This may be a policy decision rather than a bug, but if so I'd like to know how I should handle this situation. I want to let users use systemctl --user to talk to systemd --user to launch things at boot time. My normal users are user_r, and the unconfined module is disabled. Running "/usr/bin/systemctl --user status" as such a user with dontaudit off and setenforce 0 gives:

type=AVC msg=audit(1480961161.434:45524): avc: denied { rlimitinh } for pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.434:45525): avc: denied { siginh } for pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.435:45526): avc: denied { noatsecure } for pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.445:45530): avc: denied { net_admin } for pid=30185 comm="crond" capability=12 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=USER_AVC msg=audit(1480961161.473:45531): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480961161.500:45532): avc: denied { read write } for pid=1 comm="systemd" path="socket:[833929]" dev="sockfs" ino=833929 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1480961161.504:45533): avc: denied { wake_alarm } for pid=340 comm="systemd-udevd" capability=35 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.545:45534): avc: denied { rlimitinh } for pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.545:45535): avc: denied { siginh } for pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.546:45536): avc: denied { noatsecure } for pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.615:45541): avc: denied { wake_alarm } for pid=340 comm="systemd-udevd" capability=35 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.619:45542): avc: denied { rlimitinh } for pid=30187 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.619:45543): avc: denied { siginh } for pid=30187 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.650:45544): avc: denied { wake_alarm } for pid=340 comm="systemd-udevd" capability=35 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.737:45548): avc: denied { rlimitinh } for pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.737:45549): avc: denied { siginh } for pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.738:45550): avc: denied { noatsecure } for pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.749:45552): avc: denied { net_admin } for pid=30185 comm="crond" capability=12 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1480961161.851:45555): avc: denied { read write } for pid=1 comm="systemd" path="socket:[833989]" dev="sockfs" ino=833989 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1480961163.135:45556): avc: denied { execute } for pid=30240 comm="bash" name="systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961163.136:45557): avc: denied { read open } for pid=30240 comm="bash" path="/usr/bin/systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961163.136:45558): avc: denied { execute_no_trans } for pid=30240 comm="bash" path="/usr/bin/systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1

Let me know what the correct solution is.
Thanks.
Hi,

Could you try this local policy?

$ cat user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))

Please let me know.
Thanks.
I'm sorry, I've never used CIL before, so my apologies if I'm doing something dumb, but:

rlpowell@vrici> sudo semodule -i /tmp/user_systemd.cil
Invalid syntax
Bad class-permissions
Problem filling class-permissions list
Bad allow rule at /var/lib/selinux/targeted/tmp/modules/400/user_systemd/cil:1
/sbin/semodule: Failed!
Just in case:

rlpowell@vrici> cat /tmp/user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))
Ah, I figured it out. Yes, this:

rlpowell@vrici> sudo semodule -i /tmp/user_systemd.cil
rlpowell@vrici> cat /tmp/user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file (execute execute_no_trans open read)))

seems to work.
(note that the problem before was "(file execute ...)" instead of "(file (execute ...))")
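The only difference between the rejected rule and the accepted one is whether the permission list is nested inside the class list. As an added example (not part of the bug report, and not Fedora policy or tooling), the following Python script turns raw AVC lines like the ones in the first comment into CIL allow rules in the nested `(class (perm ...))` form, drops the process permissions that only appear because dontaudit was disabled, and includes a check that rejects the flat form semodule refused. The four sample AVC lines are constructed, modelled on the systemctl and rlimitinh denials quoted above; the function names, the `DONTAUDIT_NOISE` set and the regular expressions are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the denials quoted in the bug report:
# three file denials for user_t on /usr/bin/systemctl plus one process
# denial of the kind that only shows up because dontaudit rules are disabled.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1480961163.135:45556): avc: denied { execute } for pid=30240 comm="bash" name="systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961163.136:45557): avc: denied { read open } for pid=30240 comm="bash" path="/usr/bin/systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961163.136:45558): avc: denied { execute_no_trans } for pid=30240 comm="bash" path="/usr/bin/systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961161.619:45542): avc: denied { rlimitinh } for pid=30187 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
"""

# Permissions a stock policy hides with dontaudit rules (example's own list);
# they surface once dontaudit is disabled and should not become allow rules.
DONTAUDIT_NOISE = frozenset({"rlimitinh", "siginh", "noatsecure"})

# Pull the permission set, both contexts and the object class out of one
# kernel AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# A well-formed CIL allow rule: (allow src tgt (class (perm ...))).
# The flat form (allow src tgt (class perm ...)) is what semodule rejected
# with "Bad class-permissions".
CIL_ALLOW_RE = re.compile(r"^\(allow \w+ \w+ \(\w+ \(\w+(?: \w+)*\)\)\)$")


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(text, ignore=DONTAUDIT_NOISE):
    """Collect denied permissions keyed by (source type, target type, class).

    Permissions listed in `ignore` are dropped; a denial whose every
    permission is ignored produces no rule at all.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = set(m["perms"].split()) - ignore
        if not perms:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(perms)
    return dict(rules)


def to_cil(rules):
    """Render one CIL allow rule per key, permissions nested under the class."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return "\n".join(out)


def cil_allow_is_well_formed(rule):
    """True only for the nested (class (perm ...)) form that semodule accepts."""
    return CIL_ALLOW_RE.match(rule.strip()) is not None


if __name__ == "__main__":
    cil = to_cil(parse_avc(SAMPLE_AUDIT))
    print(cil)
    for rule in cil.splitlines():
        assert cil_allow_is_well_formed(rule)
```

Run against the sample it prints exactly the rule that worked in the comment above, and the rlimitinh denial produces nothing. The output is a starting point, not a finished module: each generated rule still needs a human to decide whether the access is wanted (for instance, execute_no_trans means systemctl keeps running in the caller's domain rather than transitioning), after which the file is loaded with `semodule -i`.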
selinux-policy-3.13.1-225.6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a
selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a
Please build this also for f26/rawhide as this is where I observe something pretty similar.
In fact, with selinux-policy-3.13.1-231.fc26.noarch, the main problem I have is that with enforcing SELinux, I am receiving:

$ su -c "systemctl status --no-pager -l user@$(id -u)"
> ● user - User Manager for UID 1000
>    Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)
>    Active: inactive (dead)
>
> Jan 10 22:17:42 betenoire systemd[1]: Starting User Manager for UID 1000...
> Jan 10 22:17:42 betenoire systemd[1167]: user: Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied
> Jan 10 22:17:42 betenoire systemd[1]: Started User Manager for UID 1000.

whereas after setting to permissive and re-login, it works. I am not sure if it's material for a separate bug, but the workaround from [comment 1] does not seem to help with this prerequisite (at least I think it is a hard prerequisite for "systemctl --user" to succeed).
selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
OK, received update up to selinux-policy-3.13-1.233.fc26 and it did not help for issue detailed in [comment 9], will file a separate bug for that with details.
This seems to mostly work; the only problem I'm having is that "/bin/systemctl --user status" doesn't show logs; my local hack is:

logging_list_logs(user_t)
logging_read_generic_logs(user_t)
init_script_file_entry_type(user_t)