Bug 2118784 - AVC denied read init_t var_lib_t:lnk_file prevent using systemd StateDirectory
Summary: AVC denied read init_t var_lib_t:lnk_file prevent using systemd StateDirectory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-08-16 18:39 UTC by François Rigault
Modified: 2023-05-16 11:00 UTC (History)

Fixed In Version: selinux-policy-3.14.3-111.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 09:03:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-131239 0 None None None 2022-08-16 18:48:23 UTC
Red Hat Product Errata RHBA-2023:2965 0 None None None 2023-05-16 09:04:05 UTC

Description François Rigault 2022-08-16 18:39:42 UTC
Description of problem:
Reading https://www.redhat.com/sysadmin/systemd-secure-services, I cannot use systemd DynamicUser with the StateDirectory feature in RHEL 8.4.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-67.el8_4.4.noarch

How reproducible:
all the time

Steps to Reproduce:
1. systemd-run -p DynamicUser=yes -p StateDirectory=myservice0  touch /var/lib/myservice0/foo
2. systemd-run -p DynamicUser=yes -p StateDirectory=myservice0 --pipe wc -c /var/lib/myservice0/foo
3. ausearch -ts recent -m AVC

Actual results:
journalctl -u run-u1347032
systemd[1]: run-u1347032.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
systemd[1]: run-u1347032.service: Failed with result 'exit-code'.

type=AVC msg=audit(1660674703.774:2002484): avc:  denied  { read } for  pid=823450 comm="(wc)" name="myservice0" dev="sda3" ino=17011586 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0


Expected results:
0 /var/lib/myservice0/foo
<no matches>


Additional info:
fedora has this:
$ sesearch  -A -s init_t -t var_lib_t -c lnk_file -p read
allow init_t var_lib_t:lnk_file { create read write }

Thanks

Comment 1 Milos Malik 2022-08-17 07:08:30 UTC
The following SELinux denials appeared in enforcing mode:
----
type=PROCTITLE msg=audit(08/17/2022 09:05:46.511:383) : proctitle=(touch) 
type=PATH msg=audit(08/17/2022 09:05:46.511:383) : item=3 name=/var/lib/private/myservice0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:05:46.511:383) : item=2 name=/var/lib/myservice0 inode=26165988 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:05:46.511:383) : item=1 name=/var/lib/private/ inode=162767 dev=fd:02 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:05:46.511:383) : item=0 name=/var/lib/ inode=101 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/17/2022 09:05:46.511:383) : cwd=/ 
type=SYSCALL msg=audit(08/17/2022 09:05:46.511:383) : arch=x86_64 syscall=rename success=no exit=EACCES(Permission denied) a0=0x556175c95790 a1=0x556175c95880 a2=0xfffffffffffffdc8 a3=0x100 items=4 ppid=1 pid=4995 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(touch) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(08/17/2022 09:05:46.511:383) : avc:  denied  { rename } for  pid=4995 comm=(touch) name=myservice0 dev="vda2" ino=26165988 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(08/17/2022 09:05:55.264:387) : proctitle=(wc) 
type=PATH msg=audit(08/17/2022 09:05:55.264:387) : item=3 name=/var/lib/private/myservice0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:05:55.264:387) : item=2 name=/var/lib/myservice0 inode=26165988 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:05:55.264:387) : item=1 name=/var/lib/private/ inode=162767 dev=fd:02 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:05:55.264:387) : item=0 name=/var/lib/ inode=101 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/17/2022 09:05:55.264:387) : cwd=/ 
type=SYSCALL msg=audit(08/17/2022 09:05:55.264:387) : arch=x86_64 syscall=rename success=no exit=EACCES(Permission denied) a0=0x556175b88b70 a1=0x556175ca9510 a2=0xfffffffffffffdc8 a3=0x100 items=4 ppid=1 pid=5018 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(wc) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(08/17/2022 09:05:55.264:387) : avc:  denied  { rename } for  pid=5018 comm=(wc) name=myservice0 dev="vda2" ino=26165988 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0 
----

# ls -ldZ /var/lib/myservice0
drwxr-xr-x. 2 root root unconfined_u:object_r:var_lib_t:s0 6 Aug 17 09:05 /var/lib/myservice0
# ls -laZ /var/lib/myservice0
total 8
drwxr-xr-x.   2 root root unconfined_u:object_r:var_lib_t:s0    6 Aug 17 09:05 .
drwxr-xr-x. 143 root root system_u:object_r:var_lib_t:s0     4096 Aug 17 09:05 ..
#

Comment 2 Milos Malik 2022-08-17 07:11:11 UTC
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(08/17/2022 09:08:57.396:397) : proctitle=(touch) 
type=PATH msg=audit(08/17/2022 09:08:57.396:397) : item=3 name=/var/lib/private/myservice0 inode=26165988 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:08:57.396:397) : item=2 name=/var/lib/myservice0 inode=26165988 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:08:57.396:397) : item=1 name=/var/lib/private/ inode=162767 dev=fd:02 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(08/17/2022 09:08:57.396:397) : item=0 name=/var/lib/ inode=101 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/17/2022 09:08:57.396:397) : cwd=/ 
type=SYSCALL msg=audit(08/17/2022 09:08:57.396:397) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x556175bd2880 a1=0x556175c87820 a2=0xfffffffffffffdc8 a3=0x100 items=4 ppid=1 pid=5708 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(touch) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(08/17/2022 09:08:57.396:397) : avc:  denied  { reparent } for  pid=5708 comm=(touch) name=myservice0 dev="vda2" ino=26165988 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(08/17/2022 09:08:57.396:397) : avc:  denied  { rename } for  pid=5708 comm=(touch) name=myservice0 dev="vda2" ino=26165988 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(08/17/2022 09:09:06.012:401) : proctitle=(wc) 
type=PATH msg=audit(08/17/2022 09:09:06.012:401) : item=0 name=/var/lib/myservice0 inode=40925 dev=fd:02 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/17/2022 09:09:06.012:401) : cwd=/ 
type=SYSCALL msg=audit(08/17/2022 09:09:06.012:401) : arch=x86_64 syscall=readlinkat success=yes exit=18 a0=AT_FDCWD a1=0x556175d4ac10 a2=0x556175df25d0 a3=0x63 items=1 ppid=1 pid=5740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(wc) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(08/17/2022 09:09:06.012:401) : avc:  denied  { read } for  pid=5740 comm=(wc) name=myservice0 dev="vda2" ino=40925 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1
----

# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.3-106.el8.noarch
selinux-policy-devel-3.14.3-106.el8.noarch
selinux-policy-doc-3.14.3-106.el8.noarch
selinux-policy-minimum-3.14.3-106.el8.noarch
selinux-policy-mls-3.14.3-106.el8.noarch
selinux-policy-sandbox-3.14.3-106.el8.noarch
selinux-policy-targeted-3.14.3-106.el8.noarch
#

Comment 3 François Rigault 2022-08-17 07:28:19 UTC
Note: I do not have problems with the touch:

$ sudo systemd-run -p DynamicUser=yes -p StateDirectory=myservice0  touch /var/lib/myservice0/foo
Running as unit: run-r08702a47b7d74f5094231f76d97462c8.service
$ sudo ls -l /var/lib/private/myservice0
total 0
-rw-r--r--. 1 63103 63103 0 17 août  07:25 foo

Only the read permission is missing.
Thanks

Comment 4 Milos Malik 2022-08-17 07:42:43 UTC
Thanks for the information.

I misunderstood the location (/var/lib/myservice0 vs. /var/lib/private/myservice0).

Comment 5 Zdenek Pytela 2022-08-18 08:54:06 UTC
This commit is needed to backport:

commit 90b328406aea1168714563924a291d4673be58c0
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 27 20:21:33 2019 +0100

    Allow systemd to read symlinks in /var/lib
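
The AVC record in the description and the commit named in comment 5, worked through as an added shell example (not code from the bug report, from selinux-policy or from systemd): it parses an AVC denial into the matching sesearch query (the one the reporter ran by hand under "Additional info"), wraps the report's two systemd-run steps so the 238/STATE_DIRECTORY failure is easy to retrigger, and writes a local CIL module carrying only the rule the backported commit adds. The module name systemd_var_lib_lnk, the repro/workaround subcommands and the assumption that systemd-run --wait propagates the unit's exit status are this example's own; the sample AVC line is copied from the report.

```shell
#!/bin/sh
# Added example (not code from the bug report, selinux-policy or systemd):
# turn an AVC denial into the sesearch query that checks whether the loaded
# policy allows the access, drive the report's reproducer, and install a
# local CIL module with the single rule the backported commit adds.

# AVC record copied from the report's "Actual results" (constructed sample input).
SAMPLE_AVC='type=AVC msg=audit(1660674703.774:2002484): avc:  denied  { read } for  pid=823450 comm="(wc)" name="myservice0" dev="sda3" ino=17011586 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0'

# avc_field RECORD KEY -> value of the KEY=value token, quotes stripped.
# Handles both raw audit.log lines and the interpreted "ausearch -i" form.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> permissions listed in "{ ... }", comma-separated as sesearch -p expects.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//' | tr ' ' ','
}

# ctx_type CONTEXT -> the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_sesearch RECORD -> the sesearch command answering "does policy allow this?".
avc_to_sesearch() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# policy_allows RECORD -> 0 if sesearch finds an allow rule, 1 if it does not,
# 2 if setools (sesearch) is not installed, so nothing can be decided here.
policy_allows() {
    command -v sesearch >/dev/null 2>&1 || return 2
    [ -n "$($(avc_to_sesearch "$1") 2>/dev/null)" ]
}

# repro_state_directory NAME: the report's two systemd-run steps, run synchronously.
# Needs root and systemd. Without the lnk_file read rule the second unit fails with
# 238/STATE_DIRECTORY, because /var/lib/NAME is a symlink into /var/lib/private
# that init_t may not read. Assumes systemd-run --wait returns the unit's status.
repro_state_directory() {
    name=${1:-myservice0}
    systemd-run -q --wait -p DynamicUser=yes -p StateDirectory="$name" \
        touch "/var/lib/$name/foo"
    systemd-run -q --wait --pipe -p DynamicUser=yes -p StateDirectory="$name" \
        wc -c "/var/lib/$name/foo"
    rc=$?
    ls -ldZ "/var/lib/$name" "/var/lib/private/$name"
    ausearch -ts recent -m AVC 2>/dev/null | grep -F 'tclass=lnk_file' || true
    return "$rc"
}

# install_workaround_module: local CIL module (hypothetical name systemd_var_lib_lnk)
# carrying only the rule from the backported commit "Allow systemd to read symlinks
# in /var/lib". Interim fix for hosts that cannot yet take selinux-policy-3.14.3-111.el8;
# remove it with "semodule -r systemd_var_lib_lnk" once the errata package is in.
install_workaround_module() {
    dir=$(mktemp -d)
    printf '(allow init_t var_lib_t (lnk_file (read)))\n' >"$dir/systemd_var_lib_lnk.cil"
    semodule -i "$dir/systemd_var_lib_lnk.cil"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

case "${1:-}" in
    repro)      repro_state_directory "${2:-myservice0}" ;;
    workaround) install_workaround_module ;;
    *)          avc_to_sesearch "$SAMPLE_AVC" ;;
esac
```

Run with no arguments to see the query derived from the report's AVC line; as root on a RHEL 8 host, "repro" retriggers the failure and "workaround" loads the interim rule. The local module is a stopgap, not a replacement for the errata: it grants init_t read on every var_lib_t symlink (narrower than the Fedora rule quoted in the description, which also allows create and write), and it should be removed after selinux-policy-3.14.3-111.el8 or later is installed so the shipped policy is the only source of that access.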

Comment 20 errata-xmlrpc 2023-05-16 09:03:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965

