RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1727887 - systemd user instance does not start for SELinux restricted accounts
Summary: systemd user instance does not start for SELinux restricted accounts
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
Target Milestone: rc
: 8.2
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Jan Fiala
: 1754476 (view as bug list)
Depends On:
Blocks: 1727382 1755139 1761915 1778780
TreeView+ depends on / blocked
Reported: 2019-07-08 12:58 UTC by Martin Pitt
Modified: 2021-08-27 22:35 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.14.3-22.el8
Doc Type: Enhancement
Doc Text:
.Confined users in SELinux can now manage user session services Previously, confined users were not able to manage user session services. As a result, they could not execute `systemctl --user` or `busctl --user` commands or work in the RHEL web console. With this update, confined users can manage user sessions.
Clone Of:
Last Closed: 2020-04-28 16:40:41 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-25799 0 None None None 2021-08-27 22:32:15 UTC
Red Hat Product Errata RHBA-2020:1773 0 None None None 2020-04-28 16:41:12 UTC

Description Martin Pitt 2019-07-08 12:58:52 UTC
Description of problem: Logging into Cockpit as a restricted SELinux user (i. e. not unconfined_u) currently does not work (bug 1727382). One part of that is that restricted user sessions can't start a user systemd instance, and hence also miss a user D-Bus, a user runtime directory ($XDG_RUNTIME_DIR), and related services.

Version-Release number of selected component (if applicable):


How reproducible: Always

Steps to Reproduce:
1. Create a new user: useradd unpriv; echo 'unpriv:foobar' | chpasswd
2. Change it away from unconfined_u: semanage login -a -s guest_u unpriv
3. log in as that user with ssh: ssh unpriv@localhost
4. check systemd user instance: /usr/bin/systemctl --user status
5. try to use a session/user D-Bus service: busctl --user

Actual results: 

systemd user instance fails to start up:

pam_unix(systemd-user:session): session opened for user unpriv by (uid=0)
audit: type=1400 audit(1562590486.191:82): avc:  denied  { signal } for  pid=2014 comm="systemd" scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
user: Failed with result 'protocol'.
Failed to start User Manager for UID 1002.

$ /usr/bin/systemctl --user status
-bash: /usr/bin/systemctl: Permission denied

$ busctl --user
Failed to set address: No such file or directory

Expected results: This is where I get a bit fuzzy - are users other than unconfined_u *expected* to only have a minimal bare-bones session? I. e. you would never have these use a desktop or Cockpit session, polkit, etc? I. e. is this by design or a bug?



Comment 3 Lukas Vrabec 2019-09-23 13:01:56 UTC
*** Bug 1754476 has been marked as a duplicate of this bug. ***

Comment 12 Martin Pitt 2019-11-04 07:46:37 UTC
I tested this on a reasonably current RHEL 8.2 nightly instance with selinux-policy-3.14.3-24.el8.noarch, and the test case still fails in exactly the same way. This also still happens on latest Fedora 31.

Comment 13 Martin Pitt 2019-11-04 07:47:25 UTC
When I say "test case"  I meant the reproducer in the bug description.

Comment 14 Martin Pitt 2019-11-04 08:05:57 UTC
I tested this with 'user_u' instead of 'guest_u', and that works. But you said in comment #1 that guest_u should be able to do this as well. If that shouldn't be the case any more, please feel free to reset to verified, of course. Thanks!

Comment 15 Milos Malik 2019-11-04 08:18:51 UTC
The problem with guest_u is that systemctl and busctl do not work in permissive mode:

$ id
uid=1000(guest-user) gid=1000(guest-user) groups=1000(guest-user) context=guest_u:guest_r:guest_t:s0
$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
$ /usr/bin/systemctl --user status
Failed to connect to bus: No such file or directory
$ /usr/bin/busctl --user
Failed to set address: No such file or directory

Some changes need to be done in systemd package.

# rpm -qa selinux\* systemd\* | sort

Comment 16 Martin Pitt 2019-11-04 08:58:46 UTC
Lukas said in bug 1718814 that guest_u is a really restricted role that shouldn't even have network access. So it sounds like the current implementation is fine, and this working with user_u and sysadm_u is sufficient. So I drop the FailedQA again, and I create cockpit test cases for user_u and sysadm_u. Thanks!

Comment 24 errata-xmlrpc 2020-04-28 16:40:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.