Description of problem:
If you update systemd on a RHEL-7.2 box to the version from RHEL-7.3 and then, as a separate yum command, update the selinux policy, systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients. IOW, most systemctl commands (start/stop/status) will return "Access Denied".

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102

How reproducible:
always

Steps to Reproduce:
1. provision RHEL-7.2 box
2. yum update -y systemd
3. yum update -y selinux-policy
4. systemctl start reboot.target (attempt to reboot the machine)

Actual results:
systemctl returns access denied error.

Expected results:
No error is returned and machine is cleanly rebooted.

Additional info:
Versions before update on RHEL-7.2: systemd-219-19, selinux-policy-3.13.1-60.el7

Note that an explicit "systemctl daemon-reexec" after the selinux-policy update mitigates the problem. I think that as a temporary fix we should re-execute systemd from the %post installation script in the selinux-policy package.
Did you update a RHEL-7.2 machine to RHEL-7.3 without updating selinux-policy* packages? Do I understand the issue correctly?
The only USER_AVC, which appears before reboot, looks this way:

----
type=USER_AVC msg=audit(11/10/2016 04:20:57.006:289) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/reboot.target cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----

The more interesting thing is that the machine does not reboot when you run the reboot command as root instead of step 4.
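A small triage helper for audit records of the shape quoted above, added here as an illustration; it is not part of the bug report nor of the systemd or selinux-policy packages. The sample lines are constructed after the record in the comment (not captured from a live system), and the filtering rule (pid 1 running as init_t reporting a denial on a service-class object) is an assumption chosen for triage, not a definitive signature of the stale-policy condition. USER_AVC records carry two sets of fields, the outer ones describing the process that performed the check (here systemd, pid 1) and the inner ones describing the DBus caller that was refused, so the parser keeps them apart instead of letting the inner `auid=root` overwrite the outer `auid=unset`.

```python
import re

# Constructed sample records, modelled on the USER_AVC quoted in the bug report
# (not captured from a live system). The second line is an ordinary kernel AVC
# and should be ignored by the USER_AVC parser.
SAMPLE_LINES = [
    "type=USER_AVC msg=audit(11/10/2016 04:20:57.006:289) : pid=1 uid=root auid=unset "
    "ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=root "
    "uid=root gid=root path=/usr/lib/systemd/system/reboot.target cmdline=\"reboot\" "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service "
    "exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'",
    "type=AVC msg=audit(11/10/2016 04:21:00.000:290) : avc: denied { read } for pid=1234 "
    "comm=\"cat\" name=\"shadow\" scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:object_r:shadow_t:s0 tclass=file",
]

# key=value tokens; a value is either double-quoted or a bare run of non-space chars.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
AUDIT_ID = re.compile(r"audit\(([^)]*)\)")


def parse_user_avc(line):
    """Split a USER_AVC record into its outer (auditing process) and inner
    (embedded avc message) fields. Returns None for any other record type."""
    if not line.startswith("type=USER_AVC"):
        return None
    head, sep, inner = line.partition("msg='")
    if not sep:
        return None
    inner = inner.rstrip()
    if inner.endswith("'"):
        inner = inner[:-1]
    outer = {k: v.strip('"') for k, v in KV.findall(head)}
    outer.pop("msg", None)  # the audit(...) stamp contains a space; parsed separately
    stamp = AUDIT_ID.search(head)
    perms = DENIED.search(inner)
    return {
        "audit": stamp.group(1) if stamp else None,
        "outer": outer,
        "denied": perms.group(1).split() if perms else [],
        "inner": {k: v.strip('"') for k, v in KV.findall(inner)},
    }


def is_pid1_service_denial(rec):
    """Triage filter (an assumption, not a definitive signature): the denial was
    reported by pid 1 running as init_t against a service-class object, which is
    the shape of the records this bug describes. Whether a stale policy is the
    cause is confirmed by checking that they stop after 'systemctl daemon-reexec'."""
    outer, inner = rec["outer"], rec["inner"]
    return (
        outer.get("pid") == "1"
        and ":init_t:" in outer.get("subj", "")
        and inner.get("tclass") == "service"
    )


def find_candidates(lines):
    """Return the parsed USER_AVC records that pass the pid-1 service filter."""
    hits = []
    for line in lines:
        rec = parse_user_avc(line)
        if rec and is_pid1_service_denial(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_candidates(SAMPLE_LINES):
        i = rec["inner"]
        print(f"{rec['audit']}: pid 1 denied {{ {' '.join(rec['denied'])} }} "
              f"on {i.get('path')} ({i.get('tclass')}) for caller "
              f"{i.get('scontext')} running {i.get('cmdline')!r}")
```

Feed it the output of `ausearch -m USER_AVC` (or the raw audit.log lines) from a box that went through the update sequence in the report; a run of hits immediately after the selinux-policy transaction that disappears once systemd has been re-executed is the condition this bug describes.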
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861