Description of problem:
SELinux is preventing systemd-machine from 'remove_name' accesses on the directory io.systemd.Machine.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that systemd-machine should be allowed remove_name access on the io.systemd.Machine directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -X 300 -i my-systemdmachine.pp

Additional Information:
Source Context                system_u:system_r:systemd_machined_t:s0
Target Context                system_u:object_r:systemd_userdbd_runtime_t:s0
Target Objects                io.systemd.Machine [ dir ]
Source                        systemd-machine
Source Path                   systemd-machine
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.6-29.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-29.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.8.15-301.fc33.x86_64 #1 SMP Thu Oct 15 16:58:06 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-10-23 19:35:32 PDT
Last Seen                     2020-10-23 19:35:32 PDT
Local ID                      589e6368-12c3-4897-b85e-7938bef60e35

Raw Audit Messages
type=AVC msg=audit(1603506932.973:619): avc:  denied  { remove_name } for  pid=2719 comm="systemd-machine" name="io.systemd.Machine" dev="tmpfs" ino=35949 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0

Hash: systemd-machine,systemd_machined_t,systemd_userdbd_runtime_t,dir,remove_name

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-29.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.8.16-300.fc33.x86_64
type:           libreport
Also appeared on my Fedora 33 VM:

----
type=PROCTITLE msg=audit(11/27/2020 07:54:01.050:426) : proctitle=/usr/lib/systemd/systemd-machined
type=PATH msg=audit(11/27/2020 07:54:01.050:426) : item=1 name=/run/systemd/userdb/io.systemd.Machine inode=1237 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/27/2020 07:54:01.050:426) : item=0 name=/run/systemd/userdb/ inode=34 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/27/2020 07:54:01.050:426) : cwd=/
type=SYSCALL msg=audit(11/27/2020 07:54:01.050:426) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x7ffe3948c522 a1=0x0 a2=0xe a3=0x4ce61b918ccedda0 items=2 ppid=1 pid=4022 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null)
type=AVC msg=audit(11/27/2020 07:54:01.050:426) : avc:  denied  { remove_name } for  pid=4022 comm=systemd-machine name=io.systemd.Machine dev="tmpfs" ino=1237 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
----
# service systemd-machined restart

----
type=PROCTITLE msg=audit(11/27/2020 18:26:00.759:2062) : proctitle=/usr/lib/systemd/systemd-machined
type=PATH msg=audit(11/27/2020 18:26:00.759:2062) : item=1 name=/run/systemd/userdb/io.systemd.Machine inode=1237 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/27/2020 18:26:00.759:2062) : item=0 name=/run/systemd/userdb/ inode=34 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/27/2020 18:26:00.759:2062) : cwd=/
type=SYSCALL msg=audit(11/27/2020 18:26:00.759:2062) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7ffe0c75d912 a1=0x0 a2=0x1e a3=0x52f33a9ea51ef1f4 items=2 ppid=1 pid=53646 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null)
type=AVC msg=audit(11/27/2020 18:26:00.759:2062) : avc:  denied  { unlink } for  pid=53646 comm=systemd-machine name=io.systemd.Machine dev="tmpfs" ino=1237 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(11/27/2020 18:26:00.759:2062) : avc:  denied  { remove_name } for  pid=53646 comm=systemd-machine name=io.systemd.Machine dev="tmpfs" ino=1237 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
----
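As an added example (not part of this report or of the selinux-policy project), a small Python parser for the AVC records quoted in the first and third comments, in both the raw and the interpreted (ausearch -i) layout, which aggregates them into the allow rules that the suggested audit2allow step would derive. The sample records are copied from this bug; the permissive-mode restart is the run that surfaces the sock_file unlink denial, which in enforcing mode stays hidden behind the earlier dir remove_name failure.

```python
"""Parse SELinux AVC denials and derive the corresponding allow rules.
Added example; the three sample records are copied from this bug report
(one raw record from comment 1, two interpreted records from comment 3)."""
import re
from collections import defaultdict

# Constructed sample input: copied verbatim from the audit output in this bug.
SAMPLE_AVC = [
    'type=AVC msg=audit(1603506932.973:619): avc:  denied  { remove_name } for '
    'pid=2719 comm="systemd-machine" name="io.systemd.Machine" dev="tmpfs" ino=35949 '
    'scontext=system_u:system_r:systemd_machined_t:s0 '
    'tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(11/27/2020 18:26:00.759:2062) : avc:  denied  { unlink } for '
    'pid=53646 comm=systemd-machine name=io.systemd.Machine dev="tmpfs" ino=1237 '
    'scontext=system_u:system_r:systemd_machined_t:s0 '
    'tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(11/27/2020 18:26:00.759:2062) : avc:  denied  { remove_name } for '
    'pid=53646 comm=systemd-machine name=io.systemd.Machine dev="tmpfs" ino=1237 '
    'scontext=system_u:system_r:systemd_machined_t:s0 '
    'tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1',
]

_DENIED = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted


def parse_avc(record):
    """Return the key=value fields plus a 'perms' list for one AVC denial,
    or None if the record is not an AVC denial (e.g. SYSCALL, PATH)."""
    m = _DENIED.search(record)
    if not m or "type=AVC" not in record:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(record)}
    fields["perms"] = m.group(1).split()
    return fields


def avc_type(context):
    """The SELinux type is the third field of user:role:type[:range]."""
    return context.split(":")[2]


def allow_rules(records):
    """Merge denials into one allow rule per (source type, target type, class),
    the same grouping audit2allow applies, sorted for stable output."""
    perms = defaultdict(set)
    for rec in records:
        f = parse_avc(rec)
        if f is None:
            continue
        key = (avc_type(f["scontext"]), avc_type(f["tcontext"]), f["tclass"])
        perms[key].update(f["perms"])
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in perms.items())
```

Feeding only the enforcing-mode record yields just the dir rule; the sock_file unlink rule appears only once the permissive run is included, which is why a single enforcing-mode denial is rarely the whole picture.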
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/540
Similar problem has been detected:

this happened doing:
sudo systemctl restart systemd-machined

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing systemd-machine from 'remove_name' accesses on the cartella io.systemd.Machine.
type:           libreport
*** Bug 1922149 has been marked as a duplicate of this bug. ***
Similar problem has been detected:

At boot, this happens.

hashmarkername: setroubleshoot
kernel:         5.10.10-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-34.fc33.noarch
reason:         SELinux is preventing systemd-machine from 'unlink' accesses on the sock_file io.systemd.Machine.
type:           libreport
Merged, needs to be backported.

commit bd926e6e04bf891be59a7e56cc24e517cfa04873 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Tue Jan 12 18:36:07 2021 +0100

    Allow systemd-machined manage systemd-userdbd runtime sockets

    Add the systemd_manage_userdbd_runtime_sock_files() interface and
    remove systemd_create_userdbd_runtime_sock_files() which is not
    used any longer.

    Resolves: rhbz#1891182
FEDORA-2021-e9050fdd5c has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e9050fdd5c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.