Description of problem: * I'm not sure if all confined users should be able to run userdbctl Version-Release number of selected component (if applicable): selinux-policy-3.14.5-38.fc32.noarch selinux-policy-devel-3.14.5-38.fc32.noarch selinux-policy-doc-3.14.5-38.fc32.noarch selinux-policy-targeted-3.14.5-38.fc32.noarch systemd-245.4-1.fc32.x86_64 systemd-libs-245.4-1.fc32.x86_64 systemd-pam-245.4-1.fc32.x86_64 systemd-rpm-macros-245.4-1.fc32.noarch systemd-udev-245.4-1.fc32.x86_64 How reproducible: * always Steps to Reproduce: 1. get a Fedora 32 machine (targeted policy is active) 2. create confined users (guest_u, xguest_u) 3. log into the machine as each of the confined users 4. run "userdbctl user" or "userdbctl group" as each of the confined users 5. search for SELinux denials Actual results: ---- type=PROCTITLE msg=audit(05/14/2020 09:41:37.709:1214) : proctitle=userdbctl user type=PATH msg=audit(05/14/2020 09:41:37.709:1214) : item=0 name=/run/systemd/userdb/io.systemd.Multiplexer inode=20688 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(05/14/2020 09:41:37.709:1214) : cwd=/home/user8288 type=SOCKADDR msg=audit(05/14/2020 09:41:37.709:1214) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.Multiplexer } type=SYSCALL msg=audit(05/14/2020 09:41:37.709:1214) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffeea292db0 a2=0x2d a3=0x64 items=1 ppid=36693 pid=36694 auid=user7455 uid=user7455 gid=user7455 euid=user7455 suid=user7455 fsuid=user7455 egid=user7455 sgid=user7455 fsgid=user7455 tty=pts2 ses=29 comm=userdbctl exe=/usr/bin/userdbctl subj=xguest_u:xguest_r:xguest_t:s0 key=(null) type=AVC msg=audit(05/14/2020 09:41:37.709:1214) : avc: denied { write } for pid=36694 comm=userdbctl name=io.systemd.Multiplexer dev="tmpfs" ino=20688 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0 ---- Expected results: * no SELinux denials (appropriate allow or dontaudit rule is present in the SELinux policy) Additional info: userdbctl executed by confined users produces error messages like these: Failed to enumerate groups: Permission denied Failed to open /run/systemd/userdb/: Permission denied
Looks like something has changed, I cannot confirm the bug as described neither in F32 nor F33. I was checking this while working on bz#1862686 and bz#1865748. systemd-245.6-2.fc32.x86_64 systemd-246~rc1-1.fc33.x86_64 no related rules added to selinux-policy
I propose this fix: PR: https://github.com/fedora-selinux/selinux-policy/pull/414 Link to scratch build: https://download.copr.fedorainfracloud.org/results/rfilo/Selinux-policy-f32/fedora-32-x86_64/01629806-selinux-policy/
commit 5e9918310dccf6d6dd1da52c19ce2a2927d0a96e (HEAD -> rawhide, origin/rawhide) Author: Richard Filo <rfilo> Date: Mon Aug 24 10:55:10 2020 +0200 Allow all users to connect to systemd-userdbd with a unix socket Add interface systemd_userdbd_stream_connect() to allow communication using userdb sockets. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1835630
FEDORA-2020-740de661da has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-740de661da
FEDORA-2020-740de661da has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-740de661da` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-740de661da See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-740de661da has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.