Description of problem:
dnf upgrade

SELinux is preventing (fwupd) from 'mounton' accesses on the directory /run/systemd/unit-root/run/motd.d.

*****  Plugin restorecon (99.5 confidence) suggests  ************************

If you want to fix the label.
/run/systemd/unit-root/run/motd.d default label should be init_var_run_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /run/systemd/unit-root/run/motd.d

*****  Plugin catchall (1.49 confidence) suggests  **************************

If you believe that (fwupd) should be allowed mounton access on the motd.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(fwupd)' --raw | audit2allow -M my-fwupd
# semodule -X 300 -i my-fwupd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pam_var_run_t:s0
Target Objects                /run/systemd/unit-root/run/motd.d [ dir ]
Source                        (fwupd)
Source Path                   (fwupd)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-45.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.4.15-200.fc31.x86_64 #1 SMP Tue Jan 28 09:08:32 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-02-02 17:18:25 CET
Last Seen                     2020-02-02 17:18:25 CET
Local ID                      9f7e2402-6ce3-4396-9d72-3c4db8d95d1d

Raw Audit Messages
type=AVC msg=audit(1580660305.557:300): avc: denied { mounton } for pid=8712 comm="(fwupd)" path="/run/systemd/unit-root/run/motd.d" dev="tmpfs" ino=13035 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir permissive=0

Hash: (fwupd),init_t,pam_var_run_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.14.4-45.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.4.15-200.fc31.x86_64
type:           libreport
More detailed logs, from systemd-analyze log-level debug:

Successfully mounted /run/systemd/inaccessible/dir to /run/systemd/unit-root/home
Applying namespace mount on /run/systemd/unit-root/proc
Applying namespace mount on /run/systemd/unit-root/root
Successfully mounted /run/systemd/inaccessible/dir to /run/systemd/unit-root/root
Applying namespace mount on /run/systemd/unit-root/run/motd.d
Followed source symlinks /run/motd.d → /run/motd.d.
Failed to mount /run/motd.d to /run/systemd/unit-root/run/motd.d: Permission denied
fwupd.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/motd.d: Permission denied
fwupd.service: Failed at step NAMESPACE spawning /usr/libexec/fwupd/fwupd: Permission denied

I believe that this is because /run/motd.d is marked as pam_var_run_t, which systemd does not have mounton access to. Because of how systemd sandboxing works, it needs to mount /run/motd.d into the sandbox of fwupd (/run/systemd/unit-root/).

https://github.com/fwupd/fwupd/commit/d81ea2e3fc0de9cf73a63fcd9f7360e54e03ed31
commit introducing new required access permissions for fwupd
The daemon writes into a folder in the per-service systemd runtime directory, but I don't know why that's being labelled pam_var_run_t. Because selinux fails the call to set up the mount namespacing, fwupd.service fails to start and there's a 30s timeout for all clients, which includes gnome-software which is started by default on all workstation installs.
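For triaging denials like the one in this report, the raw AVC record can be parsed and grouped the same way setroubleshoot does. The following Python is an added example, not code from this bug report, fwupd or selinux-policy; it reads the AVC line quoted above plus two constructed records, rebuilds the "Hash" key (comm, source type, target type, class, permissions) and counts alerts per key, noting whether each denial was actually enforced.

```python
import re
from collections import Counter

# First record is the raw AVC line quoted in the bug report; the next two are
# constructed (a repeat of the same denial and an unrelated permissive-mode one).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1580660305.557:300): avc: denied { mounton } for pid=8712 comm="(fwupd)" path="/run/systemd/unit-root/run/motd.d" dev="tmpfs" ino=13035 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1580660401.120:318): avc:  denied  { mounton } for  pid=8930 comm="(fwupd)" path="/run/systemd/unit-root/run/motd.d" dev="tmpfs" ino=13035 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1580660402.500:319): avc:  denied  { read open } for  pid=9001 comm="example_d" name="motd" dev="tmpfs" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
"""

# audit.log uses double spaces around "denied"; the report's copy has single ones, so use \s+.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group("fields")):
        key, quoted, bare = f.groups()
        fields[key] = quoted if quoted is not None else bare
    # A context is user:role:type:level, so the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return {"result": m.group("result"), "perms": tuple(sorted(m.group("perms").split())),
            "comm": fields.get("comm", "?"), "stype": stype, "ttype": ttype,
            "tclass": fields["tclass"], "path": fields.get("path") or fields.get("name"),
            "permissive": fields.get("permissive") == "1"}  # permissive=1: logged, not blocked


def avc_hash(rec):
    """Build the comm,stype,ttype,tclass,perms key that setroubleshoot prints as 'Hash'."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"])])


def summarize(log_text):
    """Count denials per hash key, like setroubleshoot's 'Alert Count', over a block of audit lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[avc_hash(rec)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT).most_common():
        print(f"{n:3d}  {key}")
```

On a real system the same functions can be fed the output of `ausearch -m avc --raw`; a key whose records all carry permissive=0, as here, is one that actually stopped the service.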
Hi Richard,

This permission set is granted in the current version of policy:

$ rpm -q selinux-policy --changelog|more
* Fri Feb 07 2020 Zdenek Pytela <zpytela> - 3.14.4-47
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
- Create files_create_non_security_dirs() interface

Please update the selinux-policy package. Closing, feel free to reopen the bugzilla if the issue persists.