Bug 1769228 - systemd triggers SELinux denials when confined users run systemctl --user status
Summary: systemd triggers SELinux denials when confined users run systemctl --user status
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1767779
Reported: 2019-11-06 08:26 UTC by Milos Malik
Modified: 2019-12-11 02:05 UTC
CC List: 5 users

Fixed In Version: selinux-policy-3.14.4-43.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-11 02:05:49 UTC
Type: Bug
Embargoed:



Description Milos Malik 2019-11-06 08:26:04 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-40.fc31.noarch
selinux-policy-devel-3.14.4-40.fc31.noarch
selinux-policy-targeted-3.14.4-40.fc31.noarch
systemd-243-2.gitfab6f01.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-libs-243-2.gitfab6f01.fc31.x86_64
systemd-pam-243-2.gitfab6f01.fc31.x86_64
systemd-rpm-macros-243-2.gitfab6f01.fc31.noarch
systemd-udev-243-2.gitfab6f01.fc31.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 machine (targeted policy is active)
2. create new users based on confined users (for example: user_u, staff_u)
3. log in as the confined user via ssh
4. run systemctl --user status
5. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(11/06/2019 03:11:49.466:378) : proctitle=(systemd) 
type=SYSCALL msg=audit(11/06/2019 03:11:49.466:378) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_LOAD a1=0x7ffd9d07c470 a2=0x70 a3=0x55e9cdc18ec0 items=0 ppid=1 pid=22822 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/06/2019 03:11:49.466:378) : avc:  denied  { prog_load } for  pid=22822 comm=systemd scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=bpf permissive=0 
----
type=PROCTITLE msg=audit(11/06/2019 03:12:09.995:388) : proctitle=(systemd) 
type=PATH msg=audit(11/06/2019 03:12:09.995:388) : item=0 name=/etc/adjtime inode=143258 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:adjtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/06/2019 03:12:09.995:388) : cwd=/ 
type=SYSCALL msg=audit(11/06/2019 03:12:09.995:388) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f187f83e0dd a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=22822 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/06/2019 03:12:09.995:388) : avc:  denied  { read } for  pid=22822 comm=systemd name=adjtime dev="vda1" ino=143258 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(11/06/2019 03:14:02.774:427) : proctitle=(systemd) 
type=SYSCALL msg=audit(11/06/2019 03:14:02.774:427) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_LOAD a1=0x7ffcf27e59e0 a2=0x70 a3=0x5561f450aa40 items=0 ppid=1 pid=22879 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=7 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(11/06/2019 03:14:02.774:427) : avc:  denied  { prog_load } for  pid=22879 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=0 
----
type=PROCTITLE msg=audit(11/06/2019 03:14:11.271:437) : proctitle=(systemd) 
type=PATH msg=audit(11/06/2019 03:14:11.271:437) : item=0 name=/etc/adjtime inode=143258 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:adjtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/06/2019 03:14:11.271:437) : cwd=/ 
type=SYSCALL msg=audit(11/06/2019 03:14:11.271:437) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fca060e60dd a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=22879 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=7 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(11/06/2019 03:14:11.271:437) : avc:  denied  { read } for  pid=22879 comm=systemd name=adjtime dev="vda1" ino=143258 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:
 * there are no SELinux denials when the same scenario is executed under sysadm_u

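The AVC records above are the raw material for the policy change; the added shell example below (not code from this bug, from selinux-policy or from systemd) turns each record into the TE allow rule a fix would need, in the same form audit2allow prints, and keeps two helpers for re-checking a box after the policy update. It assumes a POSIX sh with sed, cut, tr and sort; the sample records are the four AVC lines quoted in the report; the rule_loaded and recent_systemd_denials helpers assume setools (sesearch) and audit (ausearch) are installed and are not run automatically.

```shell
#!/bin/sh
# Added example for bug 1769228; not code from selinux-policy or systemd.
# Converts raw AVC records into "allow" rules the way audit2allow does,
# then offers two helpers to confirm the installed policy carries them.

# Pull one key=value field (e.g. "tclass") out of an AVC record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# The third colon-separated component of a context is its type:
# "staff_u:staff_r:staff_t:s0-s0:c0.c1023" -> "staff_t".
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Convert one "type=AVC ... avc: denied { perms } ..." record into
# "allow <src> <tgt>:<class> <perms>;".  When source and target types
# are the same (the bpf denials here) the target is written as "self",
# matching audit2allow's convention.
avc_to_allow() {
    line=$1
    perms=$(printf '%s\n' "$line" \
            | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
            | tr -s ' ' | sed 's/^ //; s/ $//')
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    if [ -z "$perms" ] || [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$cls" ]; then
        return 1                      # not an AVC record we understand
    fi
    if [ "$src" = "$tgt" ]; then
        tgt=self
    fi
    case $perms in
        *\ *) perms="{ $perms }" ;;   # several permissions get braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Sample input: the four AVC records quoted in this bug report.
sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(11/06/2019 03:11:49.466:378) : avc:  denied  { prog_load } for  pid=22822 comm=systemd scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=bpf permissive=0
type=AVC msg=audit(11/06/2019 03:12:09.995:388) : avc:  denied  { read } for  pid=22822 comm=systemd name=adjtime dev="vda1" ino=143258 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(11/06/2019 03:14:02.774:427) : avc:  denied  { prog_load } for  pid=22879 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(11/06/2019 03:14:11.271:437) : avc:  denied  { read } for  pid=22879 comm=systemd name=adjtime dev="vda1" ino=143258 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0
EOF
}

# Deduplicated rule set for the whole sample: what a fix has to grant.
rules_from_samples() {
    sample_avcs | while IFS= read -r line; do avc_to_allow "$line"; done | sort -u
}

# After updating selinux-policy, check that a rule is in the loaded
# policy (setools' sesearch; for a "self" rule pass the source type as
# target as well).  Not called automatically.
rule_loaded() {
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" | grep -q '^allow '
}

# Reporter's step 5, narrowed to the systemd user instance.  Not called
# automatically.
recent_systemd_denials() {
    ausearch -m AVC -ts recent -c systemd -i
}

rules_from_samples
```

Run stand-alone it prints the four rules (two bpf "self" rules and two adjtime_t read rules, one pair each for staff_t and user_t); after the policy update, `rule_loaded staff_t adjtime_t file read` and an empty `recent_systemd_denials` after a fresh confined login are the two checks worth scripting.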
Comment 1 Lukas Vrabec 2019-11-06 09:31:01 UTC
commit b1f64ef6da0d4cd5fa6f34358c945bf1e29c0780 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 6 10:20:12 2019 +0100

    Allow users using template userdom_unpriv_user_template() to run bpf
    tool
    
    Resolves: rhbz#1769228

commit e9956387f9a8d905ab8d2408a866119f932dcb52 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 6 10:29:08 2019 +0100

    Allow x_userdomain to read adjtime_t files
    
    Resolves: rhbz#1769228

Comment 2 Zdenek Pytela 2019-11-06 09:38:07 UTC
Note the bpf-class denial is rather related to logging in, cf #1767714

Comment 3 Fedora Update System 2019-11-22 16:17:23 UTC
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 4 Fedora Update System 2019-11-23 02:39:11 UTC
selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 5 Fedora Update System 2019-12-06 18:02:28 UTC
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 6 Fedora Update System 2019-12-07 03:38:20 UTC
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 7 Fedora Update System 2019-12-11 02:05:49 UTC
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

