SELinux is preventing sssd from 'read, write' accesses on the file config.ldb. So SELINUX block systemctl starting of SSSD : sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled) Drop-In: /etc/systemd/system/sssd.service.d └─journal.conf Active: failed (Result: exit-code) since Wed 2017-05-03 18:28:48 CEST; 10s ago Process: 6992 ExecStart=/usr/sbin/sssd -i -f (code=exited, status=4) Main PID: 6992 (code=exited, status=4) mai 03 18:28:48 (removed) systemd[1]: Starting System Security Services Daemon... mai 03 18:28:48 (removed) sssd[6992]: SSSD couldn't load the configuration database [5]: Input/output error. mai 03 18:28:48 (removed) systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION mai 03 18:28:48 (removed) systemd[1]: Failed to start System Security Services Daemon. mai 03 18:28:48 (removed) systemd[1]: sssd.service: Unit entered failed state. mai 03 18:28:48 (removed) systemd[1]: sssd.service: Failed with result 'exit-code'. SELINUX alert : ***** Plugin catchall (100. confidence) suggests ************************** If vous pensez que sssd devrait être autorisé à accéder read write sur config.ldb file par défaut. Then vous devriez rapporter ceci en tant qu'anomalie. Vous pouvez générer un module de stratégie local pour autoriser cet accès. Do allow this access for now by executing: # ausearch -c 'sssd' --raw | audit2allow -M my-sssd # semodule -X 300 -i my-sssd.pp Additional Information: Source Context system_u:system_r:sssd_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects config.ldb [ file ] Source sssd Source Path sssd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-251.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.11.0-0.rc8.git0.1.fc26.x86_64 #1 SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64 Alert Count 6 First Seen 2017-05-03 17:54:06 CEST Last Seen 2017-05-03 18:28:48 CEST Local ID f0ee373d-18bc-4aeb-94c3-51187ffaa56b Raw Audit Messages type=AVC msg=audit(1493828928.626:1860): avc: denied { read write } for pid=6992 comm="sssd" name="config.ldb" dev="sdc4" ino=151066 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Hash: sssd,sssd_t,unlabeled_t,file,read,write
Same isse with rpm -q selinux-policy selinux-policy-3.13.1-257.fc26.noarch sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: Drop-In: /etc/systemd/system/sssd.service.d └─journal.conf Active: failed (Result: exit-code) since Fri 2017-06-23 13:44:33 CEST; 43min Main PID: 680 (code=exited, status=4) juin 23 13:44:33 dada systemd[1]: Starting System Security Services Daemon... juin 23 13:44:33 dada sssd[680]: SSSD couldn't load the configuration database [ juin 23 13:44:33 dada systemd[1]: sssd.service: Main process exited, code=exited juin 23 13:44:33 dada systemd[1]: Failed to start System Security Services Daemo juin 23 13:44:33 dada systemd[1]: sssd.service: Unit entered failed state. juin 23 13:44:33 dada systemd[1]: sssd.service: Failed with result 'exit-code'.
Some update The issue impact sssd but auditd too. auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Sun 2017-06-18 19:02:48 CEST; 29s ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 657 ExecStart=/sbin/auditd (code=exited, status=6) juin 18 19:02:48 john systemd[1]: Starting Security Auditing Service... juin 18 19:02:48 john auditd[657]: Unable to open /var/log/audit/audit.log (Permission denied) juin 18 19:02:48 john auditd[657]: The audit daemon is exiting. juin 18 19:02:48 john systemd[1]: auditd.service: Control process exited, code=exited status=6 juin 18 19:02:48 john systemd[1]: Failed to start Security Auditing Service. juin 18 19:02:48 john systemd[1]: auditd.service: Unit entered failed state. juin 18 19:02:48 john systemd[1]: auditd.service: Failed with result 'exit-code'. Something is changing the selinux context to unlabeled. ls -lZ /var/log/audit/audit.log -rw-------. 1 root root system_u:object_r:unlabeled_t:s0 8140563 28 juin 11:26 /var/log/audit/audit.log And for ssd : /var/lib/sss/db/config.ldb from system_u:object_r:unlabeled_t:s0 /var/lib/sss/db/cache_implicit_files.ldb from system_u:object_r:unlabeled_t:s0 Restorecon fix the issue but only for two/three days : sudo restorecon -v /var/log/audit/audit.log Relabeled /var/log/audit/audit.log from system_u:object_r:unlabeled_t:s0 to system_u:object_r:auditd_log_t:s0 Fix for SSSD : sudo restorecon -Rv /var/lib/sss Relabeled /var/lib/sss/db/config.ldb from system_u:object_r:unlabeled_t:s0 to system_u:object_r:sssd_var_lib_t:s0 Relabeled /var/lib/sss/db/cache_implicit_files.ldb from system_u:object_r:unlabeled_t:s0 to system_u:object_r:sssd_var_lib_t:s0 Perhaps something interesting : My system is on BTRFS...
Same bug on other computer. BTRFS too. I think BTRFS have an issue with selinux contexts for auditd and sssd.
I do not think that problem is in selinux-policy in this case. selinux-policy-targeted properly allow access for sssd to all files in /var/lib/sss/db/ The problem is that for some reason files were mislabelled. I use btrfs on root filesystem and I do not have such problems [root@host ~]# rm -f /var/lib/sss/db/* [root@host ~]# systemctl restart sssd [root@host ~]# ls -lZ /var/lib/sss/db/ total 5024 -rw-------. 1 sssd sssd system_u:object_r:sssd_var_lib_t:s0 1286144 Jul 4 08:51 cache_example.com.ldb -rw-------. 1 sssd sssd system_u:object_r:sssd_var_lib_t:s0 1286144 Jul 4 08:51 config.ldb -rw-------. 1 sssd sssd system_u:object_r:sssd_var_lib_t:s0 1286144 Jul 4 08:51 sssd.ldb -rw-------. 1 sssd sssd system_u:object_r:sssd_var_lib_t:s0 1286144 Jul 4 08:51 timestamps_example.com.ldb [root@host ~]# mount -l | grep btrfs /dev/mapper/luks-048a9346-0d14-4aed-b72d-ab7c75501cb6 on / type btrfs (rw,relatime,seclabel,ssd,space_cache,subvolid=257,subvol=/root) [fedora_btrfs] /dev/mapper/luks-048a9346-0d14-4aed-b72d-ab7c75501cb6 on /var/lib/docker/containers type btrfs (rw,relatime,seclabel,ssd,space_cache,subvolid=257,subvol=/root/var/lib/docker/containers) [fedora_btrfs] /dev/mapper/luks-048a9346-0d14-4aed-b72d-ab7c75501cb6 on /var/lib/docker/btrfs type btrfs (rw,relatime,seclabel,ssd,space_cache,subvolid=257,subvol=/root/var/lib/docker/btrfs) [fedora_btrfs]
Restorecon restores labels correctly from policy. So I do not think that is the cause of the problem. But something regularly impacts labels that are changed and incorrect. It is always auditd and sssd simultaneously. And always after a reboot. Or in this case just after a fresh installation of FC26. mount -l | grep btrfs /dev/sdc4 on / type btrfs (rw,relatime,seclabel,ssd,space_cache,subvolid=257,subvol=/root) [fedora] /dev/sdc4 on /home type btrfs (rw,relatime,seclabel,ssd,space_cache,subvolid=258,subvol=/home) [fedora] That's why I thought about a btrfs issue or a low-system one.
Paul, do you think that problem will be with btrfs in kernel? or what would mark files as system_u:object_r:unlabeled_t:s0?
The btrfs filesystem has some odd behaviors with respect to SELinux labeling; it may be possible that this is a kernel issue, but I would like to better understand the problem first. A few questions: * Are the parent directories labeled correctly (e.g. /var/log/audit)? * Does the problem appear after _every_ reboot? Any other times? * Are btrfs snapshots being used at all?
* Are the parent directories labeled correctly (e.g. /var/log/audit)? Yes. Impact on audit.log, /var/lib/sss/db/config.ldb and /var/lib/sss/db/cache_implicit_files.ldb. Only, and simultaneously * Does the problem appear after _every_ reboot? Any other times? No. I tracked auditd to verify if a process has touched /var/log/audit/audit.log. it was low level fs issue since no process other than audit touched the file. I even wondered if secureboot had no impact but i think it irrelevant. The btrfs track is most likely. * Are btrfs snapshots being used at all? No. But i have two subvolumes.
It would be good to find out what is a trigger. Because I do not have any problem with labeling of sssd.conf or audit.log on btrfs. I use f26 as well.
(In reply to Lukas Slebodnik from comment #9) > It would be good to find out what is a trigger. Because I do not have any > problem with labeling of sssd.conf or audit.log on btrfs. I use f26 as well. Lukas, are you using subvolumes?
On my side : UUID=ee0c6491-4a6c-4501-bd6a-ce4daae2725d / btrfs subvol=root,ssd 0 0 UUID=b105633d-0cbc-43f9-ab8d-91f65dbfe5d7 /boot ext4 defaults 1 2 UUID=7DFD-5F06 /boot/efi vfat umask=0077,shortname=winnt 0 2 UUID=ee0c6491-4a6c-4501-bd6a-ce4daae2725d /home btrfs subvol=home,ssd 0 0 UUID=38fa7537-d828-46d9-a335-efc721844029 swap swap defaults 0 0 So impacted files are on a subvolume.
(In reply to Paul Moore from comment #10) > (In reply to Lukas Slebodnik from comment #9) > > It would be good to find out what is a trigger. Because I do not have any > > problem with labeling of sssd.conf or audit.log on btrfs. I use f26 as well. > > Lukas, are you using subvolumes? Yes, because docker use them and I also create subvolume/snapshot before fedora upgrades [root@host ~]# btrfs subvolume list / | grep -v docker ID 257 gen 447269 top level 5 path root ID 259 gen 445588 top level 257 path var/lib/machines ID 4207 gen 278820 top level 257 path fedora25_before26 But ATM I use root subvolume.
(In reply to Lukas Slebodnik from comment #9) > It would be good to find out what is a trigger. Because I do not have any > problem with labeling of sssd.conf or audit.log on btrfs. I use f26 as well. Yes, we need to figure out what is causing this. Lukas, dherault, it appears that you are both using a btrfs subvolume so it would appear that is not the source of the problem. What selinux-policy and kernel RPMs are both of you running on your system? # rpm -qa | grep selinux-policy # uname -r
[root@host ~]# rpm -qa | grep selinux-policy selinux-policy-3.13.1-259.fc26.noarch selinux-policy-devel-3.13.1-259.fc26.noarch selinux-policy-targeted-3.13.1-259.fc26.noarch [root@host ~]# uname -r 4.11.8-300.fc26.x86_64
selinux-policy-targeted-3.13.1-259.fc26.noarch selinux-policy-3.13.1-259.fc26.noarch uname -r 4.11.8-300.fc26.x86_64
Small additional precision. I have not had the issue for a week now since my last restorecon. In may, when i report the bug, it was much more frequent.
(In reply to dherault from comment #16) > Small additional precision. I have not had the issue for a week now since my > last restorecon. In may, when i report the bug, it was much more frequent. Hmm, I wonder if whatever the problem was has now been resolved? I would have preferred to be able to debug this and reach some definitive conclusion, but if this problem has sorted itself out, that's good too. I'm going to mark this as NEEDINFO for you and if you see this problem on your system again, please let us know.
(In reply to dherault from comment #16) > Small additional precision. I have not had the issue for a week now since my > last restorecon. In may, when i report the bug, it was much more frequent. Could you seen AVCs in last two months?
I've just checked. Everything is OK. No more change of selinux context.
(In reply to dherault from comment #19) > I've just checked. Everything is OK. No more change of selinux context. Two months seems to be enough time for proving that it works :-) Therefore closing as works for me. Feel free to reopen if happens again.
Hello, This bug is back for me and on F27. I really think of a btrfs problem because it does not do it on my ext4 systems. Context changes are only made in the event of a bad reboot (reset..) Now there are two files with a context change : restorecon -v -R /var/log/ Relabeled /var/log/journal/8bd6f1cdc7e5407abc6d450072b86c5d/user-1000.journal from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_log_t:s0 restorecon -v /var/log/audit/audit.log Relabeled /var/log/audit/audit.log from system_u:object_r:unlabeled_t:s0 to system_u:object_r:auditd_log_t:s0
Confirmed on F27 with kernel-4.14.16-300.fc27.x86_64 with /, including /var/log/journal, on btrfs. For me only user-1000.journal is hit, not audit.log. Indeed "only" happening after unclean shutdown. But unclean shutdowns were highly frequent until I added work-arounds for bug 1402073 (and 1385432). Note that the bug changes more than just a SELinux label. It looses the entire SELinux context as well as the ACL on the user journal. The ACL grants read access to the relevant user. The SELinux context and ACL are stored in extended attributes: [root@...]# getfattr -dm- user-1000.journal # file: user-1000.journal security.selinux="system_u:object_r:var_log_t:s0" system.posix_acl_access=0sAgAAAAEABgD/////AgAEAOgDAAAEAAQA/////xAABAD/////IAAAAP////8= After unclean btrfs shutdown, both attributes are lost. I use the nice Fedora default of No_COW (+C) for the journal dir and active journals, and COW (+ lzo compression currently) for audit.log and all other system files & dirs: [root@...]# lsattr user-1000.journal /var/log/audit/audit.log ---------------C user-1000.journal ---------------- /var/log/audit/audit.log The COW attribute is of the simple non-extended kind and is not lost at unclean shutdown. My mount options: rw,noatime,seclabel,compress=lzo,space_cache,subvolid=257,subvol=/root The update Feb 01 to setroubleshoot-3.3.15-1.fc27.x86_64 made it so "efficient" at reporting SELinux troubles with user-1000.journal -- including the ones caused by itself in an infinite recursive cascade -- that it spammed the system.journal and audit log hard enough to freeze the user-1000 GNOME desktop, exceed the audit backlog limit and make root login on another VT take several tries and a long time. Thus a lost SELinux context on user journals became completely unacceptable. To prevent such madness from ever occurring again, I made the work-around of creating a new /etc/tmpfiles.d/ file to restore SELinux security context for all 4-digit user journal files at every new boot: z /var/log/journal/%m/user-????.journal - - - - - and, much less importantly, also restore user read-only ACLs for a few known users on the system, e.g.: a+ /var/log/journal/%m/user-1000.journal - - - - user:1000:r-- a+ /var/log/journal/%m/user-1600.journal - - - - user:1600:r-- Since systemd-tmpfiles-setup.service by default runs some time after systemd-journal-flush.service, there'll still be at least 3 AVC denials for getattr by systemd-journald on user-1000.journal, but never _much_ more than that. I think having a few denials left are better than hiding and possibly forgetting the problem completely. The "unclean" shutdowns were still clean enough to leave no other trace than the lost xattrs on user-1000.journal. Maybe the problem is limited to No_COW files, so another work-around might be to make all journal files COW. I haven't tested that because I'd like to avoid the increased fragmentation and slowness of that solution (using spinning disk, not SSD). In summary I agree with dherault that the root cause of this bug is btrfs, not SELinux, so it should probably be reassigned to a btrfs developer. Unclean shutdowns may of course loose last-minute data or inode changes, but they definitely shouldn't loose untouched extended attributes (https://btrfs.wiki.kernel.org/index.php/Data_Structures#btrfs_dir_item).
*** Bug 1490295 has been marked as a duplicate of this bug. ***
*** Bug 1546536 has been marked as a duplicate of this bug. ***
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Bug was valid for Fedora 27 too, see comment 21 and comment 22. But I guess it was completely fixed by the very recent release of kernel-4.16.11-200.fc27 due to commit 492ed01a8c6028f28b331b1cdd47068ec4653a10 ("Btrfs: fix xattr loss after power failure") in the 4.16.11 release 7 days ago. So the right way to close the bus is with fixed status for Fedora 27, not EOL of Fedora 26.