1462924 – SELinux is preventing accounts-daemon from 'write' accesses on the directory root.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1462924 - SELinux is preventing accounts-daemon from 'write' accesses on the directory root.

Summary: SELinux is preventing accounts-daemon from 'write' accesses on the directory ...

Keywords:
Status:	CLOSED DUPLICATE of bug 1456760
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.4
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:	abrt_hash:aa8dff3211f69a6999a3bdb1152...
Depends On:	1342732
Blocks:
TreeView+	depends on / blocked

Reported:	2017-06-19 17:14 UTC by nate.dailey
Modified:	2018-05-17 19:10 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1342732
Environment:
Last Closed:	2017-06-20 10:32:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description nate.dailey 2017-06-19 17:14:45 UTC

I see this on RHEL 7.4, as recently as Snap-3:

Jun 15 07:50:25 localhost setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from write access on the directory root. For complete SELinux messages run: sealert -l 2550ea7d-2d41-40f4-ada1-06b19884085b

(Doesn't seem to cause a problem other than this message)


+++ This bug was initially created as a clone of Bug #1342732 +++

Description of problem:
Alert showed up in the graphical SELinux Troubleshooter tool after performing a network install from the current Fedora development 25 (rawhide) tree, fully relabeling the file system and rebooting the system in permissive mode.
SELinux is preventing accounts-daemon from 'write' accesses on the directory root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that accounts-daemon should be allowed write access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                root [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-193.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.0-0.rc1.git3.1.fc25.x86_64 #1
                              SMP Thu Jun 2 15:45:29 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-06-04 11:16:31 CEST
Last Seen                     2016-06-04 11:16:31 CEST
Local ID                      4cf6afbc-28ad-4b76-9218-9aa86e43f217

Raw Audit Messages
type=AVC msg=audit(1465031791.730:94): avc:  denied  { write } for  pid=743 comm="accounts-daemon" name="root" dev="dm-0" ino=655362 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0


Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-193.fc25.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc1.git3.1.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Potential duplicate: bug 1341911

--- Additional comment from Adam Williamson on 2016-06-08 17:14:16 EDT ---

Description of problem:
Appears on boot of current Rawhide Workstation live with enforcing=0 . If you attempt to boot without enforcing=0, the system never reaches the desktop. There are 3 other alerts, not sure which is the critical one.

Version-Release number of selected component:
selinux-policy-3.13.1-194.fc25.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc2.git1.1.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

--- Additional comment from Adam Williamson on 2016-06-08 17:21:10 EDT ---

Proposing as an F25 Alpha blocker: "All release-blocking images must boot in their supported configurations. ...  Release-blocking live images must boot to the expected boot menu, and then to a desktop or to a login prompt where it is clear how to log in to a desktop." - Workstation live does not reach a desktop unless you boot with enforcing=0 . This (and/or the other two related denials I listed in 'See Also') are my best bets as to why.

--- Additional comment from Adam Williamson on 2016-06-08 17:21:57 EDT ---

adding Ray for info, as he's the accountsservice maintainer.

--- Additional comment from Adam Williamson on 2016-06-08 17:48:55 EDT ---

Confirming this also appears to be what prevents a fresh Workstation network install from booting; I see the same denial and can boot with enforcing=0 . (The other two accounts-daemon denials don't happen for this case, though).

--- Additional comment from Ray Strode [halfline] on 2016-06-09 09:05:10 EDT ---

probably dupe of bug 1331926.  i guess i forgot to do a rawhide build.

--- Additional comment from Adam Williamson on 2016-06-11 10:50:00 EDT ---

Sorry, it's still broken the same way in today's Rawhide nightly, with accountsservice-0.6.42-1.fc25.

--- Additional comment from Lukas Vrabec on 2016-06-20 06:53:46 EDT ---

Ray, 
What is state of this issue? Do you need any policy changes?

--- Additional comment from Ray Strode [halfline] on 2016-06-20 10:22:12 EDT ---

no sure. I tried to reproduce everything worked for me.  adamw mentioned to me on the 15th (on irc) that things were working for him again, too, so I'll just close this WORKSFORME

If a problem remanifests we can reopen.

--- Additional comment from Joachim Frieben on 2016-06-22 09:00:26 EDT ---

Description of problem:
Alert appeared in the SELinux Troubleshooter utility after removing directory /root/.cache and rebooting the system.

Version-Release number of selected component:
selinux-policy-3.13.1-197.fc25.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.7.0-0.rc4.git1.2.fc25.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

--- Additional comment from Joachim Frieben on 2016-06-22 09:06:18 EDT ---

(In reply to Joachim Frieben from comment #9)
Installed packages include accountsservice-0.6.42-1.fc25.

--- Additional comment from Joachim Frieben on 2016-06-30 10:12:01 EDT ---

(In reply to Ray Strode [halfline] from comment #8)
As of accountsservice-0.6.42-1.fc25, directory /root/.cache does get created upon reboot every time it has been removed, and this action does trigger an AVC as reported in /var/log/audit/audit.log but currently -not- by the SELinux Troubleshooter utility.
This behaviour contradicts the changelog of package accountsservice which states:

* Tue May 31 2016 Ray Strode <rstrode redhat com> - 0.6.40-4
- Don't create /root/.cache at startup
  Resolves: #1331926

--- Additional comment from Ray Strode [halfline] on 2016-06-30 12:58:56 EDT ---

does your /usr/lib/systemd/system/accounts-daemon.service have:

Environment=GVFS_DISABLE_FUSE=1
Environment=GIO_USE_VFS=local
Environment=GVFS_REMOTE_VOLUME_MONITOR_IGNORE=1

in it?

--- Additional comment from Joachim Frieben on 2016-06-30 13:24:54 EDT ---

Both Fedora 24 and Fedora 25 include identical files /usr/lib/systemd/system/accounts-daemon.service with content:

[Unit]
Description=Accounts Service

# In order to avoid races with identity-providing services like SSSD or
# winbind, we need to ensure that Accounts Service starts after
# nss-user-lookup.target
After=nss-user-lookup.target
Wants=nss-user-lookup.target

[Service]
Type=dbus
BusName=org.freedesktop.Accounts
ExecStart=/usr/libexec/accounts-daemon
StandardOutput=syslog
Environment=GVFS_DISABLE_FUSE=1
Environment=GIO_USE_VFS=local
Environment=GVFS_REMOTE_VOLUME_MONITOR_IGNORE=1

[Install]
# We pull this in by graphical.target instead of waiting for the bus
# activation, to speed things up a little: gdm uses this anyway so it is nice
# if it is already around when gdm wants to use it and doesn't have to wait for
# it.
WantedBy=graphical.target

--- Additional comment from Ray Strode [halfline] on 2016-07-01 07:59:40 EDT ---

can you run strings /proc/$(pidof accounds-daemon)/environ and post the output ?

--- Additional comment from Joachim Frieben on 2016-07-01 17:22:46 EDT ---

(In reply to Ray Strode [halfline] from comment #14)
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
GVFS_DISABLE_FUSE=1
GIO_USE_VFS=local
GVFS_REMOTE_VOLUME_MONITOR_IGNORE=1

--- Additional comment from Petr Schindler on 2016-07-21 05:34:32 EDT ---

Discussed at 2016-07-20 blocker review meeting: [1]. 

We decided to remove blocker nomination from this bug. Original bug seems to be already fixed. There is no need to block on this now. If the problem appears again, please repropose.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-07-20/f25-blocker-review.2016-07-20-16.00.html

--- Additional comment from Joachim Frieben on 2016-07-21 10:29:40 EDT ---

(In reply to Petr Schindler from comment #16)
Comment 11 is still valid even though related AVCs are again reported by the graphical SELinux Troubleshooter utility.

--- Additional comment from Joachim Frieben on 2016-07-21 10:30:20 EDT ---

SELinux is preventing accounts-daemon from write access on the directory /root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that accounts-daemon should be allowed write access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          noname
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-203.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     noname
Platform                      Linux noname 4.7.0-0.rc7.git4.2.fc25.x86_64 #1 SMP
                              Tue Jul 19 15:56:43 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-07-21 13:35:52 CEST
Last Seen                     2016-07-21 13:35:52 CEST
Local ID                      a5502fb0-e5b5-4f36-993c-f0d6a463462d

Raw Audit Messages
type=AVC msg=audit(1469100952.512:91): avc:  denied  { write } for  pid=672 comm="accounts-daemon" name="root" dev="dm-0" ino=262146 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0


Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write

--- Additional comment from Jan Kurik on 2016-07-26 00:42:12 EDT ---

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

--- Additional comment from Kamil Páral on 2016-08-16 02:16:25 EDT ---

Description of problem:
This popped up on me on first boot after a default Workstation Live install (Fedora-Workstation-Live-x86_64-25-20160815.n.2.iso). I just started terminal and ran dnf, nothing else. Not sure whether this occurred before or after.

Version-Release number of selected component:
selinux-policy-3.13.1-207.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc1.git0.1.fc25.x86_64
type:           libreport

--- Additional comment from Kamil Páral on 2016-08-16 02:19:59 EDT ---

Proposing as a Final blocker:
"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "
https://fedoraproject.org/wiki/Fedora_25_Final_Release_Criteria#SELinux_and_crash_notifications

--- Additional comment from Luya Tshimbalanga on 2016-08-18 17:32:18 EDT ---

Description of problem:
Bug occurred on booting a F25 Workstation livemedia

Version-Release number of selected component:
selinux-policy-3.13.1-207.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc1.git0.1.fc25.x86_64
type:           libreport

--- Additional comment from Geoffrey Marr on 2016-08-22 18:18:44 EDT ---

Discussed during the 2016-08-22 blocker review meeting: [1]

The decision to classify this bug as an AcceptedBlocker was made as it is a clear violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-08-22/f25-blocker-review.2016-08-22-16.00.txt

--- Additional comment from Joachim Frieben on 2016-08-24 07:30:18 EDT ---

Description of problem:
Alert appears after booting from Fedora-Workstation-Live-x86_64-25_Alpha-1.1 media.

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

--- Additional comment from Fedora Update System on 2016-08-25 14:20:53 EDT ---

selinux-policy-3.13.1-211.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-cbdde50ec4

--- Additional comment from Christian Stadelmann on 2016-08-28 12:38:49 EDT ---

Description of problem:
I booted a Fedora 25 Workstation iso compose (2016-08-27) in a virtual machine using virt-manager and got this selinux alert after boot.

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

--- Additional comment from Mikhail on 2016-08-30 12:57:44 EDT ---

Description of problem:
Just run Fedora from live USB

Version-Release number of selected component:
selinux-policy-3.13.1-208.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

--- Additional comment from Fedora Update System on 2016-09-13 14:11:41 EDT ---

selinux-policy-3.13.1-211.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from john smith on 2016-09-30 15:00:28 EDT ---

Comment 2 Milos Malik 2017-06-20 06:12:05 UTC

I believe this bug is a duplicate of BZ#1456760.

Comment 3 Lukas Vrabec 2017-06-20 10:32:03 UTC


*** This bug has been marked as a duplicate of bug 1456760 ***

Comment 4 Adam Williamson 2017-06-20 17:35:50 UTC

Please be careful when using the clone feature; you will 'clone' all kinds of stuff that isn't really appropriate, like metadata that is specific to Fedora and CCs of people who are not interested in RHEL bugs.

Note You need to log in before you can comment on or make changes to this bug.

2284577490
dominick.grift
dwalsh
fedora
gmarr
jfrieben
kenyon
luya
lvrabec
mclasen
mgrepl
mikhail.v.gavrilov
mmalik
plautrba
pschindl
pvrabec
reklov
rstrode
ssekidde
stefw