Bug 1652813 - systemd user service files have wrong context
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-11-23 07:00 UTC by Robin Powell
Modified: 2019-01-17 02:16 UTC

Fixed In Version: selinux-policy-3.14.2-46.fc29
Last Closed: 2019-01-17 02:16:27 UTC
Type: Bug

Description Robin Powell 2018-11-23 07:00:47 UTC
On a Fedora 29 system with unconfined disabled.

Various packages put stuff in /usr/lib/systemd/user/ , like so:

$ ls -lZ /usr/lib/systemd/user/
total 116
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0  131 Sep  7 14:24 at-spi-dbus-bus.service
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0  497 Oct 28 17:29 basic.target
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0  419 Oct 28 17:29 bluetooth.target
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0  138 Jul 12 16:01 colord-session.service
[snip]
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0  285 Nov  6 00:18 syncthing.service

But if I try to use them, I get:

Nov 22 22:56:52 vrici systemd[958]: selinux: avc:  denied  { start } for auid=n/a uid=1000 gid=1000 path="/usr/lib/systemd/user/syncthing.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1
Nov 22 22:56:52 vrici systemd[958]: selinux: avc:  denied  { status } for auid=n/a uid=1000 gid=1000 path="/usr/lib/systemd/user/syncthing.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1
Nov 22 22:57:00 vrici systemd[958]: selinux: avc:  denied  { stop } for auid=n/a uid=1000 gid=1000 path="/usr/lib/systemd/user/syncthing.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1

This is, presumably, because they should be of type systemd_unit_file_t.

Comment 1 Lukas Vrabec 2019-01-08 15:54:36 UTC
commit f66be95c84a3d27e800117966f7147ff93e3acd6
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 7 22:52:17 2019 +0100

    Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
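
A triage sketch for this class of denial, added here as an example (it is not part of the bug report or of selinux-policy): it parses systemd's userspace AVC lines and reports unit files that were denied service operations while carrying a type other than systemd_unit_file_t. The function names, the EXPECTED_TYPES set and the last sample line are assumptions of the example.

```python
import re

# systemd_unit_file_t is the type named on this page; treating it as the only
# acceptable unit-file type is an assumption of this example.
EXPECTED_TYPES = {"systemd_unit_file_t"}
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line):
    """Return the key=value fields and denied perms of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(context):
    """Type is the third field of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def mislabeled_units(lines):
    """Map unit path -> (target type, denied perms) for tclass=service denials
    whose target type is not an expected unit-file type."""
    found = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "service":
            continue
        ttype = context_type(rec.get("tcontext", ""))
        if ttype in EXPECTED_TYPES:
            continue  # label is fine; such a denial is a policy-rule question
        found.setdefault(rec.get("path", "?"), (ttype, set()))[1].update(rec["perms"])
    return {path: (t, sorted(p)) for path, (t, p) in found.items()}

# Same fields as the three denials in the bug description (one timestamp reused),
# plus a constructed last line whose target already has the expected type.
_T = ('Nov 22 22:56:52 vrici systemd[958]: selinux: avc:  denied  {{ {perm} }} for '
      'auid=n/a uid=1000 gid=1000 path="{path}" cmdline="" '
      'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
      'tcontext=system_u:object_r:{ttype}:s0 tclass=service permissive=1')
_UNIT = "/usr/lib/systemd/user/syncthing.service"
SAMPLE = [_T.format(perm=p, path=_UNIT, ttype="lib_t") for p in ("start", "status", "stop")]
SAMPLE.append(_T.format(perm="start", ttype="systemd_unit_file_t",
                        path="/usr/lib/systemd/user/example.service"))  # constructed

if __name__ == "__main__":
    for path, (ttype, perms) in mislabeled_units(SAMPLE).items():
        print(f"{path}: labeled {ttype}, denied {' '.join(perms)}; check file context")
```

For any path it reports, matchpathcon shows the type the loaded policy expects for that file, and restorecon applies it.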

Comment 2 Fedora Update System 2019-01-13 15:44:42 UTC
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 3 Fedora Update System 2019-01-14 03:02:59 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 4 Fedora Update System 2019-01-17 02:16:27 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

