Description of problem:
systemd-logind sometimes wants to inspect the configuration files used by systemd-bootd. In particular it is looking for the files in /boot/efi/loader/entries. These files only exist if you disable grub2 and use systemd-bootd.

SELinux is preventing systemd-logind from 'read' accesses on the directory entries.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-logind should be allowed read access on the entries directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                entries [ dir ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-32.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.3.0-0.rc6.git0.1.fc31.x86_64 #1 SMP Mon Aug 26 13:01:25 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-09-14 11:54:25 CEST
Last Seen                     2019-09-14 11:54:25 CEST
Local ID                      468beb2e-1819-431e-874d-c33fd744b96e

Raw Audit Messages
type=AVC msg=audit(1568454865.144:246): avc: denied { read } for pid=419 comm="systemd-logind" name="entries" dev="vdb1" ino=17 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1

Hash: systemd-logind,systemd_logind_t,dosfs_t,dir,read

Version-Release number of selected component:
selinux-policy-3.14.4-32.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.3.0-0.rc6.git0.1.fc31.x86_64
type:           libreport
Hi Villy,

Do you have any functionality issues related to this SELinux denial? Or did you just see this SELinux denial in the setroubleshoot tool?

Thanks, Nikola.
(In reply to nknazeko from comment #1)
> Hi Villy,
>
> Do you have any functionality issues related to this SELinux denial? Or you
> just saw this SELinux denial setroubleshoot tool ?
>
> Thanks, Nikola.

As I always run SELinux in permissive mode I don't have a functionality issue. I suspect it has something to do with a new feature as described in https://github.com/systemd/systemd/issues/9896. I can't say much more, except I noticed it occurs with the LXDE environment when doing a reboot from the GUI interface.
PR for Fedora: https://github.com/fedora-selinux/selinux-policy/pull/286
commit 626598424d91ec84dba4e27684c57828f704899a (HEAD -> rawhide, origin/rawhide)
Author: Nikola Knazekova <nknazeko>
Date:   Fri Oct 4 17:21:06 2019 +0200

    Allow systemd_logind to read dosfs files & dirs

    Allow systemd-logind - a system service that manages user logins, to
    read files and list dirs on a DOS filesystem

    Fixed Bugzilla:
    https://bugzilla.redhat.com/show_bug.cgi?id=1751766
    https://bugzilla.redhat.com/show_bug.cgi?id=1752826
FEDORA-2019-7ef1fde499 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499
selinux-policy-3.14.4-38.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499
FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6
(In reply to Lukas Vrabec from comment #4)
> commit 626598424d91ec84dba4e27684c57828f704899a (HEAD -> rawhide,
> origin/rawhide)
> Author: Nikola Knazekova <nknazeko>
> Date:   Fri Oct 4 17:21:06 2019 +0200
>
>     Allow systemd_logind to read dosfs files & dirs
>
>     Allow systemd-logind - a system service that manages user logins, to
>     read files and list dirs on a DOS filesystem
>
>     Fixed Bugzilla:
>     https://bugzilla.redhat.com/show_bug.cgi?id=1751766
>     https://bugzilla.redhat.com/show_bug.cgi?id=1752826

As far as I can see, this commit is not (yet as of 27 October) ported to the f31 branch of selinux-policy.
Villy,

You're right. Sorry I forgot to back port it from Rawhide.

commit 4431fb750c8ccc8e2204325588de9d5e02b62a8d (HEAD -> f31, origin/f31)
Author: Nikola Knazekova <nknazeko>
Date:   Fri Oct 4 17:21:06 2019 +0200

    Allow systemd_logind to read dosfs files & dirs

    Allow systemd-logind - a system service that manages user logins, to
    read files and list dirs on a DOS filesystem

    Fixed Bugzilla:
    https://bugzilla.redhat.com/show_bug.cgi?id=1751766
    https://bugzilla.redhat.com/show_bug.cgi?id=1752826
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
I think we need a new build for f31 before closing this report.
Still an issue with
selinux-policy-3.14.4-39.fc31.noarch
systemd-243-4.gitef67743.fc31.x86_64
Fedora 31, XFCE

Please reopen

-----

SELinux is preventing systemd-logind from read access on the directory entries.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-logind should be allowed read access on the entries directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                entries [ dir ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          frida
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-39.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     frida
Platform                      Linux frida 5.3.8-300.fc31.x86_64 #1 SMP Tue Oct 29 14:28:41 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2019-11-01 20:17:31 MSK
Last Seen                     2019-11-02 09:41:18 MSK
Local ID                      e734bfc4-cb08-4ebd-858e-da2c45be65eb

Raw Audit Messages
type=AVC msg=audit(1572676878.418:203): avc: denied { read } for pid=937 comm="systemd-logind" name="entries" dev="sda1" ino=116 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=0

Hash: systemd-logind,systemd_logind_t,dosfs_t,dir,read
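The two raw AVC records quoted in this bug, parsed and triaged, as an added example that is not part of the bug thread and not code from selinux-policy or setroubleshoot. It extracts the source type, target type, object class and permissions that a policy rule is written in terms of, tells apart the original report (permissive=1, access only logged) from the re-report (permissive=0, access actually blocked), and renders the allow rule that the suggested `audit2allow -M` step would derive, so the rule can be compared with what the updated policy package already ships before a local module is installed. The only names used are those present in the records themselves.

```python
"""Parse raw SELinux AVC records like those pasted into this bug report.

Added example, not code from the Bugzilla thread or from selinux-policy: it
extracts the fields setroubleshoot summarises, tells whether the access was
really blocked (permissive=0) or only logged (permissive=1), and renders the
minimal type-enforcement rule that `audit2allow -M` would generate for the
same denials, so the rule can be reviewed against the shipped policy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# The two raw audit messages quoted in this bug: the original report taken
# under permissive mode, and the re-report taken under enforcing mode.
AVC_SAMPLES = [
    'type=AVC msg=audit(1568454865.144:246): avc: denied { read } for pid=419 '
    'comm="systemd-logind" name="entries" dev="vdb1" ino=17 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1572676878.418:203): avc: denied { read } for pid=937 '
    'comm="systemd-logind" name="entries" dev="sda1" ino=116 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=0',
]

# Record header: timestamp, serial, verdict and the permission set in braces.
_HEAD = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+')
# Trailing key=value fields; some values are double-quoted (comm, name).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    verdict: str
    perms: tuple
    fields: dict

    @property
    def source_type(self):
        # A context is user:role:type:level; policy rules are written on the type.
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self):
        return self.fields['tcontext'].split(':')[2]

    @property
    def tclass(self):
        return self.fields['tclass']

    @property
    def blocked(self):
        """True only when the kernel actually refused the access."""
        return self.verdict == 'denied' and self.fields.get('permissive') == '0'


def parse_avc(line):
    """Parse one raw AVC record into an AvcEvent; raise ValueError otherwise."""
    m = _HEAD.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    fields = {}
    for kv in _KV.finditer(line[m.end():]):
        fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError('AVC record lacks %s: %r' % (required, line))
    return AvcEvent(float(m.group('ts')), int(m.group('serial')),
                    m.group('verdict'), tuple(m.group('perms').split()), fields)


def allow_rules(events):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for ev in events:
        if ev.verdict == 'denied':
            merged[(ev.source_type, ev.target_type, ev.tclass)].update(ev.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_text))
    return rules


def triage(lines):
    """Return (events, rules, number of events that were actually blocked)."""
    events = [parse_avc(l) for l in lines]
    return events, allow_rules(events), sum(ev.blocked for ev in events)


if __name__ == '__main__':
    events, rules, blocked = triage(AVC_SAMPLES)
    for ev in events:
        print('%d %s -> %s:%s %s (%s)' % (
            ev.serial, ev.source_type, ev.target_type, ev.tclass,
            ' '.join(ev.perms), 'blocked' if ev.blocked else 'logged only'))
    print('\n'.join(rules), '| blocked events:', blocked)
```

On a live system the input lines come from `ausearch -m AVC --raw`. The rendered rule is the one to look for in the shipped policy: `sesearch -A -s systemd_logind_t -t dosfs_t -c dir -p read` (setools) shows whether the installed selinux-policy package already grants it, in which case the local `audit2allow` module from the catchall advice is no longer needed and can be removed with `semodule -r`.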
FEDORA-2019-aec8f7ab50 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50
selinux-policy-3.14.4-40.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50
selinux-policy-3.14.4-40.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.