Bug 1531864 - F27 with unconfined disabled breaks systemd user commands
Summary: F27 with unconfined disabled breaks systemd user commands
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-06 09:22 UTC by Robin Powell
Modified: 2018-02-09 07:17 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.13.1-283.24.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-06 15:31:50 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Robin Powell 2018-01-06 09:22:35 UTC 
The below is copied from https://serverfault.com/questions/890798/why-is-selinux-blocking-systemctl-user-systemd-user-instance-commands ; I thought it was something weird on a single system, but now it seems to be every F27 system that I reboot after upgrade (I usually don't do that if I can avoid it).


I have a number of Fedora 27 systems.  I am reasonably comfortable with SELinux.  I run it on all my systems, with the "unconfined" module disabled.

On this particular system, SELinux is blocking all "systemctl --user" commands:

    $ systemctl --user status
    Failed to read server status: Access denied

This worked until recently.  I don't know what changed.  I *did* upgrade from Fedora 26 to Fedora 27 recently, but the timing is not the same as this problem, I don't think.

The part that's weirding me out, and making it hard to know what to do next, is that there's nothing about it in auditd, at all.

In syslog I get:

    Dec 25 09:48:07 jukni systemd[669]: selinux: avc:  denied  { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0

Further, this:

    $ systemctl --user restart lojban_mediawiki_web
    Failed to restart lojban_mediawiki_web.service: Access denied
    See user logs and 'systemctl --user status lojban_mediawiki_web.service' for details.

Gives this in syslog:

    Dec 25 09:49:06 jukni systemd[669]: selinux: avc:  denied  { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0

I can't find anything in sesearch about self:system, and all I can
find in https://github.com/TresysTechnology/refpolicy.git  or
https://github.com/TresysTechnology/refpolicy-contrib.git is:

    policy/modules/kernel/kernel.te
    481:    allow can_load_kernmodule self:system module_load;
    
    policy/modules/system/init.te
    225:    allow init_t self:system { status reboot halt reload };

My other similar systems don't have this problem.  A relabel reboot
did not help.  The contexts of the user unit files are:

    $ ls -lZ ~/.config/systemd/user/
    total 8
    drwxr-xr-x. 2 sampre sampre staff_u:object_r:user_home_t:s0  66 Feb  6  2017 default.target.wants
    -rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 417 Jul 14 00:32 jbotcan_database.service
    -rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 419 Jul 14 00:32 jbotcan_site.service

, which I have no idea if that's correct or not.

Changing this user's login to sysadm_u or user_u didn't help either.

I have no idea where to even go from here.  I mean, I could make a
custom module to implement the AVCs that are going to syslog, but
that seems like The Wrong Thing (tm), since clearly the OS didn't
ship without this working.

Added:

    $ cat /etc/selinux/config
    
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

Added #2:

I've now rebooted one of my other Fedora 27 boxes and:

    Jan  5 23:31:38 vrici systemd[5992]: selinux: avc:  denied  { status } for auid=n/a uid=1000 gid=1000 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcla
ss=system permissive=0

which makes it feel a lot more like a bug with systemd or selinux.
Comment 1 Robin Powell 2018-01-06 18:22:12 UTC 
I have confirmed that sudo semanage module -e unconfined makes this problem go away, which makes it feel like a straight up selinux bug to me (but I certainly could be wrong).
Comment 2 Daniel Walsh 2018-01-09 14:36:10 UTC 
This looks like it should be allowed.
Comment 3 Robin Powell 2018-01-09 15:59:59 UTC 
Yay.  Now, can someone explain in small words :) why it's showing up in syslog but not the audit log?  Or is that likely something weird about my config?
Comment 4 Robin Powell 2018-01-10 00:43:39 UTC 
Also, more AVCs (still in syslog) from various systemctl --user operations:

Jan  9 11:32:13 stodi systemd[11774]: selinux: avc:  denied  { status } for auid=n/a uid=1000 gid=1000 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=1
Jan  9 11:33:12 stodi systemd[11774]: selinux: avc:  denied  { start } for auid=n/a uid=1000 gid=1000 path="/usr/lib/systemd/user/dbus.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1
Jan  9 11:33:12 stodi systemd[11774]: selinux: avc:  denied  { status } for auid=n/a uid=1000 gid=1000 path="/usr/lib/systemd/user/dbus.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1
Jan  9 08:17:01 vrici systemd[731]: selinux: avc:  denied  { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan  9 08:56:16 vrici systemd[731]: selinux: avc:  denied  { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/glekitufa.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan  9 09:17:01 vrici systemd[731]: selinux: avc:  denied  { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan  9 09:23:41 vrici systemd[731]: selinux: avc:  denied  { status } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/glekitufa.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan  9 10:17:01 vrici systemd[731]: selinux: avc:  denied  { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan  9 11:17:01 vrici systemd[731]: selinux: avc:  denied  { start } for auid=n/a uid=1072 gid=1072 path="/home/gleki/.config/systemd/user/fenki.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0 tcontext=user_u:object_r:config_home_t:s0 tclass=service permissive=0
Jan  9 11:34:40 vrici systemd[727]: selinux: avc:  denied  { status } for auid=n/a uid=1000 gid=1000 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=1
Jan  9 11:34:48 vrici systemd[727]: selinux: avc:  denied  { stop } for auid=n/a uid=1000 gid=1000 path="/home/rlpowell/.config/systemd/user/mw_pather.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=service permissive=1
Jan  9 11:34:48 vrici systemd[727]: selinux: avc:  denied  { status } for auid=n/a uid=1000 gid=1000 path="/home/rlpowell/.config/systemd/user/mw_pather.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=service permissive=1
Jan  9 11:35:07 vrici systemd[727]: selinux: avc:  denied  { start } for auid=n/a uid=1000 gid=1000 path="/home/rlpowell/.config/systemd/user/mw_pather.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=service permissive=1


(some of those are repeats, sorry)
Comment 5 Robin Powell 2018-01-14 05:50:07 UTC 
Still wondering about the syslog thing.
Comment 6 Lukas Vrabec 2018-01-22 09:01:48 UTC 
Added fixes for this issue. Should be fixed in next selinux-policy package update.
Comment 7 Fedora Update System 2018-01-30 16:41:53 UTC 
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
Comment 8 Fedora Update System 2018-01-31 22:45:17 UTC 
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
Comment 9 Fedora Update System 2018-02-06 15:31:50 UTC 
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Robin Powell 2018-02-09 07:17:19 UTC 
Confirmed!  Thank you!
Note You need to log in before you can comment on or make changes to this bug.