The below is copied from https://serverfault.com/questions/890798/why-is-selinux-blocking-systemctl-user-systemd-user-instance-commands ; I thought it was something weird on a single system, but now it seems to be every F27 system that I reboot after upgrade (I usually don't do that if I can avoid it).

I have a number of Fedora 27 systems. I am reasonably comfortable with SELinux. I run it on all my systems, with the "unconfined" module disabled.

On this particular system, SELinux is blocking all "systemctl --user" commands:

$ systemctl --user status
Failed to read server status: Access denied

This worked until recently. I don't know what changed. I *did* upgrade from Fedora 26 to Fedora 27 recently, but the timing is not the same as this problem, I don't think.

The part that's weirding me out, and making it hard to know what to do next, is that there's nothing about it in auditd, at all. In syslog I get:

Dec 25 09:48:07 jukni systemd[669]: selinux: avc: denied { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0

Further, this:

$ systemctl --user restart lojban_mediawiki_web
Failed to restart lojban_mediawiki_web.service: Access denied
See user logs and 'systemctl --user status lojban_mediawiki_web.service' for details.

gives this in syslog:

Dec 25 09:49:06 jukni systemd[669]: selinux: avc: denied { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0

I can't find anything in sesearch about self:system, and all I can find in https://github.com/TresysTechnology/refpolicy.git or https://github.com/TresysTechnology/refpolicy-contrib.git is:

policy/modules/kernel/kernel.te 481: allow can_load_kernmodule self:system module_load;
policy/modules/system/init.te 225: allow init_t self:system { status reboot halt reload };

My other similar systems don't have this problem. A relabel reboot did not help.

The contexts of the user unit files are:

$ ls -lZ ~/.config/systemd/user/
total 8
drwxr-xr-x. 2 sampre sampre staff_u:object_r:user_home_t:s0  66 Feb  6  2017 default.target.wants
-rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 417 Jul 14 00:32 jbotcan_database.service
-rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 419 Jul 14 00:32 jbotcan_site.service

I have no idea if that's correct or not. Changing this user's login to sysadm_u or user_u didn't help either.

I have no idea where to even go from here. I mean, I could make a custom module to implement the AVCs that are going to syslog, but that seems like The Wrong Thing (tm), since clearly the OS didn't ship without this working.

Added:

$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Added #2: I've now rebooted one of my other Fedora 27 boxes and:

Jan 5 23:31:38 vrici systemd[5992]: selinux: avc: denied { status } for auid=n/a uid=1000 gid=1000 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0

which makes it feel a lot more like a bug with systemd or selinux.
I have confirmed that sudo semanage module -e unconfined makes this problem go away, which makes it feel like a straight up selinux bug to me (but I certainly could be wrong).
This looks like it should be allowed.
Yay. Now, can someone explain in small words :) why it's showing up in syslog but not the audit log? Or is that likely something weird about my config?
Also, more AVCs (still in syslog) from various systemctl --user operations:

Jan 9 11:32:13 stodi systemd[11774]: selinux: avc: denied { status } for auid=n/a uid=1000 gid=1000 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=1
Jan 9 11:33:12 stodi systemd[11774]: selinux: avc: denied { start } for auid=n/a uid=1000 gid=1000 path="/usr/lib/systemd/user/dbus.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1
Jan 9 11:33:12 stodi systemd[11774]: selinux: avc: denied { status } for auid=n/a uid=1000 gid=1000 path="/usr/lib/systemd/user/dbus.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1
Jan 9 08:17:01 vrici systemd[731]: selinux: avc: denied { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan 9 08:56:16 vrici systemd[731]: selinux: avc: denied { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/glekitufa.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan 9 09:17:01 vrici systemd[731]: selinux: avc: denied { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan 9 09:23:41 vrici systemd[731]: selinux: avc: denied { status } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/glekitufa.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan 9 10:17:01 vrici systemd[731]: selinux: avc: denied { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan 9 11:17:01 vrici systemd[731]: selinux: avc: denied { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan 9 11:34:40 vrici systemd[727]: selinux: avc: denied { status } for auid=n/a uid=1000 gid=1000 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=1
Jan 9 11:34:48 vrici systemd[727]: selinux: avc: denied { stop } for auid=n/a uid=1000 gid=1000 path="/home/rlpowell/.config/systemd/user/mw_pather.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=service permissive=1
Jan 9 11:34:48 vrici systemd[727]: selinux: avc: denied { status } for auid=n/a uid=1000 gid=1000 path="/home/rlpowell/.config/systemd/user/mw_pather.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=service permissive=1
Jan 9 11:35:07 vrici systemd[727]: selinux: avc: denied { start } for auid=n/a uid=1000 gid=1000 path="/home/rlpowell/.config/systemd/user/mw_pather.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=service permissive=1

(some of those are repeats, sorry)
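As an added example (not part of this bug report, nor code from systemd or selinux-policy), a small parser for the userspace AVC lines systemd's user instance writes to syslog, in the format quoted throughout this report: it deduplicates the denials and renders each as the allow rule an audit2allow-style tool would propose, with a flag for whether any occurrence was actually enforced, so each can be checked against sesearch before deciding whether a policy fix or a local module is warranted. SAMPLE_LOG is constructed from the report's format, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the format systemd's user instance writes to syslog
# (fields as in the lines quoted in this report; not real log data).
SAMPLE_LOG = """\
Jan  9 11:34:40 vrici systemd[727]: selinux: avc: denied { status } for auid=n/a uid=1000 gid=1000 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=1
Jan  9 11:34:48 vrici systemd[727]: selinux: avc: denied { stop } for auid=n/a uid=1000 gid=1000 path="/home/rlpowell/.config/systemd/user/mw_pather.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=service permissive=1
Jan  9 11:35:07 vrici systemd[727]: selinux: avc: denied { start } for auid=n/a uid=1000 gid=1000 path="/home/rlpowell/.config/systemd/user/mw_pather.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=service permissive=1
Jan  9 09:17:01 vrici systemd[731]: selinux: avc: denied { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
"""

AVC_RE = re.compile(
    r"selinux: avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])"
)
PATH_RE = re.compile(r'path="(?P<path>[^"]*)"')  # only on unit-file (service) checks

def parse_avc(line):
    """Return the security-relevant fields of one denial line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],   # source domain type
        "ttype": m.group("tcontext").split(":")[2],   # target type
        "is_self": m.group("scontext") == m.group("tcontext"),
        "tclass": m.group("tclass"),
        "enforced": m.group("permissive") == "0",
        "path": pm.group("path") if (pm := PATH_RE.search(line)) else None,
    }

def summarize(log_text):
    """Collapse repeated denials into (allow rule, count, enforced?) rows, in the
    form audit2allow would propose, so each can be checked against sesearch."""
    counts, enforced = Counter(), {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        target = "self" if d["is_self"] else d["ttype"]
        for perm in d["perms"]:  # one rule per permission inside the braces
            key = (d["stype"], target, d["tclass"], perm)
            counts[key] += 1
            enforced[key] = enforced.get(key, False) or d["enforced"]
    return [(f"allow {s} {t}:{c} {p};", n, enforced[(s, t, c, p)])
            for (s, t, c, p), n in sorted(counts.items())]
```

On the sample, the same `start` rule appears twice (once permissive, once enforced), so it is reported once with count 2 and marked enforced.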
Still wondering about the syslog thing.
Added fixes for this issue. Should be fixed in next selinux-policy package update.
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Confirmed! Thank you!