11-24 14:55:16 BRST
Local ID                      1ad8b651-3406-4c9a-a8b1-426d8f8c7259

Raw Audit Messages
type=AVC msg=audit(1448384116.310:594): avc:  denied  { create } for  pid=740 comm="systemd-logind" name=".#nologinDUxFTb" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: systemd-logind,systemd_logind_t,var_run_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-300.fc23.x86_64
type:           libreport
Comment 1 Wolfgang Rupprecht 2015-11-28 06:36:11 EST
Description of problem:
shutdown -r

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport
Comment 2 Stef Walter 2015-12-14 07:54:21 EST
We see this sporadically in the Cockpit integration tests.

For example: https://fedorapeople.org/groups/cockpit/logs/pull-3327-9b09bfed-fedora-23/log.html
Comment 3 Stef Walter 2015-12-14 07:56:59 EST
Cockpit is now working around this bug in its integration tests by ignoring the AVC: https://github.com/cockpit-project/cockpit/pull/3328
Comment 4 Daniel Walsh 2015-12-14 16:22:23 EST
Currently systemd-logind is only allowed to create the nologin file in /run. We should open it up to transition on any file.
Comment 5 Miroslav Grepl 2015-12-15 08:09:13 EST
There is a github discussion about this issue. The point is that it is about a generic transition in /run vs. filename transitions, which cannot be applied here because of .#nologinDUxFTb.

There are systemd fixes in the systemd code to label these files correctly according to the policy context.

We can try to add a generic transition to rawhide to see if it works correctly.
Comment 6 Daniel Walsh 2015-12-15 08:28:12 EST
Or get systemd-logind to claim a directory /run/logind/ or something
Comment 7 Lukas Vrabec 2015-12-15 10:17:18 EST
I like idea to store this in /run/logind or /run/systemd/. This should be best for us. 

Mirek, could you attach link with the discussion? 

Thank you.
Comment 8 Miroslav Grepl 2015-12-20 05:56:15 EST
Let's have this bug open and have a discussion in

https://github.com/systemd/systemd/pull/2100


Basically it will be fixed by systemd code changes. If we find a better solution we will remove these systemd code changes.
Comment 9 Miroslav Grepl 2016-01-04 15:08:21 EST
As we discussed with Dominick, if we get all the proper confinements we can revert the systemd SELinux code changes.
Comment 10 adalsaady 2016-02-08 10:26:16 EST
*** Bug 1305567 has been marked as a duplicate of this bug. ***
Comment 11 Lukas Vrabec 2016-02-25 11:43:31 EST
To be honest, I'm not sure what the solution is here after the github discussion. Can I make a generic transition so that systemd_logind_t can create any file in /run labeled as system_logind_var_run_t?

Mirek, 
What is your opinion?
Comment 12 Miroslav Grepl 2016-02-25 12:35:18 EST
Yes, I would go with this suggested solution from Dominick here.
Comment 13 Lukas Vrabec 2016-02-25 12:44:04 EST
Yes, I also agree with this solution. 

Thank you.
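The fix agreed in comments 5 and 11 through 13 is a generic, name-independent type transition rather than the bare "allow systemd_logind_t var_run_t:file create" that the audit2allow recipe in the report would produce (which would leave logind creating files of the generic var_run_t type). The script below is an added example, not part of this bug report or of the selinux-policy package: it turns the AVC quoted above into a local module carrying that transition. It assumes the private type for logind's /run files is named systemd_logind_var_run_t (the name used in comment 11, derived here from the domain name by convention), and that the domain already holds the directory permissions on var_run_t and manage rights on its own type, so no allow rules are added.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy). Turns the AVC
# quoted in this bug into a local module that adds a generic, name-independent
# type transition, instead of the bare "allow ... :file create" that
# audit2allow would emit for the same denial.
#
# Assumptions: the private type for logind's /run files is named
# systemd_logind_var_run_t (derived from the domain name by convention); the
# domain already has the dir permissions on var_run_t (the denial was on the
# file class, not dir) and manage rights on its own type, so no allow rules
# are added.

# The AVC from this bug's "Raw Audit Messages".
SAMPLE_AVC='type=AVC msg=audit(1448384116.310:594): avc:  denied  { create } for  pid=740 comm="systemd-logind" name=".#nologinDUxFTb" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=... with surrounding quotes removed.
# (Splits on spaces, so quoted values containing spaces are not supported.)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms LINE: the permission list inside "{ ... }", e.g. "create".
avc_perms() {
    printf '%s\n' "$1" | tr -s ' ' | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT: the type component of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# transition_te SOURCE_TYPE DIR_TYPE NEW_TYPE CLASS
# Emits a checkmodule-compatible module. A named transition
# (type_transition ... "nologin") cannot help here: ".#nologinDUxFTb" carries
# a random suffix, so the rule is keyed on (source, dir type, class) only.
transition_te() {
    cat <<EOF
module logind_run_filetrans 1.0;

require {
    type $1;
    type $2;
    type $3;
    class $4 create;
}

# Whatever $1 creates directly inside a $2 directory is labeled $3,
# regardless of the file name.
type_transition $1 $2:$4 $3;
EOF
}

# avc_to_module LINE: emit the module for a "create" denial, refuse anything else.
avc_to_module() {
    perms=$(avc_perms "$1")
    case " $perms " in
        *" create "*) ;;
        *) echo "avc_to_module: not a create denial ($perms)" >&2; return 1 ;;
    esac
    src=$(context_type "$(avc_field "$1" scontext)")
    dir=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    # NEW_TYPE is not in the AVC; assumed to follow the <domain>_var_run_t naming.
    transition_te "$src" "$dir" "${src%_t}_var_run_t" "$cls"
}

# Stand-alone: print the module for the AVC above. To load it (as root, with
# policycoreutils and checkpolicy installed):
#   avc_to_module "$SAMPLE_AVC" > logind_run_filetrans.te
#   checkmodule -M -m -o logind_run_filetrans.mod logind_run_filetrans.te
#   semodule_package -o logind_run_filetrans.pp -m logind_run_filetrans.mod
#   semodule -i logind_run_filetrans.pp
# and confirm the rule is in the loaded policy (setools):
#   sesearch -T -s systemd_logind_t -t var_run_t -c file
avc_to_module "$SAMPLE_AVC"
```

After loading, a file created by systemd-logind under /run, whatever its name, gets the systemd_logind_var_run_t label, so the original create denial on var_run_t no longer applies and logind's own manage rules cover the subsequent write, rename and unlink on the temporary file.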
Comment 14 Fedora Update System 2016-02-27 08:50:00 EST
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
Comment 15 Fedora Update System 2016-02-28 08:53:55 EST
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
Comment 16 Fedora Update System 2016-03-05 01:21:36 EST
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Daniel 2016-03-07 15:53:54 EST
*** Bug 1315477 has been marked as a duplicate of this bug. ***
Comment 18 Stef Walter 2016-03-14 04:01:52 EDT
This is happening again on Fedora 24 with different AVC's, but essentially the same problem:

https://bugzilla.redhat.com/show_bug.cgi?id=1317389
