Bug 1809878 - 'homectl create/activate/remove' fails with many AVC denials
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1812955
Blocks:
Reported: 2020-03-04 05:06 UTC by Chris Murphy
Modified: 2024-09-24 13:27 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-09-24 13:27:25 UTC
Type: Bug
Embargoed:


Attachments
sudo strace homectl create hack (54.17 KB, text/plain)
2020-03-04 05:09 UTC, Chris Murphy
local_homed.fc (792 bytes, text/plain)
2021-10-10 20:23 UTC, Markus Linnala
local_homed.if (885 bytes, text/x-matlab)
2021-10-10 20:23 UTC, Markus Linnala
local_homed.te (47.98 KB, text/plain)
2021-10-10 20:24 UTC, Markus Linnala

Description Chris Murphy 2020-03-04 05:06:19 UTC
Description of problem:

Can't create a new sd-homed user account, unless enforcing=0.


Version-Release number of selected component (if applicable):
systemd-245~rc2-1.fc33.x86_64
selinux-policy-3.14.5-28.fc32.noarch



How reproducible:
Always


Steps to Reproduce:
0. enforcing enable
1. sudo homectl create hack
2.
3.

Actual results:

systemd-homed is prevented from one of its checks to see if this user account might already exist

[ 2137.195823] localhost.localdomain audit[719]: AVC avc:  denied  { read } for  pid=719 comm="systemd-homed" name="mail" dev="vda2" ino=153904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file permissive=0

systemd-homework is prevented from creating the backing file


[ 2137.242059] localhost.localdomain audit[1381]: AVC avc:  denied  { create } for  pid=1381 comm="systemd-homewor" name=".#homeworkhack.homed4712c156a3cea80" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=0


Expected results:

Command should succeed.


Additional info:


Additional comments with enforcing=0 (many more AVC's than this description).

Comment 1 Chris Murphy 2020-03-04 05:07:42 UTC
With enforcing=1, and therefore the command succeeds.


[   49.855025] localhost.localdomain audit[714]: AVC avc:  denied  { read } for  pid=714 comm="systemd-homed" name="mail" dev="vda2" ino=153904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file permissive=1
[   49.876646] localhost.localdomain systemd-homed[714]: hack: changing state absent → creating
[   49.907136] localhost.localdomain systemd-homework[1301]: Sizing home to 85% of available disk space, which is 77.1G.
[   49.908640] localhost.localdomain audit[1301]: AVC avc:  denied  { create } for  pid=1301 comm="systemd-homewor" name=".#homeworkhack.homea8a24f4032837160" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[   49.908785] localhost.localdomain audit[1301]: AVC avc:  denied  { read write open } for  pid=1301 comm="systemd-homewor" path="/home/.#homeworkhack.homea8a24f4032837160" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[   49.908899] localhost.localdomain audit[1301]: AVC avc:  denied  { setattr } for  pid=1301 comm="systemd-homewor" path="/home/.#homeworkhack.homea8a24f4032837160" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[   49.911204] localhost.localdomain systemd-homework[1301]: Allocating image file completed.
[   49.913175] localhost.localdomain systemd-homework[1301]: Writing of partition table completed.
[   49.913302] localhost.localdomain audit[1301]: AVC avc:  denied  { read write } for  pid=1301 comm="systemd-homewor" name="loop-control" dev="devtmpfs" ino=17130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[   49.913390] localhost.localdomain audit[1301]: AVC avc:  denied  { open } for  pid=1301 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[   49.924964] localhost.localdomain audit[1301]: AVC avc:  denied  { ioctl } for  pid=1301 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 ioctlcmd=0x4c82 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[   49.459046] localhost.localdomain kernel: loop: module loaded
[   49.944137] localhost.localdomain systemd-homework[1301]: Setting up loopback device /dev/loop0 completed.
[   49.949146] localhost.localdomain systemd-udevd[1303]: loop0: Failed to process device, ignoring: Resource temporarily unavailable
[   49.949816] localhost.localdomain systemd-udevd[1303]: loop0: Failed to process device, ignoring: Resource temporarily unavailable
[   49.949866] localhost.localdomain systemd-udevd[1303]: loop0: Failed to process device, ignoring: Resource temporarily unavailable
[   50.953041] localhost.localdomain systemd-homework[1301]: LUKS formatting completed.
[   52.389183] localhost.localdomain systemd-homework[1301]: Writing password to LUKS keyslot 0 completed.
[   52.559545] localhost.localdomain systemd-udevd[1304]: loop0: Failed to process device, ignoring: Resource temporarily unavailable
[   52.578332] localhost.localdomain systemd-homework[1301]: LUKS activation by volume key succeeded.
[   52.640661] localhost.localdomain systemd-homework[1301]: Writing user record as LUKS token completed.
[   52.640815] localhost.localdomain systemd-homework[1301]: Setting up LUKS device /dev/mapper/home-hack completed.
[   52.647680] localhost.localdomain systemd-homed[1314]: mke2fs 1.45.5 (07-Jan-2020)
[   52.649541] localhost.localdomain systemd-homed[1314]: Creating filesystem with 20219666 4k blocks and 5062656 inodes
[   52.649618] localhost.localdomain systemd-homed[1314]: Filesystem UUID: fffc950f-d4d4-4515-aa97-030d501611ba
[   52.649685] localhost.localdomain systemd-homed[1314]: Superblock backups stored on blocks:
[   52.649924] localhost.localdomain systemd-homed[1314]:         32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
[   52.650031] localhost.localdomain systemd-homed[1314]:         4096000, 7962624, 11239424
[   52.650684] localhost.localdomain systemd-homed[1314]: [57B blob data]
[   52.651334] localhost.localdomain systemd-homed[1314]: [54B blob data]
[   53.378762] localhost.localdomain systemd-homed[1314]: Creating journal (131072 blocks): done
[   53.581293] localhost.localdomain systemd-homed[1314]: [91B blob data]
[   53.581682] localhost.localdomain systemd-homework[1301]: Formatting file system completed.
[   53.585027] localhost.localdomain systemd-homework[1301]: Mounting file system completed.
[   53.119574] localhost.localdomain kernel: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: noquota,user_xattr,nodiscard
[   53.585214] localhost.localdomain audit[1301]: AVC avc:  denied  { add_name } for  pid=1301 comm="systemd-homewor" name="hack" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
[   53.585628] localhost.localdomain audit[1301]: AVC avc:  denied  { add_name } for  pid=1301 comm="systemd-homewor" name=".mozilla" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
[   53.585941] localhost.localdomain audit[1301]: AVC avc:  denied  { create } for  pid=1301 comm="systemd-homewor" name=".bash_logout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[   53.586036] localhost.localdomain audit[1301]: AVC avc:  denied  { write } for  pid=1301 comm="systemd-homewor" path="/run/systemd/user-home-mount/hack/.bash_logout" dev="dm-0" ino=3932165 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[   53.586097] localhost.localdomain audit[1301]: AVC avc:  denied  { setattr } for  pid=1301 comm="systemd-homewor" name=".bash_logout" dev="dm-0" ino=3932165 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[   53.586167] localhost.localdomain systemd-homework[1301]: Copying in /etc/skel completed.
[   53.586436] localhost.localdomain audit[1301]: AVC avc:  denied  { remove_name } for  pid=1301 comm="systemd-homewor" name=".#.identitye015192006fb85b2" dev="dm-0" ino=3932168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
[   53.586509] localhost.localdomain audit[1301]: AVC avc:  denied  { rename } for  pid=1301 comm="systemd-homewor" name=".#.identitye015192006fb85b2" dev="dm-0" ino=3932168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[   53.586575] localhost.localdomain systemd-homework[1301]: Wrote embedded .identity file.
[   53.586623] localhost.localdomain systemd-homework[1301]: Recursive changing of ownership completed.
[   53.586675] localhost.localdomain systemd-homework[1301]: Changed top-level directory access mode to 0700.
[   53.844362] localhost.localdomain systemd-homework[1301]: Synchronized disk.
[   53.881915] localhost.localdomain audit[1301]: AVC avc:  denied  { write } for  pid=1301 comm="systemd-homewor" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
[   57.051338] localhost.localdomain systemd-homework[1301]: Failed to remove device /dev/loop0: Device or resource busy
[   57.053486] localhost.localdomain audit[1301]: AVC avc:  denied  { rename } for  pid=1301 comm="systemd-homewor" name=".#homeworkhack.homea8a24f4032837160" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[   57.053877] localhost.localdomain systemd-homework[1301]: Moved image file into place.
[   57.054101] localhost.localdomain systemd-homework[1301]: Everything completed.
[   57.054362] localhost.localdomain systemd-homework[1301]: Image size is 77.1G, file system size is 77.1G, file system payload size is 75.4G, file system free is 75.3G.
[   57.062919] localhost.localdomain systemd-homed[714]: hack: changing state creating → inactive
[   57.068133] localhost.localdomain sudo[1259]: pam_unix(sudo:session): session closed for user root
[   57.068704] localhost.localdomain audit[1259]: USER_END pid=1259 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[   57.068841] localhost.localdomain audit[1259]: CRED_DISP pid=1259 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[   57.070500] localhost.localdomain systemd[1]: session-1.scope: Succeeded.
[   57.071924] localhost.localdomain systemd-logind[780]: Session 1 logged out. Waiting for processes to exit.
[   57.073791] localhost.localdomain systemd-logind[780]: Removed session 1.

Comment 2 Chris Murphy 2020-03-04 05:09:28 UTC
Created attachment 1667367
sudo strace homectl create hack

enforcing=1

This is the strace output from the (successful) 'homectl create' command.

Comment 3 Chris Murphy 2020-03-04 05:13:40 UTC
Also enforcing=1, 'sudo homectl activate hack'

[  849.942101] localhost.localdomain systemd-homed[714]: hack: changing state inactive → activating
[  849.970902] localhost.localdomain systemd-homework[1433]: Provided password unlocks user record.
[  849.971447] localhost.localdomain audit[1433]: AVC avc:  denied  { read write } for  pid=1433 comm="systemd-homewor" name="hack.home" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[  849.971553] localhost.localdomain audit[1433]: AVC avc:  denied  { open } for  pid=1433 comm="systemd-homewor" path="/home/hack.home" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[  849.971605] localhost.localdomain systemd-homework[1433]: Backing file is fully allocated already.
[  849.971782] localhost.localdomain audit[1433]: AVC avc:  denied  { read write } for  pid=1433 comm="systemd-homewor" name="loop-control" dev="devtmpfs" ino=17130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[  849.971902] localhost.localdomain audit[1433]: AVC avc:  denied  { open } for  pid=1433 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[  849.972024] localhost.localdomain audit[1433]: AVC avc:  denied  { ioctl } for  pid=1433 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 ioctlcmd=0x4c82 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[  849.978552] localhost.localdomain systemd-homework[1433]: Setting up loopback device /dev/loop0 completed.
[  850.847138] localhost.localdomain systemd-homework[1433]: Setting up LUKS device /dev/mapper/home-hack completed.
[  850.868078] localhost.localdomain systemd-homework[1433]: Provided password unlocks user record.
[  850.870660] localhost.localdomain systemd-homework[1433]: Probing file system completed (found ext4).
[  850.879666] localhost.localdomain systemd-homed[1446]: hack: clean, 19/5062656 files, 462193/20219666 blocks
[  850.887932] localhost.localdomain systemd-homework[1433]: File system check completed.
[  850.897245] localhost.localdomain systemd-homework[1433]: Mounting file system completed.
[  850.444823] localhost.localdomain kernel: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: noquota,user_xattr,nodiscard
[  850.897451] localhost.localdomain systemd-homework[1433]: Read embedded .identity file.
[  850.917765] localhost.localdomain systemd-homework[1433]: Provided password unlocks user record.
[  850.917898] localhost.localdomain systemd-homework[1433]: Reconciling user identities completed (host and header version were identical).
[  850.918023] localhost.localdomain systemd-homework[1433]: Reconciling embedded user identity completed (host and embedded version were identical).
[  850.918100] localhost.localdomain systemd-homework[1433]: Recursive changing of ownership not necessary, skipped.
[  850.924719] localhost.localdomain systemd-homework[1433]: Synchronized disk.
[  850.927711] localhost.localdomain systemd-homework[1433]: Moving to final mount point /home/hack completed.
[  850.927819] localhost.localdomain systemd-homework[1433]: Everything completed.
[  850.927881] localhost.localdomain systemd-homework[1433]: Image size is 77.1G, file system size is 77.1G, file system payload size is 75.4G, file system free is 75.3G.
[  850.929426] localhost.localdomain systemd-homed[714]: Home hack is signed exclusively by our key, accepting.
[  850.929513] localhost.localdomain systemd-homed[714]: hack: changing state activating → active
[  850.931882] localhost.localdomain sudo[1393]: pam_unix(sudo:session): session closed for user root
[  850.932946] localhost.localdomain audit[1393]: USER_END pid=1393 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[  850.933086] localhost.localdomain audit[1393]: CRED_DISP pid=1393 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[  850.934505] localhost.localdomain systemd[1]: session-1.scope: Succeeded.
[  850.937290] localhost.localdomain systemd-logind[780]: Session 1 logged out. Waiting for processes to exit.
[  850.941714] localhost.localdomain systemd-logind[780]: Removed session 1.
[chris@localhost ~]$

Comment 4 Chris Murphy 2020-03-04 05:16:32 UTC
Also enforcing=1, 'sudo homectl remove hack'

[ 1079.436734] localhost.localdomain audit[1535]: USER_ACCT pid=1535 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="chris" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 1079.437220] localhost.localdomain sudo[1535]:    chris : TTY=pts/0 ; PWD=/home/chris ; USER=root ; COMMAND=/usr/bin/homectl remove hack
[ 1079.438616] localhost.localdomain audit[1535]: USER_CMD pid=1535 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/chris" cmd=686F6D6563746C2072656D6F7665206861636B exe="/usr/bin/sudo" terminal=pts/0 res=success'
[ 1079.438731] localhost.localdomain audit[1535]: CRED_REFR pid=1535 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 1079.451380] localhost.localdomain systemd-logind[780]: New session 1 of user root.
[ 1079.454068] localhost.localdomain systemd[1]: Created slice User Slice of UID 0.
[ 1079.455670] localhost.localdomain systemd[1]: Starting User Runtime Directory /run/user/0...
[ 1079.470659] localhost.localdomain systemd[1]: Started User Runtime Directory /run/user/0.
[ 1079.471279] localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user-runtime-dir@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 1079.473444] localhost.localdomain systemd[1]: Starting User Manager for UID 0...
[ 1079.480405] localhost.localdomain audit[1542]: USER_ACCT pid=1542 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 1079.480531] localhost.localdomain audit[1542]: CRED_ACQ pid=1542 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct="root" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
[ 1079.513318] localhost.localdomain audit[1542]: USER_ROLE_CHANGE pid=1542 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 1079.515953] localhost.localdomain systemd[1542]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
[ 1079.516704] localhost.localdomain audit[1542]: USER_START pid=1542 uid=0 auid=0 ses=6 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 1079.525055] localhost.localdomain audit: BPF prog-id=52 op=LOAD
[ 1079.525317] localhost.localdomain audit: BPF prog-id=52 op=UNLOAD
[ 1079.525400] localhost.localdomain audit: BPF prog-id=53 op=LOAD
[ 1079.525439] localhost.localdomain audit: BPF prog-id=53 op=UNLOAD
[ 1079.611235] localhost.localdomain systemd[1542]: Condition check resulted in Mark boot as successful after the user session has run 2 minutes being skipped.
[ 1079.611816] localhost.localdomain systemd[1542]: Started Daily Cleanup of User's Temporary Directories.
[ 1079.611883] localhost.localdomain systemd[1542]: Reached target Paths.
[ 1079.611958] localhost.localdomain systemd[1542]: Reached target Timers.
[ 1079.613367] localhost.localdomain systemd[1542]: Starting D-Bus User Message Bus Socket.
[ 1079.613625] localhost.localdomain systemd[1542]: Listening on Multimedia System.
[ 1079.613734] localhost.localdomain systemd[1542]: Condition check resulted in Sound System being skipped.
[ 1079.614720] localhost.localdomain systemd[1542]: Starting Create User's Volatile Files and Directories...
[ 1079.626582] localhost.localdomain systemd[1542]: Listening on D-Bus User Message Bus Socket.
[ 1079.627132] localhost.localdomain systemd[1542]: Started Create User's Volatile Files and Directories.
[ 1079.627369] localhost.localdomain systemd[1542]: Reached target Sockets.
[ 1079.627515] localhost.localdomain systemd[1542]: Reached target Basic System.
[ 1079.627795] localhost.localdomain systemd[1542]: Reached target Main User Target.
[ 1079.627933] localhost.localdomain systemd[1542]: Startup finished in 105ms.
[ 1079.628217] localhost.localdomain systemd[1]: Started User Manager for UID 0.
[ 1079.628595] localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 1079.629820] localhost.localdomain systemd[1]: Started Session 1 of user root.
[ 1079.639207] localhost.localdomain sudo[1535]: pam_unix(sudo:session): session opened for user root by chris(uid=0)
[ 1079.639550] localhost.localdomain audit[1535]: USER_START pid=1535 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 1079.647075] localhost.localdomain systemd-homed[714]: hack: changing state inactive → removing
[ 1079.651915] localhost.localdomain audit[1560]: AVC avc:  denied  { unlink } for  pid=1560 comm="systemd-homewor" name="hack.home" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[ 1079.787678] localhost.localdomain audit[1560]: AVC avc:  denied  { rmdir } for  pid=1560 comm="systemd-homewor" name="hack" dev="vda2" ino=455 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
[ 1079.787940] localhost.localdomain systemd-homework[1560]: Everything completed.
[ 1079.790690] localhost.localdomain sudo[1535]: pam_unix(sudo:session): session closed for user root
[ 1079.790854] localhost.localdomain audit[1535]: USER_END pid=1535 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 1079.790958] localhost.localdomain audit[1535]: CRED_DISP pid=1535 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
[ 1079.792057] localhost.localdomain systemd[1]: session-1.scope: Succeeded.
[ 1079.794288] localhost.localdomain systemd-logind[780]: Session 1 logged out. Waiting for processes to exit.
[ 1079.795868] localhost.localdomain systemd-logind[780]: Removed session 1.
[chris@localhost ~]$

Comment 5 Chris Murphy 2020-03-04 05:46:04 UTC
Summary of the above, based on the same journal and time stamps. 


These all look like the creation of the backing file itself in the real /home/ directory.


[   49.855025] localhost.localdomain audit[714]: AVC avc:  denied  { read } for  pid=714 comm="systemd-homed" name="mail" dev="vda2" ino=153904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file permissive=1
[   49.908640] localhost.localdomain audit[1301]: AVC avc:  denied  { create } for  pid=1301 comm="systemd-homewor" name=".#homeworkhack.homea8a24f4032837160" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[   49.908785] localhost.localdomain audit[1301]: AVC avc:  denied  { read write open } for  pid=1301 comm="systemd-homewor" path="/home/.#homeworkhack.homea8a24f4032837160" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[   49.908899] localhost.localdomain audit[1301]: AVC avc:  denied  { setattr } for  pid=1301 comm="systemd-homewor" path="/home/.#homeworkhack.homea8a24f4032837160" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[   49.913302] localhost.localdomain audit[1301]: AVC avc:  denied  { read write } for  pid=1301 comm="systemd-homewor" name="loop-control" dev="devtmpfs" ino=17130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[   49.913390] localhost.localdomain audit[1301]: AVC avc:  denied  { open } for  pid=1301 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[   49.924964] localhost.localdomain audit[1301]: AVC avc:  denied  { ioctl } for  pid=1301 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 ioctlcmd=0x4c82 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1


At this point, because of all the tcontexts that are unlabeled, this might be a systemd-homed bug; it probably needs to do a 'restorecon' as part of creating the home, but that's a guess. But I'm not really sure.


[   53.585214] localhost.localdomain audit[1301]: AVC avc:  denied  { add_name } for  pid=1301 comm="systemd-homewor" name="hack" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
[   53.585628] localhost.localdomain audit[1301]: AVC avc:  denied  { add_name } for  pid=1301 comm="systemd-homewor" name=".mozilla" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
[   53.585941] localhost.localdomain audit[1301]: AVC avc:  denied  { create } for  pid=1301 comm="systemd-homewor" name=".bash_logout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[   53.586036] localhost.localdomain audit[1301]: AVC avc:  denied  { write } for  pid=1301 comm="systemd-homewor" path="/run/systemd/user-home-mount/hack/.bash_logout" dev="dm-0" ino=3932165 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[   53.586097] localhost.localdomain audit[1301]: AVC avc:  denied  { setattr } for  pid=1301 comm="systemd-homewor" name=".bash_logout" dev="dm-0" ino=3932165 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[   53.586436] localhost.localdomain audit[1301]: AVC avc:  denied  { remove_name } for  pid=1301 comm="systemd-homewor" name=".#.identitye015192006fb85b2" dev="dm-0" ino=3932168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
[   53.586509] localhost.localdomain audit[1301]: AVC avc:  denied  { rename } for  pid=1301 comm="systemd-homewor" name=".#.identitye015192006fb85b2" dev="dm-0" ino=3932168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

I have no idea what this is, but using its monotonic time stamp as a reference and going up to the description, right before this is synchronizing disks, and right after is a failure to remove /dev/loop0 - and yet following the completion of the command, there is nothing listed by 'losetup' so it must have tried again and succeeded?

[   53.881915] localhost.localdomain audit[1301]: AVC avc:  denied  { write } for  pid=1301 comm="systemd-homewor" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1


And this is following the creation and setup, and it wants to rename the backing file, which seems reasonable, but it's not labeled correctly?


[   57.053486] localhost.localdomain audit[1301]: AVC avc:  denied  { rename } for  pid=1301 comm="systemd-homewor" name=".#homeworkhack.homea8a24f4032837160" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1

$ ls -lZ
total 80901920
drwx------. 1 chris chris unconfined_u:object_r:user_home_dir_t:s0         288 Mar  3 22:02 chris
-rw-------. 1 root  root  system_u:object_r:home_root_t:s0         82843564032 Mar  3 22:31 hack.home
$ 


These are for the 'activate' subcommand, which at this point just wants to attach the /home/hack.home file to /dev/loop0. There is no cryptsetup or mount attempt yet.

[  849.971447] localhost.localdomain audit[1433]: AVC avc:  denied  { read write } for  pid=1433 comm="systemd-homewor" name="hack.home" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[  849.971553] localhost.localdomain audit[1433]: AVC avc:  denied  { open } for  pid=1433 comm="systemd-homewor" path="/home/hack.home" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[  849.971782] localhost.localdomain audit[1433]: AVC avc:  denied  { read write } for  pid=1433 comm="systemd-homewor" name="loop-control" dev="devtmpfs" ino=17130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[  849.971902] localhost.localdomain audit[1433]: AVC avc:  denied  { open } for  pid=1433 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[  849.972024] localhost.localdomain audit[1433]: AVC avc:  denied  { ioctl } for  pid=1433 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 ioctlcmd=0x4c82 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1



And finally these are for destroying/removing the hack.home backing file.


[ 1079.651915] localhost.localdomain audit[1560]: AVC avc:  denied  { unlink } for  pid=1560 comm="systemd-homewor" name="hack.home" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[ 1079.787678] localhost.localdomain audit[1560]: AVC avc:  denied  { rmdir } for  pid=1560 comm="systemd-homewor" name="hack" dev="vda2" ino=455 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
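
The grouping done by hand in Comment 5, as an added example (not part of the original report and not a Fedora or systemd tool): it parses AVC records, collapses them by source type, target type and object class, counts how many were enforced (`permissive=0`) versus only logged, and separates denials against `unlabeled_t` from the rest. The function names `parse_avc`, `summarize` and `triage` are hypothetical; the sample lines are copied from the journal output quoted in this report.

```python
import re
from collections import defaultdict

# Lines copied from the journal output in this report; the last one is a
# non-AVC line, included to show that it is skipped.
SAMPLE_JOURNAL = r"""
[ 2137.195823] localhost.localdomain audit[719]: AVC avc:  denied  { read } for  pid=719 comm="systemd-homed" name="mail" dev="vda2" ino=153904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=lnk_file permissive=0
[ 2137.242059] localhost.localdomain audit[1381]: AVC avc:  denied  { create } for  pid=1381 comm="systemd-homewor" name=".#homeworkhack.homed4712c156a3cea80" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=0
[   49.908785] localhost.localdomain audit[1301]: AVC avc:  denied  { read write open } for  pid=1301 comm="systemd-homewor" path="/home/.#homeworkhack.homea8a24f4032837160" dev="vda2" ino=454 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=1
[   49.924964] localhost.localdomain audit[1301]: AVC avc:  denied  { ioctl } for  pid=1301 comm="systemd-homewor" path="/dev/loop-control" dev="devtmpfs" ino=17130 ioctlcmd=0x4c82 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
[   53.585214] localhost.localdomain audit[1301]: AVC avc:  denied  { add_name } for  pid=1301 comm="systemd-homewor" name="hack" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
[   53.585941] localhost.localdomain audit[1301]: AVC avc:  denied  { create } for  pid=1301 comm="systemd-homewor" name=".bash_logout" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[   53.881915] localhost.localdomain audit[1301]: AVC avc:  denied  { write } for  pid=1301 comm="systemd-homewor" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
[   49.911204] localhost.localdomain systemd-homework[1301]: Allocating image file completed.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one journal line; return a dict for an AVC denial, else None."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(match.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": match.group(1).split(),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the kernel actually blocked the access.
        "enforced": fields.get("permissive") == "0",
    }


def summarize(journal_text):
    """Collapse denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "enforced": 0, "permissive": 0})
    for line in journal_text.splitlines():
        denial = parse_avc(line)
        if denial is None:
            continue
        key = (denial["source_type"], denial["target_type"], denial["tclass"])
        rules[key]["perms"].update(denial["perms"])
        rules[key]["enforced" if denial["enforced"] else "permissive"] += 1
    return rules


def triage(rules):
    """Return (access vector in allow-rule syntax, category) pairs for review.

    'labeling': the target is unlabeled_t, so the object has no usable label
                and the question is how it gets labeled, not which rule to add.
    'policy':   the target is labeled, but policy has no rule for the access.
    """
    findings = []
    for (source, target, tclass), info in sorted(rules.items()):
        perms = " ".join(sorted(info["perms"]))
        category = "labeling" if target == "unlabeled_t" else "policy"
        findings.append((f"allow {source} {target}:{tclass} {{ {perms} }};", category))
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_JOURNAL)
    for rule, category in triage(summary):
        print(f"[{category}] {rule}")
```

The allow-rule strings are a compact way to read the access vectors, not a policy to load: every source here is `init_t`, which is the situation Comment 8 describes as needing a new domain.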

Comment 6 Chris Murphy 2020-03-04 05:51:57 UTC
Setting priority to low since this is not a Fedora 32 feature; users won't likely run into it. Also there are more subcommands that have a decent chance of causing AVC denials:

deactivate     
inspect
authenticate
update
passwd
resize
lock
unlock
lock-all

Comment 7 Chris Murphy 2020-03-04 05:53:51 UTC
Oh jeez, I got confused. Only in the original description is enforcing=1 (enabled) and in all the others I did in fact have enforcing=0.

Comment 8 Zdenek Pytela 2020-03-04 12:29:38 UTC
Chris,

Thank you for reporting the issue. This new systemd feature will require a new SELinux domain.

Comment 10 Zdenek Pytela 2020-03-04 15:45:40 UTC
Adjusting priority and severity.

Comment 11 Carl George 🤠 2020-04-30 03:21:04 UTC
If user interest matters, count me in.  I was excited to try out this feature but ran into this same denial.

Comment 12 Fedora Program Management 2021-04-29 17:16:01 UTC
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 13 Markus Linnala 2021-10-10 20:21:25 UTC
I made a SELinux module to support systemd-homed and it kind of works and it was kind of straightforward. I can log in via Gnome in F34.

As of this writing there is no selinux string in systemd/src/home and I think systemd-homed does not support SELinux.

Almost all home files are not labeled (unlabeled_t).

It is pointless to continue until there is an update for systemd to implement at least rudimentary SELinux support. I wonder how SELinux user / login support should work with systemd-homed.

To test this you also need to reboot your machine because some directories are created by systemd-homed if missing.



[root@workstation testuser]# ls -lZ
total 0
drwxr-xr-x. 2 testuser testuser unconfined_u:object_r:unlabeled_t:s0  6 10.10. 22:13 Desktop
drwxr-xr-x. 2 testuser testuser unconfined_u:object_r:unlabeled_t:s0  6 10.10. 22:13 Documents
drwxr-xr-x. 2 testuser testuser unconfined_u:object_r:unlabeled_t:s0  6 10.10. 22:13 Downloads
drwxr-xr-x. 2 testuser testuser unconfined_u:object_r:unlabeled_t:s0  6 10.10. 22:13 Music
drwxr-xr-x. 2 testuser testuser unconfined_u:object_r:unlabeled_t:s0 53 10.10. 22:14 Pictures
drwxr-xr-x. 2 testuser testuser unconfined_u:object_r:unlabeled_t:s0  6 10.10. 22:13 Public
drwxr-xr-x. 2 testuser testuser unconfined_u:object_r:unlabeled_t:s0  6 10.10. 22:13 Templates
drwxr-xr-x. 2 testuser testuser unconfined_u:object_r:unlabeled_t:s0  6 10.10. 22:13 Videos



$ cat test-systemd-homed.sh 
#!/bin/bash
set -x
sudo systemctl restart systemd-homed
read
sudo homectl remove testuser
sudo homectl remove testuser
sudo homectl list
sudo homectl create testuser --real-name="Test User" --disk-size=1G --fs-type=xfs --storage=luks  --timezone=Europe/Helsinki --language=fi_FI.utf8
sudo homectl list
sudo homectl with testuser -- bash -c 'ls -laZ;id -a;iostat;restorecon -nvR /run /var/lib/systemd /usr/lib/systemd; grep /run /proc/mounts'
sudo homectl activate testuser
sudo homectl inspect testuser
ls -laZ /home/testuser.home
sudo homectl resize testuser 1100M
sudo homectl update testuser
ls -laZ /home/testuser.home
sudo homectl inspect testuser
sudo homectl deactivate-all
sudo homectl activate testuser
sudo homectl inspect testuser
sudo homectl lock testuser
sudo homectl unlock testuser
sudo homectl lock-all
sudo homectl unlock testuser
sudo homectl deactivate-all
sudo homectl remove testuser
read
# for s in luks fscrypt directory subvolume cifs; do
for s in luks directory subvolume; do
    for f in xfs ext4 btrfs; do
        sudo homectl create testuser --real-name="Test User" --disk-size=1G --fs-type="$f" --storage="$s"  --timezone=Europe/Helsinki --language=fi_FI.utf8
        sudo homectl remove testuser
    done
done

Comment 14 Markus Linnala 2021-10-10 20:23:00 UTC
Created attachment 1831587 [details]
local_homed.fc

Comment 15 Markus Linnala 2021-10-10 20:23:50 UTC
Created attachment 1831588 [details]
local_homed.if

Comment 16 Markus Linnala 2021-10-10 20:24:28 UTC
Created attachment 1831589 [details]
local_homed.te

Comment 17 Markus Linnala 2021-10-10 20:30:12 UTC
My modules are designed to be added to fedora-selinux/selinux-policy/policy/modules/system/systemd.{fc,if,te}. But this kind of stuff is quite hard to test if it is a patch to selinux-policy.

There is also one regression of /run/cryptsetup where there is disagreement about the domain used.

It is possible there are some dependencies on other local modifications, as I did not use a clean install here.

Comment 18 Timothée Ravier 2021-11-10 12:02:49 UTC
Thanks, this is a good start. Could you make a PR at https://github.com/fedora-selinux/selinux-policy to get the conversation started? Thanks

Comment 20 Zdenek Pytela 2024-09-24 13:27:25 UTC
Should be in the next rawhide after merging
https://github.com/fedora-selinux/selinux-policy/pull/2018

