1285019 – SELinux is preventing systemd-logind from 'create' accesses on the file .#nologinDUxFTb.

Bug 1285019 - SELinux is preventing systemd-logind from 'create' accesses on the file .#nologinDUxFTb.

Summary: SELinux is preventing systemd-logind from 'create' accesses on the file .#nol...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	23
Hardware:	x86_64
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:41c659030036e40b5782668201c...
Duplicates (2):	1305567 1315477 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-11-24 16:57 UTC by Vinicius Reis
Modified:	2016-03-14 08:01 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.13.1-158.9.fc23
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-03-05 06:22:30 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1277987	0	unspecified	CLOSED	SELinux is preventing systemd-logind from 'rename' accesses on the file .#scheduledhAaMOb.	2021-02-22 00:41:40 UTC

Internal Links: 1277987

Description Vinicius Reis 2015-11-24 16:57:25 UTC

Description of problem:
Typed on a terminal window "sudo shutdown -h 15:00", while SELinux is in Enforcing mode.  
selinux-policy-3.13.1-155.fc23.noarch
SELinux is preventing systemd-logind from 'create' accesses on the file .#nologinDUxFTb.

*****  Plugin catchall (100. confidence) suggests   **************************

If você acredita que o systemd-logind deva ser permitido acesso de create em .#nologinDUxFTb file  por default.
Then você precisa reportar este como um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso agora executando:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                .#nologinDUxFTb [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-155.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-300.fc23.x86_64 #1 SMP Tue
                              Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-11-22 05:25:00 BRST
Last Seen                     2015-11-24 14:55:16 BRST
Local ID                      1ad8b651-3406-4c9a-a8b1-426d8f8c7259

Raw Audit Messages
type=AVC msg=audit(1448384116.310:594): avc:  denied  { create } for  pid=740 comm="systemd-logind" name=".#nologinDUxFTb" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Hash: systemd-logind,systemd_logind_t,var_run_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-300.fc23.x86_64
type:           libreport

Comment 1 Wolfgang Rupprecht 2015-11-28 11:36:11 UTC

Description of problem:
shutdown -r

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport

Comment 2 Stef Walter 2015-12-14 12:54:21 UTC

We see this sporadically in the Cockpit integration tests.

For example: https://fedorapeople.org/groups/cockpit/logs/pull-3327-9b09bfed-fedora-23/log.html

Comment 3 Stef Walter 2015-12-14 12:56:59 UTC

Cockpit is now working around this bug in its integration tests by ignoring the AVC: https://github.com/cockpit-project/cockpit/pull/3328

Comment 4 Daniel Walsh 2015-12-14 21:22:23 UTC

Currently systemd-logind is only allowed to create nologin file in /run,  We should open it up transition on any file.

Comment 5 Miroslav Grepl 2015-12-15 13:09:13 UTC

There is github discussion about this issue. The point is it is about a generic transition in /run vs. filename transitions which can not be applied here because of .#nologinDUxFTb.

There are systemd fixes in systemd code to label these files correctly according the policy context.

We can try to add a generic transition to rawhide to see if it works correctly.

Comment 6 Daniel Walsh 2015-12-15 13:28:12 UTC

Or get systemd-logind to claim a directory /run/logind/ or something

Comment 7 Lukas Vrabec 2015-12-15 15:17:18 UTC

I like idea to store this in /run/logind or /run/systemd/. This should be best for us. 

Mirek, could you attach link with the discussion? 

Thank you.

Comment 8 Miroslav Grepl 2015-12-20 10:56:15 UTC

Lets have this bug opened and have a discussion in

https://github.com/systemd/systemd/pull/2100


Basically it will be fixed by systemd code changes. If we find a better solution we will remove these systemd code changes.

Comment 9 Miroslav Grepl 2016-01-04 20:08:21 UTC

As we discussed it with Dominick if we get all proper confinements we can revert systemd SELinux code changes.

Comment 10 adalsaady 2016-02-08 15:26:16 UTC

*** Bug 1305567 has been marked as a duplicate of this bug. ***

Comment 11 Lukas Vrabec 2016-02-25 16:43:31 UTC

To be honest, I'm not sure what is solution here after github discussion. Can I make generic transition that systemd_logind_t can create any file in /run labeled as system_logind_var_run_t ? 

Mirek, 
What is your opinion?

Comment 12 Miroslav Grepl 2016-02-25 17:35:18 UTC

Yes, I would go with this suggested solution from Dominick here.

Comment 13 Lukas Vrabec 2016-02-25 17:44:04 UTC

Yes, I also agree with this solution. 

Thank you.

Comment 14 Fedora Update System 2016-02-27 13:50:00 UTC

selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 15 Fedora Update System 2016-02-28 13:53:55 UTC

selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 16 Fedora Update System 2016-03-05 06:21:36 UTC

selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Daniel 2016-03-07 20:53:54 UTC

*** Bug 1315477 has been marked as a duplicate of this bug. ***

Comment 18 Stef Walter 2016-03-14 08:01:52 UTC

This is happening again on Fedora 24 with different AVC's, but essentially the same problem:

https://bugzilla.redhat.com/show_bug.cgi?id=1317389

Note You need to log in before you can comment on or make changes to this bug.