Bug 1559281 - systemd services with DynamicUser=yes fail: avc: denied { create } for pid=1465 comm="(imesyncd)" name=".pwd.lock
Summary: systemd services with DynamicUser=yes fail: avc: denied { create } for pid...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 28
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1549580 1572200 1594478 1595370 1599066
Depends On:
Blocks:
 
Reported: 2018-03-22 07:55 UTC by Martin Pitt
Modified: 2018-10-23 23:37 UTC (History)
CC List: 31 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-26 20:58:34 UTC


Internal Links: 1599066

Description Martin Pitt 2018-03-22 07:55:11 UTC
Description of problem: Fedora 28's systemd now ships a bunch of services with DynamicUser=yes (see http://0pointer.net/blog/dynamic-users-with-systemd.html). This is currently broken with SELinux.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.1-14.fc28.noarch
selinux-policy-3.14.1-14.fc28.noarch
systemd-238-4.fc28.x86_64

How reproducible: Always


Steps to Reproduce:
1. systemctl start systemd-timesyncd

Actual results: service fails:

   Loaded: loaded (/usr/lib/systemd/system/systemd-timesyncd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/systemd-timesyncd.service.d
           └─override.conf
   Active: failed (Result: exit-code) since Thu 2018-03-22 03:51:01 EDT; 9s ago
     Docs: man:systemd-timesyncd.service(8)
  Process: 1465 ExecStart=/usr/lib/systemd/systemd-timesyncd (code=exited, status=217/USER)
 Main PID: 1465 (code=exited, status=217/USER)

Journal shows the SELinux violation:

AVC avc:  denied  { create } for  pid=1465 comm="(imesyncd)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


Expected results: Service starts successfully

Comment 1 Martin Pitt 2018-03-22 08:03:42 UTC
*** Bug 1549580 has been marked as a duplicate of this bug. ***

Comment 2 Martin Pitt 2018-03-22 08:07:50 UTC
In case you wonder, the "override.conf" dropin just sets `Restart=no` to get a sensible status output (otherwise it just repeatedly fails and runs into the restart limit).

Comment 3 Lukas Vrabec 2018-03-24 19:22:08 UTC
Michal, 

Any help here?

Comment 4 Michal Sekletar 2018-03-26 14:39:06 UTC
(In reply to Lukas Vrabec from comment #3)
 
> Any help here?

No idea off the top of my head. The DynamicUsers feature could have triggered a lot of SELinux tripwires :)

Relevant excerpt of audit log would be helpful.

Comment 5 Martin Pitt 2018-03-27 08:38:54 UTC
@Michal: I already put the relevant SELinux message into the description. If that's not it, I put the full "journalctl -f" output here that happens during "systemctl start systemd-timesyncd". (However, this is trivial to reproduce and I don't believe it happens just for my VM).

Starting Network Time Synchronization...
AVC avc:  denied  { write } for  pid=1546 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
audit: type=1400 audit(1522139836.528:288): avc:  denied  { write } for  pid=1546 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
systemd-timesyncd.service: Failed to update dynamic user credentials: Permission denied
systemd-timesyncd.service: Failed at step USER spawning /usr/lib/systemd/systemd-timesyncd: Permission denied
systemd-timesyncd.service: Main process exited, code=exited, status=217/USER
systemd-timesyncd.service: Failed with result 'exit-code'.
SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
Failed to start Network Time Synchronization.
audit: type=1300 audit(1522139836.528:288): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
systemd-timesyncd.service: Consumed 0 CPU time
systemd-timesyncd.service: Service has no hold-off time, scheduling restart.
systemd-timesyncd.service: Scheduled restart job, restart counter is at 1.
Stopped Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
Starting Network Time Synchronization...
systemd-timesyncd.service: Failed to update dynamic user credentials: Permission denied
systemd-timesyncd.service: Failed at step USER spawning /usr/lib/systemd/systemd-timesyncd: Permission denied
systemd-timesyncd.service: Main process exited, code=exited, status=217/USER
systemd-timesyncd.service: Failed with result 'exit-code'.
PROCTITLE proctitle="(imesyncd)"
Failed to start Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
audit: type=1327 audit(1522139836.528:288): proctitle="(imesyncd)"
systemd-timesyncd.service: Service has no hold-off time, scheduling restart.
systemd-timesyncd.service: Scheduled restart job, restart counter is at 2.
Stopped Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
audit: type=1130 audit(1522139836.542:289): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
systemd-timesyncd.service: Failed to update dynamic user credentials: Permission denied
systemd-timesyncd.service: Failed at step USER spawning /usr/lib/systemd/systemd-timesyncd: Permission denied
Starting Network Time Synchronization...
systemd-timesyncd.service: Main process exited, code=exited, status=217/USER
systemd-timesyncd.service: Failed with result 'exit-code'.
Failed to start Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
systemd-timesyncd.service: Service has no hold-off time, scheduling restart.
systemd-timesyncd.service: Scheduled restart job, restart counter is at 3.
Stopped Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1130 audit(1522139836.546:290): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Starting Network Time Synchronization...
systemd-timesyncd.service: Failed to update dynamic user credentials: Permission denied
systemd-timesyncd.service: Failed at step USER spawning /usr/lib/systemd/systemd-timesyncd: Permission denied
systemd-timesyncd.service: Main process exited, code=exited, status=217/USER
systemd-timesyncd.service: Failed with result 'exit-code'.
Failed to start Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
systemd-timesyncd.service: Service has no hold-off time, scheduling restart.
systemd-timesyncd.service: Scheduled restart job, restart counter is at 4.
Stopped Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1131 audit(1522139836.546:291): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Starting Network Time Synchronization...
systemd-timesyncd.service: Failed to update dynamic user credentials: Permission denied
systemd-timesyncd.service: Failed at step USER spawning /usr/lib/systemd/systemd-timesyncd: Permission denied
systemd-timesyncd.service: Main process exited, code=exited, status=217/USER
systemd-timesyncd.service: Failed with result 'exit-code'.
Failed to start Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
systemd-timesyncd.service: Service has no hold-off time, scheduling restart.
systemd-timesyncd.service: Scheduled restart job, restart counter is at 5.
Stopped Network Time Synchronization.
systemd-timesyncd.service: Consumed 0 CPU time
systemd-timesyncd.service: Start request repeated too quickly.
systemd-timesyncd.service: Failed with result 'exit-code'.
Failed to start Network Time Synchronization.
AVC avc:  denied  { write } for  pid=1549 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
audit: type=1400 audit(1522139836.554:292): avc:  denied  { write } for  pid=1549 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
audit: type=1300 audit(1522139836.554:292): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
audit: type=1327 audit(1522139836.554:292): proctitle="(imesyncd)"
PROCTITLE proctitle="(imesyncd)"
audit: type=1130 audit(1522139836.558:293): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
AVC avc:  denied  { write } for  pid=1552 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1552 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
PROCTITLE proctitle="(imesyncd)"
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
AVC avc:  denied  { write } for  pid=1555 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
PROCTITLE proctitle="(imesyncd)"
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
AVC avc:  denied  { write } for  pid=1558 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=4220163 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f335837a02c a2=a0141 a3=180 items=0 ppid=1 pid=1558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
PROCTITLE proctitle="(imesyncd)"
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Comment 6 Robert-André Mauchin 2018-05-05 20:37:52 UTC
I hit a similar bug with dnscrypt-proxy 2 (not yet packaged):

# The service file:

[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
NonBlocking=true
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes

# Run dnscrypt-proxy as unprivileged user with
# temporary assigned UID/GID. See man:systemd.exec
# for more info. Requires systemd 232+.
DynamicUser=yes
CacheDirectory=dnscrypt-proxy
LogsDirectory=dnscrypt-proxy
RuntimeDirectory=dnscrypt-proxy

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target


# Initial SELinux errors:

Raw Audit Messages
type=AVC msg=audit(1525551759.43:5971): avc:  denied  { create } for  pid=31320 comm="(pt-proxy)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


Hash: (pt-proxy),init_t,passwd_file_t,file,create


Raw Audit Messages
type=AVC msg=audit(1525551776.108:6001): avc:  denied  { write } for  pid=31381 comm="(pt-proxy)" name=".pwd.lock" dev="sda7" ino=661 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0


Hash: (pt-proxy),init_t,passwd_file_t,file,write


# Rules added for all errors to be cleared:

module my-ptproxy 1.0;

require {
	type var_t;
	type passwd_file_t;
	type init_t;
	type var_log_t;
	class file { create write };
	class dir { create setattr };
	class lnk_file { create getattr read };
}

#============= init_t ==============
allow init_t passwd_file_t:file { create write };
allow init_t var_log_t:dir { create setattr };
allow init_t var_log_t:lnk_file { create getattr read };
allow init_t var_t:dir { create setattr };
allow init_t var_t:lnk_file create;

Comment 7 Scott Shambarger 2018-05-16 22:45:40 UTC
With the chmod 700 /var/lib/private workaround from bug 1559286, I started systemd-timesyncd and received the following denials (needed to include dontaudit denials to get all the needed rules):

----
time->Wed May 16 14:56:16 2018
type=AVC msg=audit(1526507776.511:146): avc:  denied  { write } for  pid=958 comm="(imesyncd)" name=".pwd.lock" dev="dm-0" ino=262465 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed May 16 14:56:16 2018
type=AVC msg=audit(1526507776.516:147): avc:  denied  { create } for  pid=958 comm="(imesyncd)" name="timesync" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed May 16 14:56:16 2018
type=AVC msg=audit(1526507776.516:148): avc:  denied  { setattr } for  pid=958 comm="(imesyncd)" name="timesync" dev="dm-0" ino=654128 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed May 16 15:03:39 2018
type=AVC msg=audit(1526508219.517:151): avc:  denied  { create } for  pid=1036 comm="(imesyncd)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Wed May 16 15:03:39 2018
type=AVC msg=audit(1526508219.520:152): avc:  denied  { setattr } for  pid=1036 comm="(imesyncd)" name="timesync" dev="dm-0" ino=654128 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
time->Wed May 16 15:33:45 2018
type=AVC msg=audit(1526510025.739:170): avc:  denied  { mounton } for  pid=870 comm="(imesyncd)" path="/run/systemd/unit-root/dev" dev="dm-0" ino=130817 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

... which are fixed with the following rules:

#============= init_t ==============
allow init_t passwd_file_t:file { create write };
allow init_t var_lib_t:dir { create setattr };
#!!!! This avc has a dontaudit rule in the current policy
allow init_t unlabeled_t:dir mounton;

Enabling the above in the current policy allowed systemd-timesyncd to start correctly.
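Comments 6 and 7 each turn a set of AVC denials into `allow` rules by hand. The following added example (not from this bug report, systemd or selinux-policy) performs the same fold programmatically over constructed copies of the denials quoted above and renders them in the `module` / `require` / `allow` layout of comment 6; the module name `dynuser_local` is made up.

```python
"""Fold SELinux AVC denials into the allow rules a local policy module would carry,
in the shape audit2allow prints (added example; the sample records are constructed)."""
import re
from collections import defaultdict

# Only type=AVC records match; SYSCALL, PROCTITLE and SERVICE_* lines are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):'  # user:role:TYPE:level
    r'.*?\btcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):'
    r'.*?\btclass=(?P<tclass>\w+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

# Constructed sample: the description's enforcing denial (journal format), comment 7's
# permissive ones (dev/ino fields dropped) and one SYSCALL record that must be ignored.
SAMPLE_AUDIT = """\
AVC avc:  denied  { create } for  pid=1465 comm="(imesyncd)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1526507776.511:146): avc:  denied  { write } for  pid=958 comm="(imesyncd)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1526507776.516:147): avc:  denied  { create } for  pid=958 comm="(imesyncd)" name="timesync" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1526507776.516:148): avc:  denied  { setattr } for  pid=958 comm="(imesyncd)" name="timesync" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1526510025.739:170): avc:  denied  { mounton } for  pid=870 comm="(imesyncd)" path="/run/systemd/unit-root/dev" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1526507776.511:146): arch=c000003e syscall=257 success=no exit=-13 comm="(imesyncd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
"""

def parse_avc(line):
    """Return (stype, ttype, tclass, perms, permissive) or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (m.group('stype'), m.group('ttype'), m.group('tclass'),
            frozenset(m.group('perms').split()), m.group('permissive'))

def fold_denials(lines):
    """Merge denials into {(source, target, class): perms}; count enforced vs. logged-only."""
    perms, enforced, logged = defaultdict(set), 0, 0
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, p, permissive = parsed
        perms[(stype, ttype, tclass)] |= p
        if permissive == '0':      # enforcing: the access was actually blocked (description)
            enforced += 1
        else:                      # permissive=1: only logged, as in comment 7's capture
            logged += 1
    return dict(perms), enforced, logged

def allow_rules(folded):
    """One 'allow' line per (source, target, class); braces only around several perms."""
    rules = []
    for (s, t, c), p in sorted(folded.items()):
        perm = ' '.join(sorted(p))
        rules.append('allow %s %s:%s %s;' % (s, t, c, perm if len(p) == 1 else '{ %s }' % perm))
    return rules

def render_module(name, folded):
    """Minimal .te module (module / require / allow) in the layout of comment 6."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), p in folded.items():
        types |= {s, t}
        classes[c] |= p
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', ''] + allow_rules(folded)
    return '\n'.join(out)
```

As comment 7 notes, the mounton denial is dontaudited in the shipped policy and only appears once dontaudit rules are disabled (`semodule -DB`). Rules such as `allow init_t passwd_file_t:file { create write }` widen PID 1's own domain, so review the generated module rather than loading it blindly.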

Comment 8 Scott Shambarger 2018-05-17 00:16:15 UTC
I also noticed that once timesyncd is running, I get the following output from restorecon -rnv /

Would relabel /var/lib/private/systemd/timesync/clock from system_u:object_r:init_var_lib_t:s0 to system_u:object_r:var_lib_t:s0

Not sure which is correct... but clearly either timesyncd or the policy has the wrong label.

Comment 9 Robert-André Mauchin 2018-05-29 22:49:55 UTC
Any chance this could be fixed soon? I'd like to push an update for dnscrypt-proxy but it is not usable without this bug being fixed.

Comment 10 Lukas Vrabec 2018-05-30 22:38:14 UTC
Yes, I'll create an SELinux boolean for that. Give me a few days.

Thanks,
Lukas.

Comment 11 Bruno Vernay 2018-06-08 13:26:05 UTC
I made a very simple test to see if both bugs are resolved: https://gitlab.com/BrunoVernay/dynustat

Is there a way to help on this one?
Also note that for DynamicUser to work, your boolean should be set by default.

Comment 12 Lukas Vrabec 2018-07-03 08:52:05 UTC
*** Bug 1594478 has been marked as a duplicate of this bug. ***

Comment 13 Lukas Vrabec 2018-07-03 10:55:06 UTC
*** Bug 1595370 has been marked as a duplicate of this bug. ***

Comment 14 Lukas Vrabec 2018-07-04 08:02:03 UTC
*** Bug 1572200 has been marked as a duplicate of this bug. ***

Comment 15 Zbigniew Jędrzejewski-Szmek 2018-07-18 12:34:37 UTC
*** Bug 1599066 has been marked as a duplicate of this bug. ***

Comment 16 Lukas Vrabec 2018-07-23 21:29:32 UTC
Based on this discussion[1], moving this ticket to systemd component.

[1] https://github.com/systemd/systemd/issues/9583

Comment 17 Martin Pitt 2018-08-14 13:26:45 UTC
This also affects resolved now:

audit: type=1400 audit(1534253081.174:78): avc:  denied  { create } for  pid=647 comm="(resolved)" name=".pwd.lock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Comment 18 Martin Pitt 2018-09-26 20:58:34 UTC
We haven't seen this any more in current Fedora 28 and 29 in three weeks, so apparently this got fixed in the SELinux policy (or maybe systemd).

Comment 19 Igor Savluk 2018-10-01 13:02:02 UTC
Fedora 28
systemd 238
selinux-policy 3.14.1-42.fc28

Problem still persists.

Comment 20 Jacob Keller 2018-10-23 23:37:08 UTC
I still see this with selinux-policy-3.14.1-47.fc28.noarch

