Description of problem: This is the same as #1965720, but for systemd-networkd now. Dec 13 08:39:24 fedora-new audit[565]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=9 a1=7f1b4010a565 a2=180 a3=561ebb6fadb0 items=0 ppid=1 pid=565 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null) Dec 13 08:39:24 fedora-new audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-networkd" Dec 13 08:39:24 fedora-new systemd-networkd[565]: Failed to connect to bus: Permission denied Dec 13 08:39:24 fedora-new systemd-networkd[565]: Could not setup manager: Permission denied The service tries to start 5 times, immediately fails 5 times, and is marked as permanently failed, no network on the machine. Version-Release number of selected component (if applicable): selinux-policy-targeted-35.6-1.fc36.noarch systemd-networkd-250~rc1-2.fc36.x86_64 How reproducible: I assume that there's a race here: if systemd-networkd is started a bit later, dbus-broker will have established the socket already, and the issue will not appear. Steps to Reproduce: 1. Install a Fedora rawhide machine 2. systemctl disable NetworkManager && systemctl enable systemd-networkd 3. reboot I think it'd make sense to just allow watch on /, /run, /run/dbus for everyone. We don't want to play whack-a-mole with each service that tries to connect to dbus asynchronously.
We need more information for analysis of this issue. Please collect SELinux denials and attach them here: # ausearch -m avc -m user_avc -m selinux_err -i -ts today Thank you.
'sudo dnf install /usr/sbin/ausearch' pulls in initscripts, uggggh. Anyway, it doesn't work and ausearch always prints "<no matches>". I think audit doesn't pick up the events, because it starts too late. $ journalctl -b --grep avc|cat -- Journal begins at Sun 2021-12-12 22:24:06 CET, ends at Mon 2021-12-13 09:37:38 CET. -- Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 Dec 13 09:34:15 fedora-new audit[564]: AVC avc: denied { watch } for pid=564 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Dec 13 09:34:16 fedora-new audit[587]: AVC avc: denied { watch } for pid=587 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Dec 13 09:34:16 fedora-new audit[588]: AVC avc: denied { watch } for pid=588 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Dec 13 09:34:16 fedora-new audit[589]: AVC avc: denied { watch } for pid=589 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 Dec 13 09:34:16 fedora-new audit[591]: AVC avc: denied { watch } for pid=591 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
(In reply to Zbigniew Jędrzejewski-Szmek from comment #2) > 'sudo dnf install /usr/sbin/ausearch' pulls in initscripts, uggggh. I suppose initscripts-service should be enough, but this anyway is a different component. Summary fixed. > Anyway, it doesn't work and ausearch always prints "<no matches>". > I think audit doesn't pick up the events, because it starts too late. Right. These ones are not related: > $ journalctl -b --grep avc|cat > -- Journal begins at Sun 2021-12-12 22:24:06 CET, ends at Mon 2021-12-13 > 09:37:38 CET. -- > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 > scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 > scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" > ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" > ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 > scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 > Dec 13 09:34:14 fedora-new audit[553]: AVC avc: denied { read } for > pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 > scontext=system_u:system_r:systemd_sysctl_t:s0 > tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1028
FEDORA-2022-20f36a8b0e has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-20f36a8b0e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
*** Bug 2049696 has been marked as a duplicate of this bug. ***