Bug 1401625 - user_r can't run systemctl --user
Summary: user_r can't run systemctl --user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-05 18:07 UTC by Robin Powell
Modified: 2017-02-01 01:34 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-225.6.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-11 07:23:38 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1412165 0 unspecified CLOSED user@.service (systemd --user) silently fails on being started by systemd with enforcing SELinux 2021-02-22 00:41:40 UTC

Internal Links: 1412165

Description Robin Powell 2016-12-05 18:07:27 UTC
This may be a policy decision rather than a bug, but if so I'd like to know how I should handle this situation.

I want to let users use systemctl --user to talk to systemd --user to launch things at boot time.  My normal users are user_r, and the unconfined module is disabled.

Running "/usr/bin/systemctl --user status" as such a user with dontaudit off and setenforce 0 gives:



type=AVC msg=audit(1480961161.434:45524): avc:  denied  { rlimitinh } for  pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.434:45525): avc:  denied  { siginh } for  pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.435:45526): avc:  denied  { noatsecure } for  pid=30186 comm="unix_chkpwd" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.445:45530): avc:  denied  { net_admin } for  pid=30185 comm="crond" capability=12  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=USER_AVC msg=audit(1480961161.473:45531): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480961161.500:45532): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[833929]" dev="sockfs" ino=833929 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1480961161.504:45533): avc:  denied  { wake_alarm } for  pid=340 comm="systemd-udevd" capability=35  scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.545:45534): avc:  denied  { rlimitinh } for  pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.545:45535): avc:  denied  { siginh } for  pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.546:45536): avc:  denied  { noatsecure } for  pid=30189 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1480961161.615:45541): avc:  denied  { wake_alarm } for  pid=340 comm="systemd-udevd" capability=35  scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.619:45542): avc:  denied  { rlimitinh } for  pid=30187 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.619:45543): avc:  denied  { siginh } for  pid=30187 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.650:45544): avc:  denied  { wake_alarm } for  pid=340 comm="systemd-udevd" capability=35  scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480961161.737:45548): avc:  denied  { rlimitinh } for  pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.737:45549): avc:  denied  { siginh } for  pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.738:45550): avc:  denied  { noatsecure } for  pid=30218 comm="sh" scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480961161.749:45552): avc:  denied  { net_admin } for  pid=30185 comm="crond" capability=12  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1480961161.851:45555): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[833989]" dev="sockfs" ino=833989 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1480961163.135:45556): avc:  denied  { execute } for  pid=30240 comm="bash" name="systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961163.136:45557): avc:  denied  { read open } for  pid=30240 comm="bash" path="/usr/bin/systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480961163.136:45558): avc:  denied  { execute_no_trans } for  pid=30240 comm="bash" path="/usr/bin/systemctl" dev="vda2" ino=271798 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1


Let me know what the correct solution is.  Thanks.

Comment 1 Lukas Vrabec 2016-12-06 16:42:10 UTC
Hi, 

Could you try this local policy?

$ cat user_systemd.cil 
(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))

Please let me know. 
Thanks.

Comment 2 Robin Powell 2016-12-28 07:18:59 UTC
I'm sorry, I've never used cil before, so my apologies if I'm doing something dumb, but:

rlpowell@vrici> sudo semodule -i /tmp/user_systemd.cil
Invalid syntax
Bad class-permissions
Problem filling class-permissions list
Bad allow rule at /var/lib/selinux/targeted/tmp/modules/400/user_systemd/cil:1
/sbin/semodule:  Failed!

Comment 3 Robin Powell 2016-12-28 07:19:38 UTC
Just in case:

rlpowell@vrici> cat /tmp/user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file execute execute_no_trans open read))

Comment 4 Robin Powell 2016-12-28 07:22:18 UTC
Ah, I figured it out.  Yes, this:

rlpowell@vrici> sudo semodule -i /tmp/user_systemd.cil
rlpowell@vrici> cat /tmp/user_systemd.cil
(allow user_t systemd_systemctl_exec_t (file (execute execute_no_trans open read)))

seems to work.

Comment 5 Robin Powell 2016-12-28 07:25:54 UTC
(note that the problem before was "(file execute ...)" instead of "(file (execute ...))")

Comment 6 Fedora Update System 2017-01-08 22:21:56 UTC
selinux-policy-3.13.1-225.6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a

Comment 7 Fedora Update System 2017-01-10 03:25:30 UTC
selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-66d634473a

Comment 8 Jan Pokorný [poki] 2017-01-10 22:23:01 UTC
Please build this also for f26/rawhide as this is where I observe
something pretty similar.

Comment 9 Jan Pokorný [poki] 2017-01-10 22:39:11 UTC
In fact, with selinux-policy-3.13.1-231.fc26.noarch, the main problem I have
is that with enforcing SELinux, I am receiving:

$ su -c "systemctl status --no-pager -l user@$(id -u)"
> ● user@1000.service - User Manager for UID 1000
>    Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)
>    Active: inactive (dead)
>
> Jan 10 22:17:42 betenoire systemd[1]: Starting User Manager for UID 1000...
> Jan 10 22:17:42 betenoire systemd[1167]: user@1000.service: Failed at step USER spawning
> /usr/lib/systemd/systemd: Permission denied
> Jan 10 22:17:42 betenoire systemd[1]: Started User Manager for UID 1000.

whereas after setting to permissive and relogin, it works.

I am not sure if it's a material for a separate bug, but the workaround from
[comment 1] does not seem to help with this prerequisite (at least I think
it is a hard prerequisite for "systemctl --user" to succeed).

Comment 10 Fedora Update System 2017-01-11 07:23:38 UTC
selinux-policy-3.13.1-225.6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Jan Pokorný [poki] 2017-01-11 10:35:29 UTC
OK, received update up to selinux-policy-3.13-1.233.fc26 and it did not
help for issue detailed in [comment 9], will file a separate bug for
that with details.

Comment 12 Robin Powell 2017-02-01 01:34:27 UTC
This seems to mostly work; the only problem I'm having is that "/bin/systemctl --user status" doesn't show logs; my local hack is:

logging_list_logs(user_t)
logging_read_generic_logs(user_t)
init_script_file_entry_type(user_t)


Note You need to log in before you can comment on or make changes to this bug.