Bug 2121734 - AVCs when runtime directory for the user is cleaned up on session exit
Summary: AVCs when runtime directory for the user is cleaned up on session exit
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 9.3
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-08-26 13:01 UTC by Renaud Métrich
Modified: 2023-08-04 20:52 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links:
Red Hat Issue Tracker RHELPLAN-132442 (last updated 2022-08-26 13:14:51 UTC)

Description Renaud Métrich 2022-08-26 13:01:31 UTC
Description of problem:

When `systemd-logind` executes `/usr/lib/systemd/systemd-user-runtime-dir` to clean up the user's session on exit, AVCs can be seen when the latter cannot delete files due to their label, e.g.:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(08/26/2022 14:54:01.976:473) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1000 
type=SYSCALL msg=audit(08/26/2022 14:54:01.976:473) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x3 a1=0x558372fa6d03 a2=0x0 a3=0x9b items=0 ppid=1 pid=2633 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null) 
type=AVC msg=audit(08/26/2022 14:54:01.976:473) : avc:  denied  { unlink } for  pid=2633 comm=systemd-user-ru name=foo dev="tmpfs" ino=18 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This kind of AVC should be hidden, or a transition to some new context should be created to allow `/usr/lib/systemd/systemd-user-runtime-dir` to delete everything it wants in that directory.

Version-Release number of selected component (if applicable):

selinux-policy-34.1.29-1.el9_0.2.noarch

How reproducible:

Always

Steps to Reproduce:
1. Create a user on the system

    # useradd user
    # echo "redhat" | passwd --stdin user

2. Login as the user and create a file in its runtime directory

    # ssh user@localhost
    ...
    $ touch /run/user/$(id -u)/foo
    $ chcon -t container_file_t /run/user/$(id -u)/foo

3. Exit and wait for session to be cleaned up (10 seconds by default)

    $ exit

4. Check the audit log for AVCs

    # ausearch -i -m avc -ts recent

Actual results:

type=PROCTITLE msg=audit(08/26/2022 14:54:01.976:473) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1000 
type=SYSCALL msg=audit(08/26/2022 14:54:01.976:473) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x3 a1=0x558372fa6d03 a2=0x0 a3=0x9b items=0 ppid=1 pid=2633 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null) 
type=AVC msg=audit(08/26/2022 14:54:01.976:473) : avc:  denied  { unlink } for  pid=2633 comm=systemd-user-ru name=foo dev="tmpfs" ino=18 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0 

Expected results:

No AVC

Additional info:

Files disappear anyway because the runtime directory is tmpfs and gets unmounted, so it's harmless.
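Triage helper for the denials above, as an added example that is not part of the bug report or of selinux-policy. It parses `ausearch -i` style output, groups records by audit serial number, and flags the denials that match the pattern this bug describes (systemd_logind_t, via the fixed exe path `/usr/lib/systemd/systemd-user-runtime-dir`, failing to unlink a file on the tmpfs-backed runtime directory) so they can be separated from other AVCs during review. The sample input embeds the three records quoted in the description (serial 473) plus a constructed, unrelated httpd_t denial (serial 474) to show the filter discriminating. Treating `rmdir` on `dir` as part of the same cleanup pattern is an assumption of this example; the report itself only shows `unlink` on `file`.

```python
"""Triage helper for the runtime-directory cleanup AVCs (added example, not project code)."""
import re
from collections import defaultdict

# One record per line, as printed by `ausearch -i`:
#   type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value ...>
RECORD_RE = re.compile(r"^type=(\w+)\s+msg=audit\((.+?):(\d+)\)\s*:\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# exe= value quoted in the bug's SYSCALL record.
RUNTIME_DIR_HELPER = "/usr/lib/systemd/systemd-user-runtime-dir"

# Constructed sample: serial 473 is copied from the bug report, serial 474 is a made-up
# httpd_t denial so that the filter has something to reject.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(08/26/2022 14:54:01.976:473) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1000
type=SYSCALL msg=audit(08/26/2022 14:54:01.976:473) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x3 a1=0x558372fa6d03 a2=0x0 a3=0x9b items=0 ppid=1 pid=2633 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(08/26/2022 14:54:01.976:473) : avc:  denied  { unlink } for  pid=2633 comm=systemd-user-ru name=foo dev="tmpfs" ino=18 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(08/26/2022 14:55:10.100:474) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f1a2c003f10 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=3001 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(08/26/2022 14:55:10.100:474) : avc:  denied  { read } for  pid=3001 comm=httpd name=index.html dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""


def parse_records(text):
    """Return {serial: {record_type: [fields, ...]}} for every audit record in text."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        fields["_timestamp"] = timestamp
        fields["_raw"] = body
        if rtype == "AVC":
            pm = PERMS_RE.search(body)
            if pm:
                fields["_result"] = pm.group(1)
                fields["_perms"] = set(pm.group(2).split())
        events[int(serial)][rtype].append(fields)
    return events


def selinux_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def session_uid(event):
    """UID passed to `systemd-user-runtime-dir stop <uid>`, from the PROCTITLE record, or None."""
    for rec in event.get("PROCTITLE", []):
        m = re.search(r"systemd-user-runtime-dir stop (\d+)", rec["_raw"])
        if m:
            return int(m.group(1))
    return None


def is_runtime_dir_cleanup_denial(event):
    """True when the event is systemd_logind_t (running systemd-user-runtime-dir) being
    denied unlink/rmdir on the tmpfs runtime directory, as in this bug."""
    helper = any(s.get("exe") == RUNTIME_DIR_HELPER for s in event.get("SYSCALL", []))
    if not helper:
        return False
    for avc in event.get("AVC", []):
        if (avc.get("_result") == "denied"
                and selinux_type(avc.get("scontext", "::")) == "systemd_logind_t"
                and avc.get("dev") == "tmpfs"
                and avc.get("tclass") in ("file", "dir")  # dir/rmdir is an assumption
                and avc.get("_perms", set()) & {"unlink", "rmdir"}):
            return True
    return False


def triage(text):
    """Split AVC records into (cleanup_noise, other), each a list of (serial, avc_fields)."""
    noise, other = [], []
    for serial, event in sorted(parse_records(text).items()):
        bucket = noise if is_runtime_dir_cleanup_denial(event) else other
        for avc in event.get("AVC", []):
            bucket.append((serial, avc))
    return noise, other


if __name__ == "__main__":
    events = parse_records(SAMPLE_AUDIT)
    noise, other = triage(SAMPLE_AUDIT)
    for serial, avc in noise:
        print(f"serial {serial}: runtime-dir cleanup denial for uid "
              f"{session_uid(events[serial])}, file {avc['name']!r} labelled "
              f"{selinux_type(avc['tcontext'])} (expected harmless, see bug)")
    for serial, avc in other:
        print(f"serial {serial}: REVIEW {selinux_type(avc['scontext'])} "
              f"{sorted(avc['_perms'])} on {avc['tclass']} {avc['name']!r}")
```

Feed it `ausearch -i -m avc,syscall,proctitle -ts recent` output; the filter keys on the exe path and the tmpfs device rather than on `comm`, because `comm` is truncated to `systemd-user-ru` in the records. It is a review aid only: it does not change policy, and anything landing in the "other" bucket still needs a human decision.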

Comment 1 Zdenek Pytela 2023-01-05 17:11:36 UTC
We will consider this bz for RHEL 9.3 and assign a separate type for systemd-user-runtime-dir.

