Description of problem: Version-Release number of selected component (if applicable): selinux-policy-3.14.4-40.fc31.noarch selinux-policy-devel-3.14.4-40.fc31.noarch selinux-policy-targeted-3.14.4-40.fc31.noarch systemd-243-2.gitfab6f01.fc31.x86_64 systemd-bootchart-233-5.fc31.x86_64 systemd-libs-243-2.gitfab6f01.fc31.x86_64 systemd-pam-243-2.gitfab6f01.fc31.x86_64 systemd-rpm-macros-243-2.gitfab6f01.fc31.noarch systemd-udev-243-2.gitfab6f01.fc31.x86_64 How reproducible: * always Steps to Reproduce: 1. get a Fedora 31 machine (targeted policy is active) 2. create new users based on confined users (for exmaple: user_u, staff_u) 3. log in as the confined user via ssh 4. run systemctl --user status 5. search for SELinux denials Actual results: ---- type=PROCTITLE msg=audit(11/06/2019 03:11:49.466:378) : proctitle=(systemd) type=SYSCALL msg=audit(11/06/2019 03:11:49.466:378) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_LOAD a1=0x7ffd9d07c470 a2=0x70 a3=0x55e9cdc18ec0 items=0 ppid=1 pid=22822 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/06/2019 03:11:49.466:378) : avc: denied { prog_load } for pid=22822 comm=systemd scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=bpf permissive=0 ---- type=PROCTITLE msg=audit(11/06/2019 03:12:09.995:388) : proctitle=(systemd) type=PATH msg=audit(11/06/2019 03:12:09.995:388) : item=0 name=/etc/adjtime inode=143258 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:adjtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/06/2019 03:12:09.995:388) : cwd=/ type=SYSCALL msg=audit(11/06/2019 03:12:09.995:388) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f187f83e0dd a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=22822 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(11/06/2019 03:12:09.995:388) : avc: denied { read } for pid=22822 comm=systemd name=adjtime dev="vda1" ino=143258 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(11/06/2019 03:14:02.774:427) : proctitle=(systemd) type=SYSCALL msg=audit(11/06/2019 03:14:02.774:427) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_LOAD a1=0x7ffcf27e59e0 a2=0x70 a3=0x5561f450aa40 items=0 ppid=1 pid=22879 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=7 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) type=AVC msg=audit(11/06/2019 03:14:02.774:427) : avc: denied { prog_load } for pid=22879 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=0 ---- type=PROCTITLE msg=audit(11/06/2019 03:14:11.271:437) : proctitle=(systemd) type=PATH msg=audit(11/06/2019 03:14:11.271:437) : item=0 name=/etc/adjtime inode=143258 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:adjtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/06/2019 03:14:11.271:437) : cwd=/ type=SYSCALL msg=audit(11/06/2019 03:14:11.271:437) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fca060e60dd a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=22879 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=7 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) type=AVC msg=audit(11/06/2019 03:14:11.271:437) : avc: denied { read } for pid=22879 comm=systemd name=adjtime dev="vda1" ino=143258 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0 ---- Expected results: * no SELinux denials Additional info: * there are no SELinux denials when the same scenario is executed under sysadm_u
commit b1f64ef6da0d4cd5fa6f34358c945bf1e29c0780 (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Wed Nov 6 10:20:12 2019 +0100 Allow users using template userdom_unpriv_user_template() to run bpf tool Resolves: rhbz#1769228 commit e9956387f9a8d905ab8d2408a866119f932dcb52 (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Wed Nov 6 10:29:08 2019 +0100 Allow x_userdomain to read adjtime_t files Resolves: rhbz#1769228
Note the bpf-class denial is rather related to logging in, cf #1767714
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.