Bug 2383215 - AVCs for /var/lib/lastlog/lastlog2.db
Summary: AVCs for /var/lib/lastlog/lastlog2.db
Keywords:
Status: CLOSED DUPLICATE of bug 2382799
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-07-24 11:48 UTC by Zbigniew Jędrzejewski-Szmek
Modified: 2025-07-24 19:04 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-07-24 15:46:25 UTC
Type: ---
Embargoed:

Description Zbigniew Jędrzejewski-Szmek 2025-07-24 11:48:54 UTC
This is from fedora-43-updates-server-x86_64-BuildUpdate-FEDORA-2025-3a5164d83a-realmd_join_cockpit@64bit openqa run:

lip 24 11:42:43 localhost.localdomain systemd[1]: Started user - User Manager for UID 0.
lip 24 11:42:43 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
lip 24 11:42:43 localhost.localdomain systemd[1]: Started session-1.scope - Session 1 of User root.
lip 24 11:42:43 localhost.localdomain login[1134]: pam_unix(login:session): session opened for user root(uid=0) by root(uid=0)
lip 24 11:42:43 localhost.localdomain audit[1134]: AVC avc:  denied  { create } for  pid=1134 comm="login" name="lastlog2.db" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
lip 24 11:42:43 localhost.localdomain login[1134]: pam_lastlog2(login:session): Cannot create/open database (/var/lib/lastlog/lastlog2.db): unable to open database file
lip 24 11:42:43 localhost.localdomain audit[1134]: USER_START pid=1134 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask acct="root" exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=/dev/tty1 res=success'
lip 24 11:42:43 localhost.localdomain audit[1134]: CRED_REFR pid=1134 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=/dev/tty1 res=success'
lip 24 11:42:43 localhost.localdomain audit[1134]: USER_LOGIN pid=1134 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=tty1 res=success'
lip 24 11:42:43 localhost.localdomain login[1134]: ROOT LOGIN ON tty1

I'm pretty sure this is related to the switch to lastlog2:
https://src.fedoraproject.org/rpms/util-linux/c/e873a14a1d864adc9912834adb50e2237ea8c0b0
Reproducible: Always
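
The denial quoted above (and the cockpit-session ones in Comment 3) can be triaged mechanically before anyone reaches for audit2allow. The following is an added example, not part of the bug report, of selinux-policy or of the openQA tooling: it parses AVC records out of journal lines, groups denials by source type, target type, object class and permission set, and flags denials whose target carries a generic label such as var_lib_t, which usually means the path has no dedicated file-context rule rather than that the domain needs broader access. The sample lines are copied from this report; the GENERIC_TYPES set and the heuristic attached to it are my own assumptions.

```python
"""Triage SELinux AVC denials from journal lines (added example, not project code)."""
import re
from collections import Counter

# Constructed sample: copies of the journal lines quoted in this bug.
SAMPLE_LINES = [
    'lip 24 11:42:43 localhost.localdomain audit[1134]: AVC avc:  denied  { create } for  pid=1134 comm="login" name="lastlog2.db" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'lip 24 11:42:43 localhost.localdomain login[1134]: pam_lastlog2(login:session): Cannot create/open database (/var/lib/lastlog/lastlog2.db): unable to open database file',
    'Jul 24 03:12:42 adclient002.samdom.openqa.fedoraproject.org audit[2517]: AVC avc:  denied  { getattr } for  pid=2517 comm="cockpit-session" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0',
    'Jul 24 03:12:42 adclient002.samdom.openqa.fedoraproject.org audit[2517]: AVC avc:  denied  { getattr } for  pid=2517 comm="cockpit-session" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0',
]

# The AVC payload: 'avc:  denied  { perm1 perm2 } for  key=value key="value" ...'
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed heuristic list: generic directory labels. A confined domain being
# denied against one of these usually points at a missing fcontext rule for
# the specific path, not at a need to widen the domain's access.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t"}


def selinux_type(context):
    """Return the type component (user:role:TYPE:range) of a context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one journal line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: (q if q else b) for k, q, b in FIELD_RE.findall(m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "source": selinux_type(fields.get("scontext", "")),
        "target": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        # permissive=0 means the denial was actually enforced
        "enforcing": fields.get("permissive") == "0",
        "fields": fields,
    }


def summarize(lines):
    """Count denials per (source type, target type, object class, permission set)."""
    groups = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["decision"] == "denied":
            groups[(avc["source"], avc["target"], avc["tclass"], avc["perms"])] += 1
    return groups


def describe(groups):
    """Render each denial group as one line, flagging generic target labels."""
    out = []
    for (src, tgt, tclass, perms), n in sorted(groups.items()):
        note = ""
        if tgt in GENERIC_TYPES:
            note = " (target has a generic label: likely a missing file-context rule)"
        out.append(f"{n}x {src} -> {tgt} {tclass} {{ {' '.join(perms)} }}{note}")
    return out


if __name__ == "__main__":
    for row in describe(summarize(SAMPLE_LINES)):
        print(row)
```

Feeding the full journal of the failing openQA run through summarize() collapses the repeated cockpit-session lines into one group and separates them from the login/lastlog2 denial, so each distinct policy gap shows up exactly once.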

Comment 1 Paul Holzinger 2025-07-24 12:41:41 UTC
It looks like this AVC is breaking systemd user sessions in the systemd-258 update, ref https://bodhi.fedoraproject.org/updates/FEDORA-2025-3a5164d83a

Comment 2 Zdenek Pytela 2025-07-24 15:46:25 UTC

*** This bug has been marked as a duplicate of bug 2382799 ***

Comment 3 Adam Williamson 2025-07-24 19:04:26 UTC
Note the logs also show other denials:

Jul 24 03:12:42 adclient002.samdom.openqa.fedoraproject.org audit[2517]: AVC avc:  denied  { getattr } for  pid=2517 comm="cockpit-session" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0
Jul 24 03:12:42 adclient002.samdom.openqa.fedoraproject.org audit[2517]: AVC avc:  denied  { getattr } for  pid=2517 comm="cockpit-session" name="/" dev="pidfs" ino=1 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:pidfs_t:s0 tclass=filesystem permissive=0
