1290255 – SELinux is preventing systemd-rfkill from 'write' accesses on the directory rfkill.

Bug 1290255 - SELinux is preventing systemd-rfkill from 'write' accesses on the directory rfkill.

Summary: SELinux is preventing systemd-rfkill from 'write' accesses on the directory r...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	24
Hardware:	x86_64
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:3cdd0c0b446a95c5468c692cb29...
Duplicates (1):	1309839 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-12-09 23:09 UTC by Joachim Frieben
Modified:	2020-03-11 14:55 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-3.13.1-180.fc24
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-04-09 20:17:30 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
journal F24 server alpha 1.6 log (186.17 KB, text/plain) 2016-03-21 03:00 UTC, Chris Murphy	no flags	Details
AVC denials from /var/log/audit/audit.log with enforcing=0 (8.60 KB, text/plain) 2016-03-21 13:50 UTC, Joachim Frieben	no flags	Details
View All

Description Joachim Frieben 2015-12-09 23:09:46 UTC

Description of problem:
SELinux is preventing systemd-rfkill from 'write' accesses on the directory rfkill.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-rfkill should be allowed write access on the rfkill directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-rfkill /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_rfkill_t:s0
Target Context                system_u:object_r:init_var_lib_t:s0
Target Objects                rfkill [ dir ]
Source                        systemd-rfkill
Source Path                   systemd-rfkill
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-162.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.4.0-0.rc4.git0.1.fc24.x86_64 #1
                              SMP Mon Dec 7 15:45:55 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-10 00:03:59 CET
Last Seen                     2015-12-10 00:03:59 CET
Local ID                      9caddcab-bd22-4415-922a-2c9760332484

Raw Audit Messages
type=AVC msg=audit(1449702239.54:202): avc:  denied  { write } for  pid=1053 comm="systemd-rfkill" name="rfkill" dev="dm-2" ino=393350 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1


Hash: systemd-rfkill,systemd_rfkill_t,init_var_lib_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-162.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.4.0-0.rc4.git0.1.fc24.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2015-12-10 13:20:21 UTC

Hi Joachim, 

Use restorecon to fix this issue:
#restorecon -R -v /var/lib/systemd/rfkill

Could you confirm if this fixed your issue? 

Thank you!

Comment 2 Joachim Frieben 2015-12-10 15:26:33 UTC

After a fresh install, I have not been able to reproduce this issue. In particular not after installing today's rawhide updates.

Comment 3 Miroslav Grepl 2015-12-20 12:17:40 UTC

(In reply to Joachim Frieben from comment #2)
> After a fresh install, I have not been able to reproduce this issue. In
> particular not after installing today's rawhide updates.

Thank you for testing.

Comment 4 Joachim Frieben 2016-01-10 15:03:38 UTC

Issue appears when booting from today's rawhide live image including package selinux-policy-targeted-3.13.1-165.fc24.

Comment 5 Lukas Vrabec 2016-01-12 14:31:30 UTC

The directory is labeled again as init_var_lib_t?

Comment 6 Joachim Frieben 2016-01-12 19:33:57 UTC

(In reply to Lukas Vrabec from comment #5)

system_u:object_r:init_var_lib_t:s0 rfkill

Comment 7 Andrew Cook 2016-02-18 20:54:00 UTC

*** Bug 1309839 has been marked as a duplicate of this bug. ***

Comment 8 Lukas Vrabec 2016-02-24 13:46:12 UTC

Probably, we need to add transition that init_t can create "rfkill" dir labeled as systemd_rfkill_var_lib_t in init_var_lib_t directory.

Comment 9 Jan Kurik 2016-02-24 15:48:13 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 10 Lukas Vrabec 2016-02-26 12:08:22 UTC

commit cbdc7b94f03f05a6825fd823a72a21b1df2d0e40
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 25 19:29:06 2016 +0100

    Add filename transition to interface systemd_filetrans_named_content()
    that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t
    instead of init_var_lib_t.
    rhbz #1290255

Comment 11 Chris Murphy 2016-03-21 02:58:38 UTC

This has returned in Fedora 24 Alpha 1.6. Attaching the full journal. But the gist is:

Mar 20 20:49:03 localhost.localdomain systemd[1]: Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Mar 20 20:49:03 localhost.localdomain systemd[1]: Starting Load/Save RF Kill Switch Status...
Mar 20 20:49:04 localhost.localdomain audit[705]: AVC avc:  denied  { write } for  pid=705 comm="systemd-rfkill" name="systemd" dev="dm-0" ino=33763955 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
Mar 20 20:49:04 localhost.localdomain audit[705]: SYSCALL arch=c000003e syscall=83 success=no exit=-13 a0=55ef484a7407 a1=1ed a2=0 a3=55ef484a7400 items=0 ppid=1 pid=705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
Mar 20 20:49:04 localhost.localdomain audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-rfkill"
Mar 20 20:49:04 localhost.localdomain systemd-rfkill[705]: Failed to create rfkill directory: Permission denied


systemd-229-6.fc24.x86_64
selinux-policy-3.13.1-179.fc24.noarch

Comment 12 Chris Murphy 2016-03-21 03:00:10 UTC

Created attachment 1138396 [details]
journal F24 server alpha 1.6 log

Comment 13 Chris Murphy 2016-03-21 03:08:32 UTC

restorecon -rv / doesn't fix this, it still fails to start and I see this still in the journal

Mar 20 21:02:18 localhost.localdomain kernel: audit: type=1400 audit(1458529338.022:64): avc:  denied  { write } for  pid=702 comm="systemd-rfkill" name="systemd" dev="dm-0" ino=33763955 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0

Comment 14 Lukas Vrabec 2016-03-21 09:33:12 UTC

Hi, 
Could you run:
$ ls -Z /var/lib/systemd

and attach all AVC msgs in /var/log/audit/audit.log ? 

Thank you.

Comment 15 Joachim Frieben 2016-03-21 13:48:35 UTC

--
enforcing=1
--
# ls -Z /var/lib/systemd
system_u:object_r:init_var_lib_t:s0 backlight
system_u:object_r:init_var_lib_t:s0 catalog
system_u:object_r:init_var_lib_t:s0 coredump
system_u:object_r:init_var_lib_t:s0 random-seed
system_u:object_r:init_var_lib_t:s0 timers

--
enforcing=0
--
# ls -Z /var/lib/systemd
system_u:object_r:init_var_lib_t:s0 backlight
system_u:object_r:init_var_lib_t:s0 catalog
system_u:object_r:init_var_lib_t:s0 coredump
system_u:object_r:init_var_lib_t:s0 random-seed
system_u:object_r:init_var_lib_t:s0 rfkill
system_u:object_r:init_var_lib_t:s0 timers

Comment 16 Joachim Frieben 2016-03-21 13:50:02 UTC

Created attachment 1138608 [details]
AVC denials from /var/log/audit/audit.log with enforcing=0

Comment 17 Lukas Vrabec 2016-03-21 14:33:38 UTC

commit 925b6fc2e41c720ed5124289f934748df0294b45
Author: Lukas Vrabec <lvrabec>
Date:   Mon Mar 21 12:34:29 2016 +0100

    Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499

Comment 18 Fedora Update System 2016-03-30 14:07:05 UTC

selinux-policy-3.13.1-180.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4

Comment 19 Fedora Update System 2016-03-30 22:25:12 UTC

selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4

Comment 20 Fedora Update System 2016-04-09 20:17:14 UTC

selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.