Bug 1412165 - user@.service (systemd --user) silently fails on being started by systemd with enforcing SELinux
Keywords:
Status: CLOSED DUPLICATE of bug 1412750
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-11 12:23 UTC by Jan Pokorný [poki]
Modified: 2017-02-07 17:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-07 17:23:40 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github systemd systemd issues 5000 0 None None None 2017-01-12 16:54:24 UTC
Red Hat Bugzilla 1401625 0 low CLOSED user_r can't run systemctl --user 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1412750 0 unspecified CLOSED Multiple services in recent Rawhide fail to start with: Failed at step USER spawning (executable): Permission denied 2021-02-22 00:41:40 UTC

Internal Links: 1401625 1412750

Description Jan Pokorný [poki] 2017-01-11 12:23:49 UTC
This was initially mentioned at [bug 1401625 comment 9], but is orthogonal
to that very bug.

After disabling dontaudit rules and subsequent user relogin, I observe:

type=AVC msg=audit(1484136253.411:210): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[35285]" dev="sockfs" ino=35285 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484136255.877:213): avc:  denied  { rlimitinh } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.877:214): avc:  denied  { siginh } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.878:215): avc:  denied  { noatsecure } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:217): avc:  denied  { rlimitinh } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:218): avc:  denied  { siginh } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136255.884:219): avc:  denied  { noatsecure } for  pid=1614 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:221): avc:  denied  { rlimitinh } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:222): avc:  denied  { siginh } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136256.987:223): avc:  denied  { noatsecure } for  pid=1615 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:226): avc:  denied  { rlimitinh } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:227): avc:  denied  { siginh } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.000:228): avc:  denied  { noatsecure } for  pid=1616 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.034:233): avc:  denied  { net_admin } for  pid=1613 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1484136257.034:234): avc:  denied  { net_admin } for  pid=1613 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1484136257.044:235): avc:  denied  { write } for  pid=1617 comm="(systemd)" path="socket:[16693]" dev="sockfs" ino=16693 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1484136257.050:241): avc:  denied  { siginh } for  pid=1618 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.050:242): avc:  denied  { noatsecure } for  pid=1618 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136336.182:255): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[31397]" dev="sockfs" ino=31397 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484136336.182:256): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[31398]" dev="sockfs" ino=31398 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

This is an overapproximation of what needs to be looked at, but the "systemd"
process is the most suitable candidate AFAICT.

systemd-232-6.fc26.x86_64
selinux-policy-3.13.1-233.fc26.noarch
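A small triage helper, added here as an example (it is not code from the bug report, from systemd or from the selinux-policy project), that parses AVC records like the ones above and groups the denials by source type, target type, object class and permission, so that the init_t (PID 1) denials the reporter singles out stand out from the login/unix_chkpwd noise. The function names are my own; the sample is four of the records quoted in the description.

```python
import re
from collections import Counter

# Constructed sample: four of the AVC records quoted in the bug description.
AVC_SAMPLE = """\
type=AVC msg=audit(1484136253.411:210): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[35285]" dev="sockfs" ino=35285 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484136255.877:213): avc:  denied  { rlimitinh } for  pid=1613 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1484136257.044:235): avc:  denied  { write } for  pid=1617 comm="(systemd)" path="socket:[16693]" dev="sockfs" ino=16693 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1484136336.182:255): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[31397]" dev="sockfs" ino=31397 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
"""

# "avc:  denied  { perms } for  key=value ..." ; the key=value tail is parsed separately.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type of a context; MLS ranges contain ':' so split at most 3 times."""
    return context.split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms")
    rec["stype"] = selinux_type(rec["scontext"])
    rec["ttype"] = selinux_type(rec["tcontext"])
    return rec


def summarize(text):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts


def init_denials(text):
    """Denials whose source domain is init_t (PID 1 and its forked '(systemd)' child)."""
    return [r for r in map(parse_avc, text.splitlines()) if r and r["stype"] == "init_t"]
```

Run `summarize(AVC_SAMPLE).most_common()` to get the grouped counts; `permissive=0` in every record confirms these were enforced denials, which matches the comment below that the symptom disappears in permissive mode.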

Comment 1 Jan Pokorný [poki] 2017-01-11 12:25:34 UTC
Note that no such symptom is exhibited after turning SELinux to permissive.

Comment 2 Jan Pokorný [poki] 2017-01-12 16:56:46 UTC
As an aside, there's an upstream request to make this sort of execution
failure more self-explanatory:
https://github.com/systemd/systemd/issues/5000#issuecomment-271899678

Comment 3 Jan Pokorný [poki] 2017-02-07 17:23:40 UTC
This is working correctly again after updating to
selinux-policy-3.13.1-236.fc26.

Looking at the changelog, I think this was in fact a forerunner
of [bug 1412750].

*** This bug has been marked as a duplicate of bug 1412750 ***
