SELinux is preventing /usr/lib/systemd/systemd from unlink access on the file krb5_25.rcache2. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed unlink access on the krb5_25.rcache2 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:named_tmp_t:s0 Target Objects krb5_25.rcache2 [ file ] Source systemd Source Path /usr/lib/systemd/systemd Port <Unknown> Host ipahost.testrelm.test Source RPM Packages systemd-244.1-2.fc32.x86_64 Target RPM Packages Policy RPM selinux-policy-3.14.5-21.fc32.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name ipahost.testrelm.test Platform Linux ipahost.testrelm.test 5.5.0-0.rc6.git3.1.fc32.x86_64 #1 SMP Fri Jan 17 18:29:51 UTC 2020 x86_64 x86_64 Alert Count 2 First Seen 2020-02-01 16:14:16 CET Last Seen 2020-02-01 16:54:45 CET Local ID 9d85128a-99b9-44f4-a668-bd01e57867df Raw Audit Messages type=AVC msg=audit(1580572485.872:664): avc: denied { unlink } for pid=1 comm="systemd" name="krb5_25.rcache2" dev="dm-0" ino=26370783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_tmp_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1580572485.872:664): arch=x86_64 syscall=unlinkat success=no exit=EACCES a0=38 a1=7f6808008d33 a2=0 a3=76 items=2 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) type=CWD msg=audit(1580572485.872:664): cwd=/ type=PATH msg=audit(1580572485.872:664): item=0 name=/ inode=26370770 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1580572485.872:664): item=1 name=krb5_25.rcache2 inode=26370783 dev=fd:00 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_tmp_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 Hash: systemd,init_t,named_tmp_t,file,unlink
Reproducible on rawhide with IPA server [root@kvm-02-guest19 ~]# /bin/sh sh-5.0# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful sh-5.0# systemctl restart named-pkcs11 sh-5.0# ausearch -m avc -ts recent -i ---- type=PROCTITLE msg=audit(02/01/2020 16:54:45.872:664) : proctitle=/usr/lib/systemd/systemd --switched-root --system --deserialize 30 type=PATH msg=audit(02/01/2020 16:54:45.872:664) : item=1 name=krb5_25.rcache2 inode=26370783 dev=fd:00 mode=file,600 ouid=named ogid=named rdev=00:00 obj=system_u:object_r:named_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(02/01/2020 16:54:45.872:664) : item=0 name=/ inode=26370770 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/01/2020 16:54:45.872:664) : cwd=/ type=SYSCALL msg=audit(02/01/2020 16:54:45.872:664) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x38 a1=0x7f6808008d33 a2=0x0 a3=0x76 items=2 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(02/01/2020 16:54:45.872:664) : avc: denied { unlink } for pid=1 comm=systemd name=krb5_25.rcache2 dev="dm-0" ino=26370783 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_tmp_t:s0 tclass=file permissive=0 sh-5.0# find / -inum 26370770 /var/tmp/systemd-private-d07feaa640e346fa9b4c3478a08152eb-named-pkcs11.service-OVFDxf/tmp/krb5_25.rcache2 sh-5.0#
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/203
commit dd32a9e30993116d8cb49c176a4a593f76dfa107 (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Zdenek Pytela <zpytela> Date: Mon Feb 10 10:14:38 2020 +0100 Allow systemd_private_tmp(named_tmp_t) Resolves: rhbz#1797224
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
BZ says it is fixed in selinux-policy-3.14.5-28.fc32 bodhi says selinux-policy-3.14.5-32.fc32 is in stable https://bodhi.fedoraproject.org/updates/FEDORA-2020-32711482f7 But this BZ is still in MODIFIED. What is the correct status?
The correct status is CLOSED, thank you for reporting.