Created attachment 1848261 [details]
selinux fixes (partly, this alone will not fix it)

Description of problem:
SELinux seems not to be adapted for systemd-homed. The issues start when you want to create a user, then when you log in, and so on. I will add a file with what I have added, but even with this it does not work in the end. Currently systemd-homed only works if you put SELinux into permissive mode.

Version-Release number of selected component (if applicable):
systemd-249.7-2.fc35.x86_64

How reproducible:
Try to use systemd-homed with Fedora 35 with SELinux in enforcing mode.

Steps to Reproduce:
1.
2.
3.

Actual results:
All major steps necessary to work with systemd-homed fail in enforcing mode.

Expected results:
The SELinux policy should be adapted for systemd-homed.

Additional info:
Created attachment 1848595 [details]
ausearch -m avc -ts recent

This is the result when I just try to login.
Hey All,

So I am trying to get systemd-homed into a working state for those who want to enable it on Fedora. On the SELinux side of things I found that putting SELinux in permissive mode and then using the SELinux troubleshooter to create policies generally works well. However, where should I be sharing these policies so it just works for everyone? And in what form? For example, policies have to be made for:
1. systemd-homed
2. systemd-homewor
3. dbus-broker
4. gdm-session-wor
5. gdbus
6. colord
So I just went through and modified the SELinux policies based on what the troubleshooter told me. I then re-enabled SELinux and am not having further issues with existing homed users or newly created ones (created post-SELinux=enforcing). I have a bunch of *.te and *.pp files from that process. I just need a little bit of direction on where to submit those.
Looks like this is the place: https://github.com/fedora-selinux/selinux-policy
With a PR under dev: https://github.com/fedora-selinux/selinux-policy/pull/939
This message is a reminder that Fedora Linux 35 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '35'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 35 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 35 entered end-of-life (EOL) status on 2022-12-13. Fedora Linux 35 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38.
This message is a reminder that Fedora Linux 38 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 38 on 2024-05-21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '38'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 38 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
I keep seeing this, now in FreeIPA OpenQA tests which gate us on Fedora: https://openqa.fedoraproject.org/tests/2905812/logfile?filename=_console_avc_crash-avcs.txt

time->Wed Sep 25 08:47:32 2024
type=PROCTITLE msg=audit(1727268452.218:86): proctitle="/usr/lib/systemd/systemd-homed"
type=SYSCALL msg=audit(1727268452.218:86): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=564d4c6e805e a2=90800 a3=0 items=0 ppid=1 pid=831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-homed" exe="/usr/lib/systemd/systemd-homed" subj=system_u:system_r:systemd_homed_t:s0 key=(null)
type=AVC msg=audit(1727268452.218:86): avc: denied { read } for pid=831 comm="systemd-homed" name="home" dev="dm-0" ino=4323192 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0

This is actually the only AVC present in the test, which is awesome, but this bug has been open for 3+ years and needs to be addressed. Zdenek, what are your plans on getting this addressed for F41/42?
Alexander, do you happen to have more details, like what the trigger is and whether it is /home which was requested to be read? It is a bit surprising. New F41 and F42 builds will be created soon along with progress on other bugs.
I suspect systemd-homed is now configured to be active by default. You can download a tarball with logs of that machine: https://openqa.fedoraproject.org/tests/2905812/file/role_deploy_domain_controller_check-var_log.tar.gz

$ grep systemd-homed messages
Sep 25 08:12:14 localhost systemd[1]: Starting systemd-homed.service - Home Area Manager...
Sep 25 08:12:14 localhost systemd-homed[782]: Watching /home.
Sep 25 08:12:14 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 25 08:12:14 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed-activate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 25 08:12:14 localhost systemd[1]: Started systemd-homed.service - Home Area Manager.
Sep 25 08:12:14 localhost systemd[1]: Finished systemd-homed-activate.service - Home Area Activation.
Sep 25 08:15:14 ipa001 systemd[1]: Stopping systemd-homed-activate.service - Home Area Activation...
Sep 25 08:15:14 ipa001 systemd[1]: systemd-homed-activate.service: Deactivated successfully.
Sep 25 08:15:14 ipa001 systemd[1]: Stopped systemd-homed-activate.service - Home Area Activation.
Sep 25 08:15:14 ipa001 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed-activate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 25 08:15:14 ipa001 systemd[1]: Stopping systemd-homed.service - Home Area Manager...
Sep 25 08:15:14 ipa001 systemd[1]: systemd-homed.service: Deactivated successfully.
Sep 25 08:15:14 ipa001 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 25 08:15:14 ipa001 systemd[1]: Stopped systemd-homed.service - Home Area Manager.
Sep 25 08:15:42 ipa001 systemd[1]: Starting systemd-homed.service - Home Area Manager...
Sep 25 08:15:42 ipa001 systemd-homed[778]: Watching /home.
Sep 25 08:15:42 ipa001 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 25 08:15:42 ipa001 systemd[1]: Started systemd-homed.service - Home Area Manager.
Sep 25 08:15:42 ipa001 systemd[1]: Finished systemd-homed-activate.service - Home Area Activation.
Sep 25 08:15:42 ipa001 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed-activate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 25 08:33:35 ipa001 systemd-homed[778]: block device /sys/devices/pci0000:00/0000:00:09.0/virtio6/block/vdb/vdb1 has been removed.
Sep 25 08:47:32 ipa001 systemd[1]: Starting systemd-homed.service - Home Area Manager...
Sep 25 08:47:32 ipa001 systemd-homed[831]: Watching /home.
Sep 25 08:47:32 ipa001 audit[831]: AVC avc: denied { read } for pid=831 comm="systemd-homed" name="home" dev="dm-0" ino=4323192 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Sep 25 08:47:32 ipa001 audit[831]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=564d4c6e805e a2=90800 a3=0 items=0 ppid=1 pid=831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-homed" exe="/usr/lib/systemd/systemd-homed" subj=system_u:system_r:systemd_homed_t:s0 key=(null)
Sep 25 08:47:32 ipa001 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-homed"
Sep 25 08:47:32 ipa001 systemd-homed[831]: Failed to open /var/cache/systemd/home/: Permission denied
Sep 25 08:47:32 ipa001 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 25 08:47:32 ipa001 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed-activate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 25 08:47:32 ipa001 systemd[1]: Started systemd-homed.service - Home Area Manager.
Sep 25 08:47:32 ipa001 systemd[1]: Finished systemd-homed-activate.service - Home Area Activation.
Sep 25 08:47:52 ipa001 setroubleshoot[906]: SELinux is preventing /usr/lib/systemd/systemd-homed from read access on the directory home. For complete SELinux messages run: sealert -l be067faf-49f0-49f7-850d-06ff76126a98
Sep 25 08:47:53 ipa001 setroubleshoot[906]: SELinux is preventing /usr/lib/systemd/systemd-homed from read access on the directory home.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow systemd-homed to have read access on the home directory
Then you need to change the label on home
Do
# semanage fcontext -a -t FILE_TYPE 'home'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, alsa_home_t, antivirus_conf_t, antivirus_home_t, asterisk_etc_t, audio_home_t, auth_home_t, avahi_conf_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, boothd_etc_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgrules_etc_t, chrome_sandbox_home_t, cluster_conf_t, cobbler_etc_t, condor_conf_t, config_home_t, conntrackd_conf_t, couchdb_conf_t, courier_etc_t, cpucontrol_conf_t, cupsd_etc_t, cupsd_rw_etc_t, cvs_home_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, device_t, devpts_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_cert_t, dovecot_etc_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, fdo_conf_rw_t, fdo_conf_t, fdo_home_t, fetchmail_etc_t, fetchmail_home_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, fonts_cache_t, fonts_t, ftpd_etc_t, fwupd_cert_t, gconf_etc_t, gconf_home_t, gdomap_conf_t, getty_etc_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_bin_t, home_cert_t, home_root_t, hostname_etc_t, httpd_config_t, httpd_user_content_t, httpd_user_script_exec_t, ibacm_conf_t, icc_data_home_t, iceauth_home_t, init_var_lib_t, init_var_run_t, innd_etc_t, insights_client_etc_rw_t, insights_client_etc_t, ipa_cert_t, irc_conf_t, irc_home_t, irc_tmp_t, irssi_etc_t, irssi_home_t, kdump_etc_t, kismet_home_t, krb5_conf_t, krb5_home_t, krb5_host_rcache_t, krb5kdc_conf_t, l2tp_conf_t, lib_t, likewise_etc_t, lircd_etc_t, local_login_home_t, locale_t, lvm_etc_t, machineid_t, mail_home_rw_t, mail_home_t, mail_spool_t, man_cache_t, man_t, mandb_home_t, mcelog_etc_t, mdadm_conf_t, mdevctl_conf_t, minidlna_conf_t, minissdpd_conf_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_home_t, mozilla_plugin_rw_t, mpd_etc_t, mpd_home_t, mpd_user_data_t, mplayer_etc_t, mplayer_home_t, mptcpd_etc_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, mysqld_home_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nscd_var_run_t, nslcd_conf_t, ntop_etc_t, ntp_conf_t, nut_conf_t, opendnssec_conf_t, openshift_var_lib_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, oracleasm_conf_t, pads_config_t, pdns_conf_t, pegasus_conf_t, pingd_etc_t, pkcs11_modules_conf_t, pki_tomcat_cert_t, polipo_cache_home_t, polipo_config_home_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, procmail_home_t, psad_etc_t, ptal_etc_t, pulseaudio_home_t, puppet_etc_t, qatlib_conf_t, qmail_etc_t, rabbitmq_conf_t, radiusd_etc_t, radvd_etc_t, redis_conf_t, rhnsd_conf_t, rhsmcertd_config_t, rlogind_home_t, root_t, rssh_ro_t, rssh_rw_t, rsync_etc_t, samba_cert_t, samba_etc_t, sandbox_file_t, sanlock_conf_t, screen_home_t, shell_exec_t, shorewall_etc_t, slapd_cert_t, slapd_etc_t, snapperd_conf_t, snort_etc_t, soundd_etc_t, spamc_home_t, spamd_etc_t, speech_dispatcher_home_t, squid_conf_t, src_t, ssh_home_t, sslh_config_t, sssd_conf_t, sssd_public_t, stunnel_etc_t, svc_conf_t, svirt_home_t, sysfs_t, syslog_conf_t, system_conf_t, system_db_t, systemd_conf_t, systemd_home_t, systemd_homed_crypto_luks_t, systemd_homed_library_dir_t, systemd_homed_runtime_dir_t, systemd_hwdb_etc_t, systemd_userdbd_runtime_t, targetclid_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, tftpd_etc_t, thumb_home_t, tmp_t, tmpfs_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, tvtime_home_t, udev_etc_t, udev_var_run_t, ulogd_etc_t, uml_ro_t, uml_rw_t, unlabeled_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, userhelper_conf_t, usr_t, var_lib_t, var_run_t, varnishd_etc_t, virt_content_t, virt_etc_t, virt_home_t, virt_var_lib_t, virtlogd_etc_t, vmware_conf_t, vmware_file_t, vmware_sys_conf_t, webalizer_etc_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_etc_t, xdm_home_t, xdm_rw_etc_t, xserver_etc_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t.
Then execute:
restorecon -v 'home'


***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that systemd-homed should be allowed read access on the home directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-homed' --raw | audit2allow -M my-systemdhomed
# semodule -X 300 -i my-systemdhomed.pp
*** Bug 2315087 has been marked as a duplicate of this bug. ***
The following SELinux denial was found on a Fedora rawhide machine:
----
type=PROCTITLE msg=audit(09/27/2024 06:25:55.223:87) : proctitle=/usr/lib/systemd/systemd-homed
type=PATH msg=audit(09/27/2024 06:25:55.223:87) : item=0 name=/var/cache/systemd/home/ inode=93 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/27/2024 06:25:55.223:87) : cwd=/
type=SYSCALL msg=audit(09/27/2024 06:25:55.223:87) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d60b59d05e a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=672 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-homed exe=/usr/lib/systemd/systemd-homed subj=system_u:system_r:systemd_homed_t:s0 key=(null)
type=AVC msg=audit(09/27/2024 06:25:55.223:87) : avc: denied { read } for pid=672 comm=systemd-homed name=home dev="vda2" ino=93 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
----
Each execution of the following command triggers 1 SELinux denial:
# service systemd-homed restart

Here are additional details:
# ls -RailZ /var/cache/systemd/
/var/cache/systemd/:
total 12
 92 drwxr-xr-x.  3 root root system_u:object_r:var_t:s0 4096 Sep 24 02:49 .
837 drwxr-xr-x. 11 root root system_u:object_r:var_t:s0 4096 Sep 27 06:20 ..
 93 drwxr-xr-x.  2 root root system_u:object_r:var_t:s0 4096 Sep 24 02:49 home

/var/cache/systemd/home:
total 8
93 drwxr-xr-x. 2 root root system_u:object_r:var_t:s0 4096 Sep 24 02:49 .
92 drwxr-xr-x. 3 root root system_u:object_r:var_t:s0 4096 Sep 24 02:49 ..
# matchpathcon /var/cache/systemd/
/var/cache/systemd	system_u:object_r:var_t:s0
# matchpathcon /var/cache/systemd/home/
/var/cache/systemd/home	system_u:object_r:var_t:s0
#
The following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(09/27/2024 07:27:53.667:203) : proctitle=/usr/lib/systemd/systemd-homed
type=PATH msg=audit(09/27/2024 07:27:53.667:203) : item=0 name=/var/cache/systemd/home/ inode=93 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/27/2024 07:27:53.667:203) : cwd=/
type=SYSCALL msg=audit(09/27/2024 07:27:53.667:203) : arch=x86_64 syscall=openat success=yes exit=15 a0=AT_FDCWD a1=0x55bb9a01d05e a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1126 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-homed exe=/usr/lib/systemd/systemd-homed subj=system_u:system_r:systemd_homed_t:s0 key=(null)
type=AVC msg=audit(09/27/2024 07:27:53.667:203) : avc: denied { read } for pid=1126 comm=systemd-homed name=home dev="vda2" ino=93 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
----
The /var/cache/systemd/home/ location seems to be a default value:
# grep -Ri cache /etc/systemd/
/etc/systemd/system/multi-user.target.wants/systemd-homed.service:CacheDirectory=systemd/home
/etc/systemd/system/sockets.target.wants/sssd-kcm.socket:Description=SSSD Kerberos Cache Manager responder socket
/etc/systemd/system/dbus-org.freedesktop.home1.service:CacheDirectory=systemd/home
# grep -Ri cache /usr/lib/systemd/system/systemd-homed*
/usr/lib/systemd/system/systemd-homed.service:CacheDirectory=systemd/home
#
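The denials quoted in the comments above are easiest to triage when the AVC record is joined with the SYSCALL and PATH records of the same audit event: the AVC alone only says name=home, while the PATH record (present when items=1) carries the full /var/cache/systemd/home/ path and its on-disk label, which is what shows that the CacheDirectory= created by the unit is sitting on a generic var_t label. The script below is an added example, not code from this bug report, systemd or selinux-policy; the two sample events are constructed from the records quoted above (serial 87 in interpreted form with a PATH record, serial 86 in raw form with items=0 and no PATH record), and all function names are this example's own.

```python
"""Join SELinux audit records by event serial to recover the denied path and labels.

Added example (not from the bug report, systemd or selinux-policy). The sample
records are constructed from the ones quoted in the report; helper names are
this example's own.
"""
import re
from collections import defaultdict

# Constructed sample 1: interpreted event (serial 87) with a PATH record, so the
# full path of the denied directory and its label are recoverable.
SAMPLE_INTERPRETED = """\
type=PROCTITLE msg=audit(09/27/2024 06:25:55.223:87) : proctitle=/usr/lib/systemd/systemd-homed
type=PATH msg=audit(09/27/2024 06:25:55.223:87) : item=0 name=/var/cache/systemd/home/ inode=93 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL
type=CWD msg=audit(09/27/2024 06:25:55.223:87) : cwd=/
type=SYSCALL msg=audit(09/27/2024 06:25:55.223:87) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d60b59d05e a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=672 comm=systemd-homed exe=/usr/lib/systemd/systemd-homed subj=system_u:system_r:systemd_homed_t:s0 key=(null)
type=AVC msg=audit(09/27/2024 06:25:55.223:87) : avc: denied { read } for pid=672 comm=systemd-homed name=home dev="vda2" ino=93 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
"""

# Constructed sample 2: raw event (serial 86) with items=0, i.e. no PATH record;
# only the AVC's name= field (the last path component) is available.
SAMPLE_RAW = """\
type=PROCTITLE msg=audit(1727268452.218:86): proctitle="/usr/lib/systemd/systemd-homed"
type=SYSCALL msg=audit(1727268452.218:86): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=564d4c6e805e a2=90800 a3=0 items=0 ppid=1 pid=831 uid=0 comm="systemd-homed" exe="/usr/lib/systemd/systemd-homed" subj=system_u:system_r:systemd_homed_t:s0 key=(null)
type=AVC msg=audit(1727268452.218:86): avc: denied { read } for pid=831 comm="systemd-homed" name="home" dev="dm-0" ino=4323192 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
"""

# Works for both 'msg=audit(epoch:serial):' (raw) and 'msg=audit(date time:serial) :' (interpreted).
RECORD_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<stamp>[^)]*)\)\s*:\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally double-quoted
PERMS_RE = re.compile(r"denied\s*\{([^}]*)\}")  # the '{ read }' permission set of an AVC


def parse_events(text):
    """Group audit records by event serial (the number after the last ':' inside msg=audit(...))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # separators such as 'time->' or '----' are not records
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        fields["_type"] = m.group("type")
        fields["_body"] = m.group("body")
        events[m.group("stamp").rsplit(":", 1)[-1]].append(fields)
    return events


def context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize_denials(text):
    """One summary dict per AVC record, enriched with its event's SYSCALL and PATH records."""
    summaries = []
    for serial, records in parse_events(text).items():
        paths = [r for r in records if r["_type"] == "PATH"]
        syscall = next((r for r in records if r["_type"] == "SYSCALL"), {})
        for avc in (r for r in records if r["_type"] == "AVC"):
            perms = PERMS_RE.search(avc["_body"])
            # Prefer the PATH record whose inode= matches the AVC's ino=; fall back to name=.
            path = next((p["name"] for p in paths if p.get("inode") == avc.get("ino")), avc.get("name"))
            summaries.append({
                "serial": serial,
                "comm": avc.get("comm"),
                "syscall": syscall.get("syscall"),
                "source_type": context_type(avc.get("scontext", "")),
                "target_type": context_type(avc.get("tcontext", "")),
                "tclass": avc.get("tclass"),
                "perms": perms.group(1).split() if perms else [],
                "path": path,
                "path_is_full": path is not None and path.startswith("/"),
                "permissive": avc.get("permissive") == "1",
            })
    return summaries


def format_summary(s):
    """Human-readable one-liner for a denial summary."""
    mode = "permissive" if s["permissive"] else "enforcing"
    where = s["path"] if s["path_is_full"] else f"{s['path']!r} (basename only, no PATH record in event)"
    return (f"event {s['serial']}: {s['comm']} ({s['source_type']}) denied {' '.join(s['perms'])} "
            f"on {s['tclass']} {where} labelled {s['target_type']} via syscall {s['syscall']} [{mode}]")


if __name__ == "__main__":
    for sample in (SAMPLE_INTERPRETED, SAMPLE_RAW):
        for summary in summarize_denials(sample):
            print(format_summary(summary))
```

Feeding it the output of `ausearch -m avc -i` (or the raw form) prints one line per denial with the subject domain, the target's actual label and the full path when the kernel recorded one; a target labelled with a generic type such as var_t under a directory the unit creates itself is the pattern that points to a missing file context rather than a missing allow rule.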
Test coverage for this bug exists in the form of a PR:
* https://src.fedoraproject.org/tests/selinux/pull-request/547
The PR is waiting for review.
*** Bug 2315587 has been marked as a duplicate of this bug. ***
*** Bug 2315812 has been marked as a duplicate of this bug. ***
*** Bug 2316163 has been marked as a duplicate of this bug. ***
*** Bug 2316931 has been marked as a duplicate of this bug. ***
*** Bug 2317959 has been marked as a duplicate of this bug. ***
*** Bug 2319354 has been marked as a duplicate of this bug. ***