Bug
Resolution: Done-Errata
Normal
rhel-9.3.0
selinux-policy-38.1.44-1.el9
Moderate
rhel-sst-security-selinux
ssg_security
QE ack
Red Hat Enterprise Linux
CY24Q2
Pass
Automated
Unspecified Release Note Type - Unknown
What were you trying to do that didn't work?
When a service is of type "Notify" and its startup script executes systemd-notify to tell systemd it's ready, the following AVCs pop up, preventing the service from starting:
type=PROCTITLE msg=audit(02/14/2024 14:52:56.812:248) : proctitle=systemd-notify --ready
type=SYSCALL msg=audit(02/14/2024 14:52:56.812:248) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffe64bf5510 a2=MSG_NOSIGNAL a3=0x7ffe64bf5494 items=0 ppid=1798 pid=1802 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)
type=AVC msg=audit(02/14/2024 14:52:56.812:248) : avc: denied { sendto } for pid=1802 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
----
type=PROCTITLE msg=audit(02/14/2024 14:52:56.813:249) : proctitle=systemd-notify --ready
type=SYSCALL msg=audit(02/14/2024 14:52:56.813:249) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffe64bf5410 a2=MSG_NOSIGNAL a3=0x7ffe64bf5394 items=0 ppid=1798 pid=1802 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)
type=AVC msg=audit(02/14/2024 14:52:56.813:249) : avc: denied { sendto } for pid=1802 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
There is actually also an AVC on sys_admin, but it doesn't have the same root cause, hence it is not handled here.
Above we can see the target context being kernel_t, even though the socket file itself looks OK:
# ls -Zd /run/systemd/notify
system_u:object_r:init_var_run_t:s0 /run/systemd/notify
Please provide the package NVR for which bug is seen:
systemd-252-26.el9.x86_64
It is reproducible on RHEL 8, RHEL 9 and Fedora 38.
How reproducible:
Always
Steps to reproduce:
- Create /etc/systemd/system/repro.service with the content below:
    [Service]
    Type=notify
    NotifyAccess=all
    ExecStart=/bin/sh -c "sleep 3; systemd-notify --ready; sleep 30"
- Reload systemd and start the service:
    # systemctl daemon-reload
    # systemctl start repro
Expected results
No failure
Actual results
AVCs + failure:
Feb 14 14:58:02 p1 sh[222047]: Failed to notify init system: Permission denied
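Added triage example (not part of the report above and not code from the selinux-policy project): a POSIX shell script that turns the AVC records quoted in the report into the TE allow rule they imply and into the sesearch query that tells whether the loaded policy already grants it, then, where ausearch and sesearch exist, runs that check against live systemd-notify denials. The embedded AVC text is copied from the report; the function names are this example's own. What it makes concrete is the point the reporter raises about the target context: for a unix_dgram_socket the tcontext is the label of the socket object, which a socket inherits from the process that created it, so the init_var_run_t label that ls -Z shows on the /run/systemd/notify path plays no part in the denied check; only the kernel_t on the socket does.

```shell
#!/bin/sh
# Added example: map SELinux AVC records to the TE rule they imply and to the
# sesearch query that checks the loaded policy for that rule.
# Constructed sample: the two AVC lines quoted in the report above (ausearch -i format).
SAMPLE_AVC='type=AVC msg=audit(02/14/2024 14:52:56.812:248) : avc: denied { sendto } for pid=1802 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(02/14/2024 14:52:56.813:249) : avc: denied { sendto } for pid=1802 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0'

# avc_to_allow: read AVC records on stdin, print one deduplicated allow rule per
# (source type, target type, class), taking the type (3rd ":"-separated part) of
# scontext and tcontext. tcontext is the label of the object the check ran against;
# for a socket that is the socket object's own label (inherited from its creating
# process), not the label of the path= file. Accepts "avc: denied" (ausearch -i)
# and "avc:  denied" (ausearch --raw) spacing.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied[ ]*[{][ ]*/, "", perms)
      sub(/[ ]*[}].*/, "", perms)
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
        if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
        if (kv[1] == "tclass") c = kv[2]
      }
      if (s != "" && t != "" && c != "" && perms != "")
        print "allow " s " " t ":" c " { " perms " };"
    }' | sort -u
}

# allow_to_sesearch: read allow rules on stdin, print the setools sesearch
# command that lists matching allow rules in the loaded policy. Empty output
# from that command means the policy does not grant the access.
allow_to_sesearch() {
  awk '
    $1 == "allow" {
      split($3, tc, ":")
      perms = $0
      sub(/.*[{][ ]*/, "", perms)
      sub(/[ ]*[}].*/, "", perms)
      gsub(/ +/, ",", perms)
      print "sesearch -A -s " $2 " -t " tc[1] " -c " tc[2] " -p " perms
    }'
}

# live_check: on a host with audit and setools-console installed (run as root),
# pull the real systemd-notify denials and report whether the loaded policy
# grants each one. Anywhere else it prints a skip line and succeeds.
live_check() {
  if ! command -v ausearch >/dev/null 2>&1 || ! command -v sesearch >/dev/null 2>&1; then
    echo "skip: ausearch and/or sesearch not installed"
    return 0
  fi
  ausearch -m AVC -c systemd-notify -i 2>/dev/null | avc_to_allow | while IFS= read -r rule; do
    q=$(printf '%s\n' "$rule" | allow_to_sesearch)
    # $q is intentionally unquoted: it is a command line of space-free words.
    if [ -n "$($q 2>/dev/null)" ]; then
      echo "granted by loaded policy: $rule"
    else
      echo "missing from loaded policy: $rule   (check: $q)"
    fi
  done
}

# Stand-alone run: parse the constructed sample, then look at the live system.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | allow_to_sesearch
live_check
```

On the sample the script prints `allow systemd_notify_t kernel_t:unix_dgram_socket { sendto };` and the matching `sesearch -A -s systemd_notify_t -t kernel_t -c unix_dgram_socket -p sendto`; an empty result from that sesearch on an affected host confirms the rule is absent from the installed selinux-policy. The printed rule is the same access audit2allow would package into a local module, which is the usual stopgap until a selinux-policy build carrying the fix is installed.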
- is cloned by: RHEL-25605 AVC "sendto" when executing systemd-notify from a service unit [rhel-8] (Closed)
- is duplicated by: RHEL-38101 AVC denial: systemd-notify not allowed to run inside a systemd unit (Closed)
- links to: RHBA-2024:130707 selinux-policy bug fix and enhancement update