Bug 1800927 - SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses on the lnk_file /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@0.service.
Summary: SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:481ca6e5756fbb5dfdd2515a735...
: 1801121 1802677 1809993 (view as bug list)
Depends On: 1812955
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-09 08:56 UTC by Mikhail
Modified: 2020-03-30 11:14 UTC (History)
11 users (show)

Fixed In Version: selinux-policy-3.14.5-32.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-30 00:17:04 UTC
Type: ---


Attachments (Terms of Use)

Description Mikhail 2020-02-09 08:56:31 UTC
Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses on the lnk_file /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@0.service.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@0.service default label should be session_dbusd_tmp_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@0.service

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that systemd-journald should be allowed read access on the invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@0.service lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
# semodule -X 300 -i my-systemdjournal.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /run/user/1000/systemd/units/invocation:dbus-:1.2-
                              org.fedoraproject.Setroubleshootd@0.service [
                              lnk_file ]
Source                        systemd-journal
Source Path                   /usr/lib/systemd/systemd-journald
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-245~rc1-1.fc32.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.5-24.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.6.0-0.rc0.git5.1.fc32.x86_64 #1
                              SMP Fri Feb 7 17:00:23 UTC 2020 x86_64 x86_64
Alert Count                   14
First Seen                    2020-02-09 13:53:32 +05
Last Seen                     2020-02-09 13:55:48 +05
Local ID                      b02c481f-5356-4776-9edc-ff28cabd75f5

Raw Audit Messages
type=AVC msg=audit(1581238548.450:480): avc:  denied  { read } for  pid=771 comm="systemd-journal" name="invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@0.service" dev="tmpfs" ino=81353 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1


type=SYSCALL msg=audit(1581238548.450:480): arch=x86_64 syscall=readlinkat success=yes exit=EPIPE a0=ffffff9c a1=564120fb8ea0 a2=564120fb4e70 a3=1000 items=1 ppid=1 pid=771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)

type=CWD msg=audit(1581238548.450:480): cwd=/

type=PATH msg=audit(1581238548.450:480): item=0 name=/run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@0.service inode=81353 dev=00:2a mode=0120777 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: systemd-journal,syslogd_t,user_tmp_t,lnk_file,read

Version-Release number of selected component:
selinux-policy-3.14.5-24.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.6.0-0.rc0.git5.1.fc32.x86_64
type:           libreport

Comment 1 Ben Cotton 2020-02-11 16:35:35 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 2 Zdenek Pytela 2020-02-13 14:49:41 UTC
*** Bug 1801121 has been marked as a duplicate of this bug. ***

Comment 3 Zdenek Pytela 2020-02-13 17:29:33 UTC
*** Bug 1802677 has been marked as a duplicate of this bug. ***

Comment 4 Kamil Páral 2020-03-05 14:32:08 UTC
Similar problem has been detected:

I just upgraded to Fedora 32 and I'm spammed with these SELinux alerts right after boot.

hashmarkername: setroubleshoot
kernel:         5.6.0-0.rc3.git0.1.fc32.x86_64
package:        selinux-policy-3.14.5-28.fc32.noarch
reason:         SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses on the lnk_file /run/user/1000/systemd/units/invocation:gnome-shell-x11.service.
type:           libreport

Comment 5 Kamil Páral 2020-03-09 15:57:42 UTC
I had about 300 occurrences of this alert in the last few days. This is by far the most frequent source of "New SELinux security alert" popups.

Comment 6 Kamil Páral 2020-03-17 13:42:02 UTC
Can we please do something about this? It's extremely frequent.

Comment 7 Zdenek Pytela 2020-03-17 14:46:26 UTC
*** Bug 1809993 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2020-03-17 17:15:03 UTC
Kamil,

I understand it needs to be addressed soon.

Comment 9 Lukas Vrabec 2020-03-23 13:58:45 UTC
commit 64e6995beda26de512045d73159054e274427a1a (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Mar 23 14:56:22 2020 +0100

    Allow systemd-journald to read user_tmp_t symlinks
    
    Resolves: rhbz#1800927

Comment 10 Adam Williamson 2020-03-24 19:42:46 UTC
Similar problem has been detected:

Not sure what specifically triggered this. Just found it when checking AVCs in my current boot. I've just booted to Workstation and done usual desktop-y stuff.

hashmarkername: setroubleshoot
kernel:         5.6.0-0.rc5.git0.2.fc32.x86_64
package:        selinux-policy-3.14.5-31.fc32.noarch
reason:         SELinux is preventing systemd-journal from 'read' accesses on the lnk_file /run/user/1001/systemd/units/invocation:gnome-shell-wayland.service.
type:           libreport

Comment 11 Tomas Toth 2020-03-24 20:38:55 UTC
Similar problem has been detected:

This SELinux Alert started to show after I upgraded my F31 KDE to F32.

hashmarkername: setroubleshoot
kernel:         5.6.0-0.rc7.git0.2.fc32.x86_64
package:        selinux-policy-3.14.5-31.fc32.noarch
reason:         SELinux is preventing /usr/lib/systemd/systemd-journald from 'read' accesses on the lnk_file /run/user/1000/systemd/units/invocation:dbus-:1.2-org.fedoraproject.Setroubleshootd@3.service.
type:           libreport

Comment 12 Fedora Update System 2020-03-27 15:58:25 UTC
FEDORA-2020-32711482f7 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-32711482f7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-32711482f7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2020-03-30 00:17:04 UTC
FEDORA-2020-32711482f7 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 Kamil Páral 2020-03-30 10:48:46 UTC
I can confirm the update fixes this problem.

Comment 15 Lukas Vrabec 2020-03-30 11:14:11 UTC
Thanks Kamil for testing.


Note You need to log in before you can comment on or make changes to this bug.