Bug 1413047 - Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied
Summary: Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied
Keywords:
Status: CLOSED DUPLICATE of bug 1412750
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-13 13:16 UTC by Lukas Slebodnik
Modified: 2017-01-17 20:57 UTC (History)
9 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-01-17 20:57:50 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1412750 0 unspecified CLOSED Multiple services in recent Rawhide fail to start with: Failed at step USER spawning (executable): Permission denied 2021-02-22 00:41:40 UTC

Internal Links: 1412750

Description Lukas Slebodnik 2017-01-13 13:16:58 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
sh$ rpm -q systemd selinux-policy
systemd-232-6.fc26.x86_64
selinux-policy-3.13.1-233.fc26.noarch

How reproducible:
Deterministic

Steps to Reproduce:
1. #Boot rawhide in SELinux Enforcing mode
2. #login as an ordinary user
3. systemctl status --user


Actual results:
Failed to read server status: Input/output error

Expected results:
Displayed all user services

Additional info:
Related part of journal log with disabled dontaudit rules.
I could not see any AVCs by default.


Jan 13 14:06:47 host.example.com audit[4036]: CRED_ACQ pid=4036 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="lslebodn" exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=success'
Jan 13 14:06:47 host.example.com audit[4036]: USER_ROLE_CHANGE pid=4036 uid=0 auid=20728 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=success'
Jan 13 14:06:47 host.example.com audit[4036]: AVC avc:  denied  { net_admin } for  pid=4036 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
Jan 13 14:06:47 host.example.com audit[4036]: AVC avc:  denied  { net_admin } for  pid=4036 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
Jan 13 14:06:47 host.example.com systemd[1]: Created slice User Slice of lslebodn.
Jan 13 14:06:47 host.example.com audit[4133]: AVC avc:  denied  { write } for  pid=4133 comm="(systemd)" path="socket:[14684]" dev="sockfs" ino=14684 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
Jan 13 14:06:47 host.example.com systemd[4133]: user: Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied
Jan 13 14:06:47 host.example.com systemd[1]: Starting User Manager for UID 20728...
Jan 13 14:06:47 host.example.com systemd[1]: Started User Manager for UID 20728.
Jan 13 14:06:47 host.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@20728 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 13 14:06:47 host.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@20728 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 13 14:06:47 host.example.com systemd-logind[1034]: New session 2 of user lslebodn.
Jan 13 14:06:47 host.example.com systemd[1]: Started Session 2 of user lslebodn.


There was access denied to the inode 14684
sh# find /sys/ -inum 14684
/sys/devices/platform/serial8250/tty/ttyS21/dev

sh matchpathcon /sys/devices/platform/serial8250/tty/ttyS21/dev
/sys/devices/platform/serial8250/tty/ttyS21/dev system_u:object_r:sysfs_t:s0

sh# ls -lZ /sys/devices/platform/serial8250/tty/ttyS21/dev
-r--r--r--. 1 root root system_u:object_r:sysfs_t:s0 4096 Jan 13 14:15 /sys/devices/platform/serial8250/tty/ttyS21/dev
Comment 1 Lukas Slebodnik 2017-01-13 13:27:35 UTC 
And few SELinux reports which I saw a second before login
I am not sure which are related and which are caused by disabled dontaudit rule

SELinux is preventing login from using the rlimitinh access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that login should be allowed rlimitinh access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp


Additional Information:
Source Context                system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        login
Source Path                   login
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
                              UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-13 14:06:42 CET
Last Seen                     2017-01-13 14:06:42 CET
Local ID                      a289469d-e0d2-47a4-84bb-55514a8ee52a

Raw Audit Messages
type=AVC msg=audit(1484312802.410:934): avc:  denied  { rlimitinh } for  pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: login,getty_t,local_login_t,process,rlimitinh


SELinux is preventing login from using the siginh access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that login should be allowed siginh access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp


Additional Information:
Source Context                system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        login
Source Path                   login
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
                              UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-13 14:06:42 CET
Last Seen                     2017-01-13 14:06:42 CET
Local ID                      10f45660-99a6-413c-b502-9aaf2aff560f

Raw Audit Messages
type=AVC msg=audit(1484312802.410:935): avc:  denied  { siginh } for  pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: login,getty_t,local_login_t,process,siginh

SELinux is preventing login from using the noatsecure access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that login should be allowed noatsecure access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp


Additional Information:
Source Context                system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        login
Source Path                   login
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
                              UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-13 14:06:42 CET
Last Seen                     2017-01-13 14:06:42 CET
Local ID                      63541f56-cff2-45d8-b609-2a15a56d3d1d

Raw Audit Messages
type=AVC msg=audit(1484312802.411:936): avc:  denied  { noatsecure } for  pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: login,getty_t,local_login_t,process,noatsecure

SELinux is preventing systemd from 'read, write' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:kernel_t:s0-s0:c0.c1023
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
                              UTC 2017 x86_64 x86_64
Alert Count                   45
First Seen                    2017-01-13 13:51:30 CET
Last Seen                     2017-01-13 14:17:46 CET
Local ID                      fe48d463-6f29-45c3-8a69-f62cb5d5fbee

Raw Audit Messages
type=AVC msg=audit(1484313466.915:974): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[141825]" dev="sockfs" ino=141825 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,kernel_t,unix_stream_socket,read,write
Comment 2 Lukas Slebodnik 2017-01-13 14:58:02 UTC 
Here are AVCs which I used for fixing the issue with "systemctl status --user"

type=AVC msg=audit(1484313466.915:974): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[141825]" dev="sockfs" ino=141825 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484315059.928:498): avc:  denied  { write } for  pid=1395 comm="(systemd)" path="socket:[14492]" dev="sockfs" ino=14492 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
Comment 3 Lukas Slebodnik 2017-01-13 17:43:34 UTC 
I do not have a problem with "systemctl status --user" on older kernel 4.8.15-300.fc25.x86_64

The problem is only with 4.8.16-300.fc25.x86_64
Yes; kernel is from f25 and not from rawhide
Comment 4 Lukas Slebodnik 2017-01-13 20:06:39 UTC 
It works well with f25 systemd and f25 kernel

sh$ uname -a
Linux vm-115.example.com 4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

sh$ rpm -q systemd
systemd-231-10.fc25.x86_64



And there is still problem with latest rawhide kernel
sh$ uname -a
Linux vm-118.example.com 4.10.0-0.rc3.git1.1.fc26.x86_64 #1 SMP Tue Jan 10 15:32:37 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

sh$ rpm -q systemd
systemd-232-6.fc26.x86_64
Comment 5 Adam Williamson 2017-01-17 00:52:37 UTC 
Probably the same as https://bugzilla.redhat.com/show_bug.cgi?id=1412750 ?
Comment 6 Adam Williamson 2017-01-17 06:26:18 UTC 
ah, apparently not, says zbyszek.
Comment 7 Lukas Slebodnik 2017-01-17 14:10:02 UTC 
See also bug after change to permissive mode https://bugzilla.redhat.com/show_bug.cgi?id=1413075
Comment 8 Zbigniew Jędrzejewski-Szmek 2017-01-17 20:57:50 UTC 

*** This bug has been marked as a duplicate of bug 1412750 ***
Note You need to log in before you can comment on or make changes to this bug.