Bug 1860443 - AVC denial init_t home_bin_t when systemd ExecStart executable in user's home bin directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.6
Assignee: Zdenek Pytela
QA Contact: Amith
Docs Contact: Khushbu Borole
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-24 15:16 UTC by Anthony Zone
Modified: 2022-05-10 16:22 UTC
CC: 15 users

Fixed In Version: selinux-policy-3.14.3-82.el8
Doc Type: Bug Fix
Doc Text:
.`systemd` can now execute files from `/home/_user_/bin`

Previously, `systemd` services could not execute files from the `/home/_user_/bin/` directory because the SELinux policy did not include the policy rules that allow such access. Consequently, the `systemd` services failed and eventually logged the Access Vector Cache (AVC) denial Audit messages. This update adds the missing SELinux rules that allow access, and `systemd` services can now correctly execute commands from `/home/_user_/bin/`.
Clone Of:
Environment:
Last Closed: 2022-05-10 15:14:56 UTC
Type: Bug
Target Upstream Version:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 5248291 | 0 | None | None | None | 2020-07-30 14:19:58 UTC
Red Hat Product Errata | RHBA-2022:1995 | 0 | None | None | None | 2022-05-10 15:15:13 UTC

Description Anthony Zone 2020-07-24 15:16:33 UTC
Description of problem:

When an executable is in /home/user/bin and a systemd unit file attempts to run it, we fail with AVC denial:

# ausearch -i -m avc,user_avc
----
type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):

RHEL 8

How reproducible:

Every time


Steps to Reproduce:
1. mkdir /home/user/bin
2. Create executable:

    # cat /home/vagrant/bin/test.sh 
    #!/bin/bash

    echo 'test'

3. Create systemd unit file:

    # cat /etc/systemd/system/test.service 
    [Service]
    ExecStart=/home/vagrant/bin/test.sh

4. systemctl daemon-reload; systemctl start test.service

Actual results:

AVC denial:

    type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0

Expected results:

systemd should be able to run an executable in a user's bin home without AVC.

Additional info:

This can be worked around by wrapping the executable in a shell so it's bin_t instead of init_t:

    # cat /etc/systemd/system/test.service 
    [Service]
    ExecStart=/bin/sh -c '/home/vagrant/bin/test.sh'
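
An added example, not code from the bug report or from the selinux-policy project: it parses `ausearch -i -m avc` records such as the one quoted above, flags the init_t -> home_bin_t `execute` denial this bug tracks, and compares an installed selinux-policy NVR against the fix version listed in the bug's metadata. The second audit record and the NVR strings passed in are constructed; the version ordering is a simplified one for selinux-policy's 3.14.3-NN.el8 numbering, not a general rpmvercmp.

```python
"""Triage AVC denial records like the one in this bug report (added example)."""
import re
from dataclasses import dataclass, field

# Fix version as recorded in the bug's "Fixed In Version" field.
FIXED_IN = "selinux-policy-3.14.3-82.el8"

# Constructed sample input. Record 1 is the denial quoted in the report; record 2
# is a made-up, unrelated denial so the triage has something to leave alone.
SAMPLE_AUDIT = """\
----
type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(07/24/2020 10:41:02.117:763) : avc:  denied  { read } for  pid=5230 comm=(cat) name=notes.txt dev="dm-0" ino=8424010 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
# key=value pairs; values may be bare, double-quoted (dev="dm-0") or parenthesised (comm=(test.sh)).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# Optional package name prefix, dotted numeric version, numeric release prefix.
NVR_RE = re.compile(r"(?:selinux-policy(?:-\w+)?-)?(\d[\d.]*)-(\d+)")


@dataclass
class AvcRecord:
    result: str                      # "denied" or "granted"
    perms: tuple                     # e.g. ("execute",)
    fields: dict = field(default_factory=dict)

    def type_of(self, key):
        """Third colon-separated component of an SELinux label is the type."""
        parts = self.fields.get(key, "").split(":")
        return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Return an AvcRecord for one AVC line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AvcRecord(m.group("result"), tuple(m.group("perms").split()), fields)


def is_this_bug(rec):
    """The denial tracked here: systemd (init_t) executing a home_bin_t file."""
    return (rec.result == "denied"
            and "execute" in rec.perms
            and rec.type_of("scontext") == "init_t"
            and rec.type_of("tcontext") == "home_bin_t"
            and rec.fields.get("tclass") == "file")


def triage(text):
    """Parse every AVC record in `text`; tag each as this bug's denial or 'other'."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append({
            "pid": rec.fields.get("pid"),
            "comm": rec.fields.get("comm"),
            "source_type": rec.type_of("scontext"),
            "target_type": rec.type_of("tcontext"),
            "perms": rec.perms,
            # permissive=0 means the access was actually blocked, not just logged
            "enforcing": rec.fields.get("permissive") == "0",
            "verdict": "bz1860443" if is_this_bug(rec) else "other",
        })
    return out


def _nvr_key(nvr):
    """Simplified ordering for selinux-policy NVRs (3.14.3-NN.el8); not a full rpmvercmp."""
    m = NVR_RE.match(nvr)
    if not m:
        raise ValueError(f"unrecognised NVR: {nvr}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))


def is_fixed_version(installed_nvr):
    """True when the installed selinux-policy is at or past the bug's fix version."""
    return _nvr_key(installed_nvr) >= _nvr_key(FIXED_IN)


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        print(r)
    # constructed NVR, older than the fix
    print("policy at fix level:", is_fixed_version("selinux-policy-3.14.3-80.el8"))
```

On a real host, pass the captured text of `ausearch -i -m avc` to `triage()` and the output of `rpm -q selinux-policy` to `is_fixed_version()`. A record whose `enforcing` is False was logged in permissive mode and not blocked, so it points at a policy gap to close before switching to enforcing rather than at a service that is already failing.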

Comment 19 Zdenek Pytela 2021-10-18 13:49:38 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/918

Comment 20 Zdenek Pytela 2021-10-20 16:29:07 UTC
To backport:
commit 6cd3803e9bf80bce715ab4e84afb00c68b3708c7
Author: Zdenek Pytela <zpytela>
Date:   Mon Oct 18 15:48:07 2021 +0200

    Allow systemd execute user bin files

Comment 32 errata-xmlrpc 2022-05-10 15:14:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

