Bug 1412165 - user@.service (systemd --user) silently fails on being started by systemd with enforcing SELinux
Summary: user@.service (systemd --user) silently fails on being started by systemd wit...
Keywords:
Status: CLOSED DUPLICATE of bug 1412750
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-11 12:23 UTC by Jan Pokorný [poki]
Modified: 2017-02-07 17:23 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-07 17:23:40 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github systemd systemd issues 5000 0 None None None 2017-01-12 16:54:24 UTC
Red Hat Bugzilla 1401625 0 low CLOSED user_r can't run systemctl --user 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1412750 0 unspecified CLOSED Multiple services in recent Rawhide fail to start with: Failed at step USER spawning (executable): Permission denied 2021-02-22 00:41:40 UTC

Internal Links: 1401625 1412750

Description Jan Pokorný [poki] 2017-01-11 12:23:49 UTC
This was initially mentioned at [bug 1401625 comment 9], but is orthogonal
to that very bug.

After disabling dontaudit rules and subsequent user relogin, I observe:

type=AVC msg=audit(1484136253.411:210): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[35285]" dev="sockfs" ino=35285 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484136255.877:213): avc:  denied  { rlimitinh } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.877:214): avc:  denied  { siginh } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.878:215): avc:  denied  { noatsecure } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:217): avc:  denied  { rlimitinh } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:218): avc:  denied  { siginh } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:219): avc:  denied  { noatsecure } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:221): avc:  denied  { rlimitinh } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:222): avc:  denied  { siginh } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:223): avc:  denied  { noatsecure } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:226): avc:  denied  { rlimitinh } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:227): avc:  denied  { siginh } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:228): avc:  denied  { noatsecure } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.034:233): avc:  denied  { net_admin } for  pid=1613 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1484136257.034:234): avc:  denied  { net_admin } for  pid=1613 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1484136257.044:235): avc:  denied  { write } for  pid=1617 comm="(systemd)" path="socket:[16693]" dev="sockfs" ino=16693 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1484136257.050:241): avc:  denied  { siginh } for  pid=1618 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.050:242): avc:  denied  { noatsecure } for  pid=1618 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136336.182:255): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[31397]" dev="sockfs" ino=31397 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484136336.182:256): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[31398]" dev="sockfs" ino=31398 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

This is overapproximation what needs to be looked at, but "systemd" process
is the most suitable candidate AFAICT.

systemd-232-6.fc26.x86_64
selinux-policy-3.13.1-233.fc26.noarch

Comment 1 Jan Pokorný [poki] 2017-01-11 12:25:34 UTC
Note that no such symptom is exhibited after turning SELinux to permissive.

Comment 2 Jan Pokorný [poki] 2017-01-12 16:56:46 UTC
As an aside, there's an upstream request to make this sort of execution
failures more self-explanatory:
https://github.com/systemd/systemd/issues/5000#issuecomment-271899678

Comment 3 Jan Pokorný [poki] 2017-02-07 17:23:40 UTC
This is working correctly again after updating to
selinux-policy-3.13.1-236.fc26.

Looking at the changelog, I think this was in fact a forerunner
of [bug 1412750].

*** This bug has been marked as a duplicate of bug 1412750 ***


Note You need to log in before you can comment on or make changes to this bug.