Description of problem:
Confined users cannot query systemd journal when logged on console

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-11.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. A confined user user_u, staff_u, or sysadm_t logs in on a console
2. run journalctl

Actual results:
$ journalctl -l --user
<no output in enforcing mode>

AVC's audited in permissive:
----
type=PROCTITLE msg=audit(11/01/19 09:11:06.778:2636) : proctitle=journalctl -l --user
type=PATH msg=audit(11/01/19 09:11:06.778:2636) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=273424 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/01/19 09:11:06.778:2636) : item=0 name=/usr/bin/journalctl inode=275732 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:journalctl_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/01/19 09:11:06.778:2636) : cwd=/home/sysadm
type=EXECVE msg=audit(11/01/19 09:11:06.778:2636) : argc=3 a0=journalctl a1=-l a2=--user
type=SYSCALL msg=audit(11/01/19 09:11:06.778:2636) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55e0e5d55070 a1=0x55e0e5d515f0 a2=0x55e0e5d59850 a3=0x8 items=2 ppid=35872 pid=35913 auid=sysadm uid=sysadm gid=sysadm euid=sysadm suid=sysadm fsuid=sysadm egid=sysadm sgid=sysadm fsgid=sysadm tty=tty5 ses=210 comm=journalctl exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/01/19 09:11:06.778:2636) : avc: denied { read write } for pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(11/01/19 09:11:06.812:2637) : proctitle=journalctl -l --user
type=SYSCALL msg=audit(11/01/19 09:11:06.812:2637) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x1 a1=TCGETS a2=0x7fffe232dc30 a3=0x0 items=0 ppid=35872 pid=35913 auid=sysadm uid=sysadm gid=sysadm euid=sysadm suid=sysadm fsuid=sysadm egid=sysadm sgid=sysadm fsgid=sysadm tty=tty5 ses=210 comm=journalctl exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/01/19 09:11:06.812:2637) : avc: denied { ioctl } for pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 ioctlcmd=TCGETS scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
Fri Nov 1 09:11:16 CET 2019

Expected results:
list of journal entries

Additional info:
These permissions are allowed:
allow journalctl_t user_devpts_t:chr_file { append getattr ioctl lock read write };
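The two AVC records in the report, worked through the way audit2allow would do it. This is an added example, not part of the bug report or of selinux-policy: it embeds the two denial lines quoted above as its sample input, reduces each to (source type, target type, object class, permissions), merges them into the single allow rule a local workaround module would need, and then checks that rule set against the user_devpts_t rule the reporter cites to show why that existing rule does not help: a VT console like /dev/tty5 is labelled user_tty_device_t, not user_devpts_t, so the pty rule never matches. The function names (parse_avc_denials, uncovered_denials, and so on) and the regexes are this script's own; the raw allow rule it prints is the quick local-policy workaround, whereas the upstream fix in this bug uses the userdom_use_inherited_user_tty() interface.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records from this report, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(11/01/19 09:11:06.778:2636) : avc: denied { read write } for pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(11/01/19 09:11:06.812:2637) : avc: denied { ioctl } for pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 ioctlcmd=TCGETS scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
"""

# The rule the reporter says is already in the policy (pty devices only).
EXISTING_POLICY = (
    "allow journalctl_t user_devpts_t:chr_file "
    "{ append getattr ioctl lock read write };"
)

# Matches the parts of an AVC denial that matter for writing an allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Matches a TE allow rule with a braced permission set.
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]*?)\s*\};")


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial line found in `text`."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": "permissive=1" in line,
        })
    return denials


def aggregate_rules(denials):
    """Merge denials into {(stype, ttype, tclass): sorted perms}."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in merged.items()}


def render_allow_rules(rules):
    """Render merged rules as TE allow statements (what audit2allow prints)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
        for (s, t, c), perms in sorted(rules.items())
    ]


def parse_allow_rules(policy_text):
    """Parse allow rules from policy text into {(stype, ttype, tclass): set(perms)}."""
    rules = {}
    for m in ALLOW_RE.finditer(policy_text):
        key = (m.group(1), m.group(2), m.group(3))
        rules.setdefault(key, set()).update(m.group(4).split())
    return rules


def uncovered_denials(denials, allowed):
    """List (stype, ttype, tclass, missing perms) for denials not granted by `allowed`."""
    missing = []
    for d in denials:
        granted = allowed.get((d["stype"], d["ttype"], d["tclass"]), set())
        lacking = sorted(set(d["perms"]) - granted)
        if lacking:
            missing.append((d["stype"], d["ttype"], d["tclass"], lacking))
    return missing


if __name__ == "__main__":
    denials = parse_avc_denials(SAMPLE_AVCS)
    for rule in render_allow_rules(aggregate_rules(denials)):
        print(rule)
    for stype, ttype, tclass, lacking in uncovered_denials(denials, parse_allow_rules(EXISTING_POLICY)):
        print(f"not covered: {stype} -> {ttype}:{tclass} lacks {lacking}")
```

On a real system the equivalent is `ausearch -m AVC -ts recent | audit2allow -M local_journalctl` followed by `semodule -i local_journalctl.pp`; the point of the coverage check is that the existing user_devpts_t rule is not a near miss but a different target type altogether, which is why a console login (tty) fails while a terminal emulator or ssh session (pty) works.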
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/330
commit 16a9b53217387a5efc16b45cb25a610f4f72d957 (HEAD -> f32, origin/f32)
Author: Patrik Koncity <pkoncity>
Date:   Wed Sep 2 13:33:45 2020 +0200

    Allow journalctl to read and write to inherited user domain tty

    Add macro userdom_use_inherited_user_tty() to journalctl policy, which allows it to read and write to an inherited user domain tty.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1767721
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.