Bug 1860443 - AVC denial init_t home_bin_t when systemd ExecStart executable in user's home bin directory
Summary: AVC denial init_t home_bin_t when systemd ExecStart executable in user's home...
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.6
Assignee: Zdenek Pytela
QA Contact: Amith
Docs Contact: Khushbu Borole
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-24 15:16 UTC by Anthony Zone
Modified: 2021-10-21 06:12 UTC (History)

Fixed In Version: selinux-policy-3.14.3-82.el8
Doc Type: Bug Fix
Doc Text:
systemd cannot execute commands from arbitrary paths
The systemd service cannot execute commands from arbitrary paths such as `/home/user/bin` because the SELinux policy package does not include any rule allowing it. Consequently, custom services that execute commands from non-system paths fail, and SELinux logs Access Vector Cache (AVC) denial audit messages when it denies the access. To work around this problem, do one of the following:
* Execute the command through a shell with the `-c` option, for example: `bash -c _command_`
* Place the command in one of the common directories `/bin`, `/sbin`, `/usr/sbin`, `/usr/local/bin`, or `/usr/local/sbin` and execute it from there.
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Links:
Red Hat Knowledge Base (Solution) 5248291, last updated 2020-07-30 14:19:58 UTC

Description Anthony Zone 2020-07-24 15:16:33 UTC
Description of problem:

When an executable is in /home/user/bin and a systemd unit file attempts to run it, we fail with AVC denial:

# ausearch -i -m avc,user_avc
----
type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):

RHEL 8

How reproducible:

Every time


Steps to Reproduce:
1. mkdir /home/user/bin
2. Create executable:

    # cat /home/vagrant/bin/test.sh 
    #!/bin/bash

    echo 'test'

3. Create systemd unit file:

    # cat /etc/systemd/system/test.service 
    [Service]
    ExecStart=/home/vagrant/bin/test.sh

4. systemctl daemon-reload; systemctl start test.service

Actual results:

AVC denial:

    type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0

Expected results:

systemd should be able to run an executable in a user's bin home without AVC.

Additional info:

This can be worked around by wrapping the executable in a shell so it's bin_t instead of init_t:

    # cat /etc/systemd/system/test.service 
    [Service]
    ExecStart=/bin/sh -c '/home/vagrant/bin/test.sh'
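As an added example (not part of the bug report), a small parser for the `ausearch -i` AVC record format, used to flag the init_t-executes-home_bin_t denial described above; the sample record is the one quoted in the report, and the field layout it assumes (verdict, `{ permissions }`, then `key=value` pairs) is the standard AVC form.

```python
import re

# Constructed sample: the AVC record quoted in the bug report (ausearch -i output).
SAMPLE_AVC = (
    'type=AVC msg=audit(07/24/2020 10:40:46.402:762) : avc:  denied  { execute } '
    'for  pid=5221 comm=(test.sh) name=test.sh dev="dm-0" ino=8424005 '
    'scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 '
    'tclass=file permissive=0'
)

# "avc:  denied  { execute }" -> verdict and the braced permission list
_VERDICT_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
# key=value pairs; values may be quoted ("dm-0"), parenthesised ((test.sh)) or bare
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not an AVC line."""
    m = _VERDICT_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group(1), "perms": set(m.group(2).split())}
    # Only the text after the permission list carries the key=value fields.
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"()')
    # Split user:role:type:level contexts so the SELinux type is directly available.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":", 3)
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def is_init_home_bin_exec_denial(rec):
    """True when systemd (init_t) was denied executing a home_bin_t file."""
    return (
        rec is not None
        and rec["verdict"] == "denied"
        and "execute" in rec["perms"]
        and rec.get("scontext_type") == "init_t"
        and rec.get("tcontext_type") == "home_bin_t"
        and rec.get("tclass") == "file"
    )


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record["scontext_type"], "->", record["tcontext_type"],
          "matches bug:", is_init_home_bin_exec_denial(record))
```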

Comment 19 Zdenek Pytela 2021-10-18 13:49:38 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/918

Comment 20 Zdenek Pytela 2021-10-20 16:29:07 UTC
To backport:
commit 6cd3803e9bf80bce715ab4e84afb00c68b3708c7
Author: Zdenek Pytela <zpytela@redhat.com>
Date:   Mon Oct 18 15:48:07 2021 +0200

    Allow systemd execute user bin files

