Description of problem:
SELinux is preventing sulogin from using the 'checkpoint_restore' capabilities.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that sulogin should be allowed the checkpoint_restore capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing the following commands:
# ausearch -c 'sulogin' --raw | audit2allow -M my-sulogin
# semodule -X 300 -i my-sulogin.pp

Additional Information:
Source Context                system_u:system_r:sulogin_t:s0-s0:c0.c1023
Target Context                system_u:system_r:sulogin_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability2 ]
Source                        sulogin
Source Path                   sulogin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-39.4-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.4-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.7.4-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Feb 5 22:21:14 UTC 2024 x86_64
Alert Count                   3
First Seen                    2024-02-14 00:28:06 CET
Last Seen                     2024-02-21 13:33:10 CET
Local ID                      39fe8ca8-fb67-4918-8161-8f776d4ce138

Raw Audit Messages
type=AVC msg=audit(1708518790.257:1208): avc: denied { checkpoint_restore } for pid=220682 comm="sulogin" capability=40 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tclass=capability2 permissive=0

Hash: sulogin,sulogin_t,sulogin_t,capability2,checkpoint_restore

Version-Release number of selected component:
selinux-policy-targeted-39.4-1.fc39.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing sulogin from using the 'checkpoint_restore' capabilities.
package:        selinux-policy-targeted-39.4-1.fc39.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.7.4-200.fc39.x86_64
Created attachment 2018036 [details] File: description
Created attachment 2018037 [details] File: os_info
Dirk, do you know when this issue appears?
Unfortunately I can't. It could have been triggered by using sudo, I guess. It is a FreeIPA client, if this helps.
I was unable to reproduce this issue with our freeipa test. However, sulogin is used when the system fails to boot regularly and requests root's password to proceed - wasn't it this case? Did it work successfully afterwards?
Yes, right, I had a filesystem problem and was able to repair it using the emergency shell.
(In reply to Dirk Gottschalk from comment #6)
> Yes, right, I had a filesystem problem and was able to repair it using the
> emergency shell.

OK, so did the rescuing go well and the only thing you are concerned with is this denial?
Test coverage for this bug exists in the form of a PR:
* https://src.fedoraproject.org/tests/selinux/pull-request/483
The PR waits for a review.
Steps to Reproduce before applying any bug fix:
# service rescue start
# service rescue stop

SELinux denials caught in enforcing mode:
----
type=PROCTITLE msg=audit(03/22/2024 07:49:15.117:336) : proctitle=/usr/sbin/sulogin
type=SYSCALL msg=audit(03/22/2024 07:49:15.117:336) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=0x5457 a2=0x7ffddf7ec870 a3=0x8 items=0 ppid=1427 pid=1428 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=sulogin exe=/usr/sbin/sulogin subj=system_u:system_r:sulogin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/22/2024 07:49:15.117:336) : avc: denied { checkpoint_restore } for pid=1428 comm=sulogin capability=checkpoint_restore scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
----
type=PROCTITLE msg=audit(03/22/2024 07:49:20.034:337) : proctitle=/usr/sbin/sulogin
type=PATH msg=audit(03/22/2024 07:49:20.034:337) : item=0 name=(null) inode=20 dev=00:05 mode=character,620 ouid=root ogid=tty rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/22/2024 07:49:20.034:337) : cwd=/root
type=SYSCALL msg=audit(03/22/2024 07:49:20.034:337) : arch=x86_64 syscall=fsetxattr success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7f0dbd81c197 a2=0x55762fa45f60 a3=0x22 items=1 ppid=1427 pid=1428 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sulogin exe=/usr/sbin/sulogin subj=system_u:system_r:sulogin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/22/2024 07:49:20.034:337) : avc: denied { relabelfrom } for pid=1428 comm=sulogin name=tty1 dev="devtmpfs" ino=20 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
----

SELinux denials caught in permissive mode:
----
type=PROCTITLE msg=audit(03/22/2024 07:50:31.556:342) : proctitle=/usr/sbin/sulogin
type=SYSCALL msg=audit(03/22/2024 07:50:31.556:342) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=0x5457 a2=0x7ffe2c4d7d50 a3=0x8 items=0 ppid=1447 pid=1448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=unset comm=sulogin exe=/usr/sbin/sulogin subj=system_u:system_r:sulogin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/22/2024 07:50:31.556:342) : avc: denied { checkpoint_restore } for pid=1448 comm=sulogin capability=checkpoint_restore scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
----
type=PROCTITLE msg=audit(03/22/2024 07:50:38.458:343) : proctitle=/usr/sbin/sulogin
type=PATH msg=audit(03/22/2024 07:50:38.458:343) : item=0 name=(null) inode=20 dev=00:05 mode=character,620 ouid=root ogid=tty rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/22/2024 07:50:38.458:343) : cwd=/root
type=SYSCALL msg=audit(03/22/2024 07:50:38.458:343) : arch=x86_64 syscall=fsetxattr success=yes exit=0 a0=0x3 a1=0x7f9e30a19197 a2=0x55fab9038f60 a3=0x22 items=1 ppid=1 pid=1448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sulogin exe=/usr/sbin/sulogin subj=system_u:system_r:sulogin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/22/2024 07:50:38.458:343) : avc: denied { relabelto } for pid=1448 comm=sulogin name=tty1 dev="devtmpfs" ino=20 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(03/22/2024 07:50:38.458:343) : avc: denied { relabelfrom } for pid=1448 comm=sulogin name=tty1 dev="devtmpfs" ino=20 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
----
FEDORA-2024-98cd1ec226 (selinux-policy-39.6-1.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-98cd1ec226
FEDORA-2024-98cd1ec226 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-98cd1ec226` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-98cd1ec226 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-98cd1ec226 (selinux-policy-39.6-1.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.