Bug 1290255 - SELinux is preventing systemd-rfkill from 'write' accesses on the directory rfkill.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:3cdd0c0b446a95c5468c692cb29...
Keywords: Reopened
Duplicates: 1309839
Reported: 2015-12-09 18:09 EST by Joachim Frieben
Modified: 2016-04-09 16:17 EDT
CC: 8 users
Fixed In Version: selinux-policy-3.13.1-180.fc24
Doc Type: Bug Fix
Last Closed: 2016-04-09 16:17:30 EDT
Attachments
journal F24 server alpha 1.6 log (186.17 KB, text/plain)
2016-03-20 23:00 EDT, Chris Murphy
AVC denials from /var/log/audit/audit.log with enforcing=0 (8.60 KB, text/plain)
2016-03-21 09:50 EDT, Joachim Frieben
Description Joachim Frieben 2015-12-09 18:09:46 EST
Description of problem:
SELinux is preventing systemd-rfkill from 'write' accesses on the directory rfkill.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-rfkill should be allowed write access on the rfkill directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-rfkill /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_rfkill_t:s0
Target Context                system_u:object_r:init_var_lib_t:s0
Target Objects                rfkill [ dir ]
Source                        systemd-rfkill
Source Path                   systemd-rfkill
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-162.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.4.0-0.rc4.git0.1.fc24.x86_64 #1
                              SMP Mon Dec 7 15:45:55 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-10 00:03:59 CET
Last Seen                     2015-12-10 00:03:59 CET
Local ID                      9caddcab-bd22-4415-922a-2c9760332484

Raw Audit Messages
type=AVC msg=audit(1449702239.54:202): avc:  denied  { write } for  pid=1053 comm="systemd-rfkill" name="rfkill" dev="dm-2" ino=393350 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=1


Hash: systemd-rfkill,systemd_rfkill_t,init_var_lib_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-162.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.4.0-0.rc4.git0.1.fc24.x86_64
type:           libreport
Comment 1 Lukas Vrabec 2015-12-10 08:20:21 EST
Hi Joachim, 

Use restorecon to fix this issue:
#restorecon -R -v /var/lib/systemd/rfkill

Could you confirm if this fixed your issue? 

Thank you!
Comment 2 Joachim Frieben 2015-12-10 10:26:33 EST
After a fresh install, I have not been able to reproduce this issue. In particular not after installing today's rawhide updates.
Comment 3 Miroslav Grepl 2015-12-20 07:17:40 EST
(In reply to Joachim Frieben from comment #2)
> After a fresh install, I have not been able to reproduce this issue. In
> particular not after installing today's rawhide updates.

Thank you for testing.
Comment 4 Joachim Frieben 2016-01-10 10:03:38 EST
Issue appears when booting from today's rawhide live image including package selinux-policy-targeted-3.13.1-165.fc24.
Comment 5 Lukas Vrabec 2016-01-12 09:31:30 EST
The directory is labeled again as init_var_lib_t?
Comment 6 Joachim Frieben 2016-01-12 14:33:57 EST
(In reply to Lukas Vrabec from comment #5)

system_u:object_r:init_var_lib_t:s0 rfkill
Comment 7 Andrew Cook 2016-02-18 15:54:00 EST
*** Bug 1309839 has been marked as a duplicate of this bug. ***
Comment 8 Lukas Vrabec 2016-02-24 08:46:12 EST
Probably, we need to add a transition so that init_t can create the "rfkill" dir labeled as systemd_rfkill_var_lib_t in an init_var_lib_t directory.
Comment 9 Jan Kurik 2016-02-24 10:48:13 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 10 Lukas Vrabec 2016-02-26 07:08:22 EST
commit cbdc7b94f03f05a6825fd823a72a21b1df2d0e40
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Feb 25 19:29:06 2016 +0100

    Add filename transition to interface systemd_filetrans_named_content()
    that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t
    instead of init_var_lib_t.
    rhbz #1290255
Comment 11 Chris Murphy 2016-03-20 22:58:38 EDT
This has returned in Fedora 24 Alpha 1.6. Attaching the full journal. But the gist is:

Mar 20 20:49:03 localhost.localdomain systemd[1]: Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Mar 20 20:49:03 localhost.localdomain systemd[1]: Starting Load/Save RF Kill Switch Status...
Mar 20 20:49:04 localhost.localdomain audit[705]: AVC avc:  denied  { write } for  pid=705 comm="systemd-rfkill" name="systemd" dev="dm-0" ino=33763955 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
Mar 20 20:49:04 localhost.localdomain audit[705]: SYSCALL arch=c000003e syscall=83 success=no exit=-13 a0=55ef484a7407 a1=1ed a2=0 a3=55ef484a7400 items=0 ppid=1 pid=705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-rfkill" exe="/usr/lib/systemd/systemd-rfkill" subj=system_u:system_r:systemd_rfkill_t:s0 key=(null)
Mar 20 20:49:04 localhost.localdomain audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-rfkill"
Mar 20 20:49:04 localhost.localdomain systemd-rfkill[705]: Failed to create rfkill directory: Permission denied


systemd-229-6.fc24.x86_64
selinux-policy-3.13.1-179.fc24.noarch
Comment 12 Chris Murphy 2016-03-20 23:00 EDT
Created attachment 1138396 [details]
journal F24 server alpha 1.6 log
Comment 13 Chris Murphy 2016-03-20 23:08:32 EDT
restorecon -rv / doesn't fix this; it still fails to start, and I still see this in the journal

Mar 20 21:02:18 localhost.localdomain kernel: audit: type=1400 audit(1458529338.022:64): avc:  denied  { write } for  pid=702 comm="systemd-rfkill" name="systemd" dev="dm-0" ino=33763955 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:object_r:init_var_lib_t:s0 tclass=dir permissive=0
Comment 14 Lukas Vrabec 2016-03-21 05:33:12 EDT
Hi, 
Could you run:
$ ls -Z /var/lib/systemd

and attach all AVC msgs in /var/log/audit/audit.log ? 

Thank you.
Comment 15 Joachim Frieben 2016-03-21 09:48:35 EDT
--
enforcing=1
--
# ls -Z /var/lib/systemd
system_u:object_r:init_var_lib_t:s0 backlight
system_u:object_r:init_var_lib_t:s0 catalog
system_u:object_r:init_var_lib_t:s0 coredump
system_u:object_r:init_var_lib_t:s0 random-seed
system_u:object_r:init_var_lib_t:s0 timers

--
enforcing=0
--
# ls -Z /var/lib/systemd
system_u:object_r:init_var_lib_t:s0 backlight
system_u:object_r:init_var_lib_t:s0 catalog
system_u:object_r:init_var_lib_t:s0 coredump
system_u:object_r:init_var_lib_t:s0 random-seed
system_u:object_r:init_var_lib_t:s0 rfkill
system_u:object_r:init_var_lib_t:s0 timers
Comment 16 Joachim Frieben 2016-03-21 09:50 EDT
Created attachment 1138608 [details]
AVC denials from /var/log/audit/audit.log with enforcing=0
Comment 17 Lukas Vrabec 2016-03-21 10:33:38 EDT
commit 925b6fc2e41c720ed5124289f934748df0294b45
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Mar 21 12:34:29 2016 +0100

    Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
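For readers following the two fixes above, here is what a filename transition of the kind discussed in comments 8, 10 and 17 looks like as a self-contained local policy module. This is an added illustration written for this page; it is not the Fedora selinux-policy commit and its module name (local_rfkill_filetrans) is made up. It assumes the three types named in the AVC messages and commit messages (systemd_rfkill_t, init_var_lib_t, systemd_rfkill_var_lib_t) exist in the loaded base policy, and it uses systemd_rfkill_t as the creating domain because the SYSCALL record in comment 11 shows systemd-rfkill itself calling mkdir (syscall 83 on x86_64, exit=-13 EACCES) on the init_var_lib_t parent /var/lib/systemd (name="systemd"), which is what comment 17 addresses; comment 8 proposes the same transition for init_t instead.

```selinux
# local_rfkill_filetrans.te -- added illustration, not the Fedora policy commit.
# Assumes the three types below already exist in the loaded base policy
# (all three appear in the AVC messages and commit messages in this bug).
policy_module(local_rfkill_filetrans, 1.0)

gen_require(`
    type systemd_rfkill_t;
    type init_var_lib_t;
    type systemd_rfkill_var_lib_t;
')

# The denied operation is mkdir("/var/lib/systemd/rfkill") by systemd-rfkill.
# The parent /var/lib/systemd is init_var_lib_t, so the domain needs
# write/add_name on that directory (the missing permission behind the
# "Failed to create rfkill directory: Permission denied" line).
# filetrans_pattern grants rw_dir_perms on the parent and adds the
# type_transition in one step.
#
# The filename transition makes the kernel label a directory named exactly
# "rfkill", created by systemd_rfkill_t inside an init_var_lib_t directory,
# as systemd_rfkill_var_lib_t at creation time instead of letting it inherit
# init_var_lib_t from its parent (the mislabel visible in the ls -Z output
# of comment 15 with enforcing=0).
filetrans_pattern(systemd_rfkill_t, init_var_lib_t, systemd_rfkill_var_lib_t, dir, "rfkill")

# The domain must also be allowed to create and manage objects of the new
# type, otherwise the transition target is unusable.
manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
```

With selinux-policy-devel installed, the module builds with `make -f /usr/share/selinux/devel/Makefile local_rfkill_filetrans.pp` and loads with `semodule -i local_rfkill_filetrans.pp`; `sesearch -T -s systemd_rfkill_t -t init_var_lib_t -c dir` (setools) then shows the resulting type_transition rule. Note that `restorecon`, as tried in comments 1 and 13, only relabels paths that already exist and match file_contexts; it does not change policy, so it cannot grant the mkdir or affect the label a not-yet-created directory will receive, which is why it had no effect in comment 13.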
Comment 18 Fedora Update System 2016-03-30 10:07:05 EDT
selinux-policy-3.13.1-180.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4
Comment 19 Fedora Update System 2016-03-30 18:25:12 EDT
selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4
Comment 20 Fedora Update System 2016-04-09 16:17:14 EDT
selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
