Description of problem:
Snapper is not allowed to perform some actions: Snapper timer services (crond replacement in systemd) are not allowed to communicate with the snapperd daemon. In enforcing mode I see this message in a timer service log:

systemd-helper[2994]: Failure (org.freedesktop.DBus.Error.AccessDenied).

This can be seen in audit.log:

type=USER_AVC msg=audit(1459779311.778:484): pid=3020 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.opensuse.Snapper member=ListConfigs dest=org.opensuse.Snapper spid=3128 tpid=3130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I guess it's caused by timer services executing /usr/lib/snapper/systemd-helper, which results in processes being in the init_t domain?

Version-Release number of selected component (if applicable):
snapper-0.2.8-2.fc24.x86_64
selinux-policy-targeted-3.13.1-180.fc25.noarch
kernel-4.6.0-0.rc1.git0.1.fc25.x86_64

How reproducible:
always

Steps to Reproduce:
Enable and/or manually start the snapper-timeline service while snapper is configured to snapshot some mounted volume.
Also snapperd seems to be restricted from performing a few ioctl calls, but I will need help on how to debug it properly. The only lines I see in audit.log wrt the blocked ioctls are:

type=AVC msg=audit(1459782391.281:764): avc: denied { sys_admin } for pid=3573 comm="snapperd" capability=21 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0

and the ioctl syscall returns 'Operation not permitted'.

snapperd also seems to be unable to lower the priority of background threads:

type=AVC msg=audit(1459782360.278:758): avc: denied { setsched } for pid=3560 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0

Let me know if you want me to create a separate bug for it...
Hello Ondrej,

I fixed your first issue with this change:

# chcon -t snapperd_exec_t /usr/lib/snapper/systemd-helper

Could you test it as well, so we can add a snapperd_exec_t file context for /usr/lib/snapper/systemd-helper? Do you have some reproducer for the AVCs in comment 1? Thank you.
(In reply to Lukas Vrabec from comment #2)
> Hello Ondrej,
>
> I fixed your first issue with this change:
> # chcon -t snapperd_exec_t /usr/lib/snapper/systemd-helper

Yup, that fixed it for me. Thanks!

With regard to the others:

1) ioctls issued by snapperd while performing actions on the btrfs backend (optional: if you want to see snapperd debug messages, edit /usr/share/dbus-1/system-services/org.opensuse.Snapper.service and add the "-d" option to the Exec= value):
   1) create and mount btrfs on /mnt/btrfs
   2) create a snapper config: snapper -c btrfs create-config /mnt/btrfs
   3) now perform restorecon -R /mnt/btrfs (SELinux support is not yet merged in snapper)
   4) invoke background comparison in the snapper daemon by: snapper -c btrfs create -t pre-post --command "touch /mnt/btrfs/some_file"
   It'll generate a denied ioctl on the /mnt/btrfs directory (subvolume).

2) It'll also cause a denied setpriority() for a snapperd thread with param prio = 20 (which is a general issue for any snapper backend, not only btrfs).

(Obviously the 2nd denial is not such a big deal.)
"ausearch -m avc,user_avc -ts recent" output for the reproducer above:

type=AVC msg=audit(1460409569.810:14537): avc: denied { rlimitinh } for pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.813:14538): avc: denied { siginh } for pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.813:14539): avc: denied { noatsecure } for pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.952:14540): avc: denied { read write } for pid=1 comm="systemd" path="socket:[208448]" dev="sockfs" ino=208448 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.952:14541): avc: denied { read write } for pid=1 comm="systemd" path="socket:[208450]" dev="sockfs" ino=208450 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14542): avc: denied { setsched } for pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14543): avc: denied { setsched } for pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14544): avc: denied { sys_admin } for pid=7140 comm="snapperd" capability=21 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0
OK, I pushed fixes with labeling /usr/lib/snapper/systemd-helper.

commit cdd71e4d94be7e60bbeedfb65e8e6150f866ce38
Author: Lukas Vrabec <lvrabec>
Date:   Fri Apr 22 14:26:00 2016 +0200

    Label /usr/lib/snapper/systemd-helper as snapperd_exec_t.
    rhbz#1323732
Could you reproduce your issue with the following test policy?

$ cat snapperd_test.te
policy_module(snapperd_test, 1.0)

require {
	type snapperd_t;
	class process setsched;
	class capability sys_admin;
}

#============= snapperd_t ==============
allow snapperd_t self:capability sys_admin;
allow snapperd_t self:process setsched;

$ make -f /usr/share/selinux/devel/Makefile snapperd_test.pp
# semodule -i snapperd_test.pp

Thank you.
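As an added illustration (not code from this bug report or from the selinux-policy project), the following Python helper does in miniature what audit2allow does: it parses the kernel AVC and dbus-daemon USER_AVC records quoted in this bug into the same two allow rules that snapperd_test.te contains, and separately flags denials whose source domain is init_t, which this thread resolved by labeling the helper snapperd_exec_t rather than by adding an allow rule. The sample records are copied from the report; the function names are my own.

```python
import re
from collections import defaultdict

# Sample records copied from the denials quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1460409570.150:14542): avc: denied { setsched } for pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1460409570.150:14544): avc: denied { sys_admin } for pid=7140 comm="snapperd" capability=21 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=USER_AVC msg=audit(1459779311.778:484): pid=3020 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.opensuse.Snapper member=ListConfigs dest=org.opensuse.Snapper spid=3128 tpid=3130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Matches kernel AVC records and USER_AVC records (where the avc: text sits inside msg='...').
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return (source_type, target_type, tclass, perms) for every denial in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((context_type(m.group("scon")), context_type(m.group("tcon")),
                            m.group("tclass"), frozenset(m.group("perms").split())))
    return denials


def allow_rules(denials):
    """Merge denials into allow rules; source == target becomes 'self', as in snapperd_test.te."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, "self" if src == tgt else tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return sorted(rules)


def relabel_candidates(denials):
    """Denials sourced from init_t: a systemd-launched helper that never left the init
    domain. The fix in this bug was a file context (snapperd_exec_t), not an allow rule."""
    return [(s, t, c) for s, t, c, _ in denials if s == "init_t"]
```

Run against the real audit log with `parse_avcs(open("/var/log/audit/audit.log").read())`; anything returned by `relabel_candidates` should be checked with `ls -Z` on the executable before any rule is written.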
Yup, works for me. Both errors are gone, thanks!
selinux-policy-3.13.1-184.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e163032315
selinux-policy-3.13.1-184.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.