On a host with unconfined disabled, running this as a staff_u/staff_t user:
[sampre_mw@jukni ~]$ systemctl --user status
Failed to read server status: Access denied
worked until recently. I just upgraded to Fedora 27, but I *think* this worked after the upgrade, so I don't know what's going on there.
I get nothing whatever in auditd, which is weird. In syslog I get:
Dec 25 09:48:07 jukni systemd[669]: selinux: avc: denied { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0
Further, this:
[sampre_mw@jukni ~]$ systemctl --user restart lojban_mediawiki_web
Failed to restart lojban_mediawiki_web.service: Access denied
See user logs and 'systemctl --user status lojban_mediawiki_web.service' for details.
Gives this in syslog:
Dec 25 09:49:06 jukni systemd[669]: selinux: avc: denied { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0
I can't find anything in sesearch about self:system, and all I can find in https://github.com/TresysTechnology/refpolicy.git or https://github.com/TresysTechnology/refpolicy-contrib.git is:
policy/modules/kernel/kernel.te 481: allow can_load_kernmodule self:system module_load;
policy/modules/system/init.te 225: allow init_t self:system { status reboot halt reload };
It strikes me as unlikely that F27 *actually* shipped with a setup that makes systemctl user operations not work.
I don't have a comparable user to test with, really, but at first glance my other F27 systems seem OK.
Any idea what I broke?
On Mon, Dec 25, 2017 at 10:01:16AM -0800, Robin Lee Powell wrote:
I have confirmed that a comparable user on one of my other F27 systems works fine.
Does it seem like a relabel reboot would be worthwhile?
Also, what should the type of user unit files be?
[sampre@vrici ~]$ ls -lZ ~/.config/systemd/user/
total 8
drwxr-xr-x. 2 sampre sampre staff_u:object_r:user_home_t:s0  66 Feb  6  2017 default.target.wants
-rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 417 Jul 14 00:32 jbotcan_database.service
-rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 419 Jul 14 00:32 jbotcan_site.service
^^ that's on the system that's working, but setting it to user_home_t on the other system doesn't seem to help anything.
On Mon, Dec 25, 2017 at 10:08:33AM -0800, Robin Lee Powell wrote:
I have done a relabel reboot; it didn't help. I've upgraded everything to F27 latest.
I have no idea where to go from here; any hints? Is there a more active place to ask SELinux questions?
On Thu, Dec 28, 2017 at 10:36:05PM -0800, Robin Lee Powell wrote:
I also checked that sysadm_u and user_u can't run "systemctl --user status" either, so it's not just that staff_u is broken in some way.
On 12/29/2017 07:56 AM, Robin Lee Powell wrote:
Hi Robin,
Sorry for the late reply.
I worked on this issue. First, I allowed the SELinux denials related to using the systemctl command for the SELinux users sysadm_t and staff_t:
# sesearch -A -s staff_t -t staff_t -c system -p status
allow staff_t staff_t:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read undefined };
# sesearch -A -s sysadm_t -t sysadm_t -c system -p status
allow sysadm_t sysadm_t:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read undefined };
Next, I labeled HOME_DIR/.config/systemd/user/ as systemd_unit_file_t, which means that all user systemd unit files will have the label systemd_unit_file_t and confined users can access them:
# sesearch -A -s staff_t -t systemd_unit_file_t -c service
allow staff_t systemd_unit_file_type:service { disable enable reload start status stop };
# sesearch -A -s sysadm_t -t systemd_unit_file_t -c service
allow sysadm_t systemd_unit_file_type:service { disable enable reload start status stop };
I created a nightly build for Rawhide with all the fixes: https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-nightly/build...
It should also be part of the next selinux-policy update for Fedora 27.
Thanks, Lukas.
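Editor's note with an added example (not code from the thread, from Robin, or from the selinux-policy project). The two denials Robin posted are userspace AVC messages: `system` and `service` are object classes that systemd checks itself as a userspace object manager and then logs on its own, which is why they turn up in syslog/the journal rather than in the kernel AVC records that ausearch usually shows. The script below parses those two lines (embedded as sample input) and, for each, prints the sesearch query of the kind Lukas used to confirm the grant, the audit2allow-style allow rule that would cover exactly the denied permission, and, for the unit-file denial, the semanage fcontext and restorecon commands that give the user unit directory the target type Lukas describes. The module name `systemd_user_local`, the `/home` prefix in the file-context spec (the shipped policy uses its HOME_DIR macro instead) and the choice of granting the single denied permission to the concrete type rather than the full permission set on the `systemd_unit_file_type` attribute, as the shipped fix does, are all this example's own assumptions.

```python
"""Turn systemd's userspace AVC denials into the policy queries and rules
that explain them.

Added example by the editor; not code from the thread or from selinux-policy.
It parses the two "selinux: avc: denied" lines systemd --user logged in the
thread and emits the sesearch query that shows whether the loaded policy
grants the access, the audit2allow-style allow rule, and, for unit-file
denials, the semanage fcontext/restorecon commands for the unit directory.
The module name and the /home prefix in the file-context spec are assumptions.
"""
import re

# Sample input: the two syslog lines quoted in the thread, embedded here as a string.
SAMPLE_LOG = """\
Dec 25 09:48:07 jukni systemd[669]: selinux: avc: denied { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0
Dec 25 09:49:06 jukni systemd[669]: selinux: avc: denied { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value possibly quoted
UNIT_DIR = "/.config/systemd/user/"


def parse_denials(text):
    """One dict per denial line; the type is field 2 of a user:role:type:range context."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a userspace AVC line
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "perms": sorted(m.group("perms").split()),
            "stype": f["scontext"].split(":")[2],
            "ttype": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            "path": f.get("path") or None,
            "permissive": f.get("permissive") == "1",
        })
    return denials


def sesearch_command(d):
    """Query that lists any allow rule covering this denial in the loaded policy."""
    return (f"sesearch -A -s {d['stype']} -t {d['ttype']} "
            f"-c {d['tclass']} -p {','.join(d['perms'])}")


def allow_rule(d):
    """Minimal rule granting exactly the denied permissions ('self' when source == target)."""
    target = "self" if d["ttype"] == d["stype"] else d["ttype"]
    return f"allow {d['stype']} {target}:{d['tclass']} {{ {' '.join(d['perms'])} }};"


def fcontext_commands(d, home_root="/home"):
    """For a denial on a file under ~/.config/systemd/user: the commands that give the
    whole directory the denied target type, so a relabel keeps it. None otherwise.
    home_root is an assumption; the shipped policy uses its HOME_DIR macro."""
    if not d["path"] or UNIT_DIR not in d["path"]:
        return None
    user_dir = d["path"].split(UNIT_DIR)[0] + UNIT_DIR.rstrip("/")
    spec = f"{home_root}/[^/]+/\\.config/systemd/user(/.*)?"
    return [f"semanage fcontext -a -t {d['ttype']} '{spec}'",
            f"restorecon -Rv {user_dir}"]


def module_source(denials, name="systemd_user_local"):
    """A .te module (build with checkmodule -M -m, semodule_package, semodule -i)
    whose require block and rules cover every parsed denial."""
    types, classes, rules = set(), {}, []
    for d in denials:
        types.update({d["stype"], d["ttype"]})
        classes.setdefault(d["tclass"], set()).update(d["perms"])
        rules.append(allow_rule(d))
    req = [f"    type {t};" for t in sorted(types)]
    req += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "", *rules, ""])


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(sesearch_command(d))
        for cmd in fcontext_commands(d) or []:
            print(cmd)
    print(module_source(found))
```

For the first denial this prints `sesearch -A -s staff_t -t staff_t -c system -p status`, the same query Lukas ran; an empty result from sesearch on the affected host, against a rule on a working host, is the confirmation that the policy version differs. The generated module is a diagnostic stopgap in the audit2allow spirit: it grants only what was denied, to the concrete types in the log, and should be removed once the selinux-policy update that carries the proper rules is installed.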
On Mon, Jan 22, 2018 at 11:11:34AM +0100, Lukas Vrabec wrote:
Excellent! Thank you so much, both for the work and the explanation.
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org