2089171 – SELinux is preventing systemctl from 'search' accesses on the directory 1.

Bug 2089171 - SELinux is preventing systemctl from 'search' accesses on the directory 1.

Summary: SELinux is preventing systemctl from 'search' accesses on the directory 1.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	36
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:63a164edb7f6dde0c7a60d58f9a...
Duplicates (2):	2089172 2089174 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-05-23 07:28 UTC by Kamil Páral
Modified:	2022-08-03 15:36 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-08-03 15:36:40 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Kamil Páral 2022-05-23 07:28:07 UTC

Description of problem:
I upgraded my F36 Workstation and rebooted. This is the first time I see this error, so it must be related to the recent update.
SELinux is preventing systemctl from 'search' accesses on the directory 1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed search access on the 1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_dispatcher_custom
                              _t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                1 [ dir ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.9-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.9-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.9-300.fc36.x86_64 #1 SMP
                              PREEMPT Wed May 18 15:08:23 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-05-23 09:25:13 CEST
Last Seen                     2022-05-23 09:25:13 CEST
Local ID                      3a2511bd-989a-43a0-99d3-ac59c8d80c3a

Raw Audit Messages
type=AVC msg=audit(1653290713.730:249): avc:  denied  { search } for  pid=1396 comm="systemctl" name="1" dev="proc" ino=16751 scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1


Hash: systemctl,NetworkManager_dispatcher_custom_t,init_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-36.9-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.17.9-300.fc36.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2022-05-23 11:13:22 UTC

Kamile,

Do you know which script triggers this denial?

Comment 2 Zdenek Pytela 2022-05-23 11:13:45 UTC

*** Bug 2089172 has been marked as a duplicate of this bug. ***

Comment 3 Zdenek Pytela 2022-05-23 11:13:52 UTC

*** Bug 2089174 has been marked as a duplicate of this bug. ***

Comment 4 Kamil Páral 2022-05-23 11:41:42 UTC

I have no idea. How can I figure it out? I have a fairly stock F36 Workstation installation.

It appeared together with sendmail AVCs (bug 2089175 and others) and they have the same occurrence count. Perhaps those are related to this?

Comment 5 Zdenek Pytela 2022-05-23 11:47:46 UTC

(In reply to Kamil Páral from comment #4)
> I have no idea. How can I figure it out? I have a fairly stock F36
> Workstation installation.
I am afraid it will not be disclosed even with full auditing enabled and it is not worth the effort put into watch audit rules.

> It appeared together with sendmail AVCs (bug 2089175 and others) and they
> have the same occurrence count. Perhaps those are related to this?
Perhaps. Let's check again once bz#2089175 is addressed.

Comment 6 Johannes Kalliauer 2022-05-28 11:09:32 UTC

Similar problem has been detected:

used wifi at airport

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file labeled init_t.
type:           libreport

Comment 7 Johannes Kalliauer 2022-05-28 11:10:39 UTC

Similar problem has been detected:

used airport-wifi

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the lnk_file root.
type:           libreport

Comment 8 Johannes Kalliauer 2022-05-28 11:11:05 UTC

Similar problem has been detected:

used airport-wifi

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'search' accesses on the directory 1.
type:           libreport

Comment 9 Johannes Kalliauer 2022-05-29 10:28:20 UTC

Similar problem has been detected:

in the USA I switched to the University-VPN in Europe

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file labeled init_t.
type:           libreport

Comment 10 Johannes Kalliauer 2022-05-29 10:28:51 UTC

Similar problem has been detected:

in the USA I switched to the University-VPN in Europe

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the lnk_file root.
type:           libreport

Comment 11 Johannes Kalliauer 2022-05-29 10:29:18 UTC

Similar problem has been detected:

in the USA I switched to the University-VPN in Europe

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'search' accesses on the directory 1.
type:           libreport

Comment 12 Davide Repetto 2022-05-29 18:07:30 UTC

Similar problem has been detected:

This happens at boot, even after "fixfiles onboot", together with another 10 AVCs.


hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'search' accesses on the cartella 1.
type:           libreport

Comment 13 Davide Repetto 2022-05-29 18:07:52 UTC

Similar problem has been detected:

This happens at boot, even after "fixfiles onboot", together with another 10 AVCs.


hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the lnk_file root.
type:           libreport

Comment 14 Davide Repetto 2022-05-29 18:08:14 UTC

Similar problem has been detected:

This happens at boot, even after "fixfiles onboot", together with another 10 AVCs.


hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file Sconosciuto.
type:           libreport

Comment 15 Ankur Sinha (FranciscoD) 2022-05-31 15:21:14 UTC

Similar problem has been detected:

Running a minikube cluster using docker (from the docker repo, not podman)

hashmarkername: setroubleshoot
kernel:         5.17.11-300.fc36.x86_64
package:        selinux-policy-targeted-36.9-1.fc36.noarch
reason:         SELinux is preventing systemctl from 'read' accesses on the file labeled init_t.
type:           libreport

Comment 16 Zdenek Pytela 2022-05-31 19:04:59 UTC

I believe this issue will be gone with selinux-policy-36.10-1.fc36.noarch.

Comment 17 Zdenek Pytela 2022-08-03 15:36:40 UTC

I believe this AVC has been addressed in the latest release:

# sesearch -A -s NetworkManager_dispatcher_custom_t -t init_t -c dir -p search
allow NetworkManager_dispatcher_custom_t init_t:dir { getattr open search };
# rpm -q selinux-policy
selinux-policy-36.10-1.fc36.noarch

Note You need to log in before you can comment on or make changes to this bug.