Bug 1393505 - systemd generates USER_AVCs after selinux-policy update
Summary: systemd generates USER_AVCs after selinux-policy update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1298243 1394715
TreeView+ depends on / blocked
 
Reported: 2016-11-09 17:27 UTC by Michal Sekletar
Modified: 2017-08-01 15:17 UTC (History)
15 users (show)

Fixed In Version: selinux-policy-3.13.1-108.el7
Doc Type: Bug Fix
Doc Text:
Cause: Updating systemd on RHEL-7.2 to version from RHEL-7.3 and then as a separate yum command update the selinux policy. Consequence: systemd starts generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients. Fix: Reexec systemd daemon after update selinux-policy package when updating from rhel-7.2 to rhel-7.3 (or higher) Result: After separate update selinux-policy, systemd doesn't generate any AVC denials.
Clone Of:
: 1394715 (view as bug list)
Environment:
Last Closed: 2017-08-01 15:17:42 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Michal Sekletar 2016-11-09 17:27:27 UTC
Description of problem:
If you update systemd on RHEL-7.2 box to version from RHEL-7.3 and then as a separate yum command update the selinux policy systemd will start generating USER_AVC denials and will start returning "Access Denied" errors to DBus clients. IOW, most systemctl commands (start/stop/status) will return "Access Denied".

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102

How reproducible:
always

Steps to Reproduce:
1. provision RHEL-7.2 box 
2. yum update -y systemd
3. yum update -y selinux-policy
4  systemctl start reboot.target (attempt to reboot the machine)

Actual results:
systemctl returns access denied error.

Expected results:
No error is returned and machine is cleanly rebooted.

Additional info:
Versions before update on RHEL-7.2 systemd-219-19, selinux-policy-3.13.1-60.el7

Note that explicit "systemctl daeamon-rexec" after selinux-policy update mitigates the problem. I think that as a temporary fix we should re-execute systemd from %post installation script in selinux-policy package.

Comment 2 Milos Malik 2016-11-10 09:13:26 UTC
Did you update a RHEL-7.2 machine to RHEL-7.3 without updating selinux-policy* packages? Do I understand the issue correctly?

Comment 3 Milos Malik 2016-11-10 09:29:39 UTC
The only USER_AVC, which appears before reboot, looks this way:
----
type=USER_AVC msg=audit(11/10/2016 04:20:57.006:289) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/reboot.target cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

The more interesting thing is that the machine does not reboot when you run the reboot command as root insteaf of step 4.

Comment 25 errata-xmlrpc 2017-08-01 15:17:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861


Note You need to log in before you can comment on or make changes to this bug.