Bug
Resolution: Won't Do
Minor
rhel-8.9.0
Moderate
rhel-sst-security-selinux
ssg_security
QE ack
False
Red Hat Enterprise Linux
Automated
What were you trying to do that didn't work?
When a service is of type "Notify" and its startup script executes systemd-notify to tell systemd it's ready, the following AVCs pop up, preventing the service from starting:
----
type=PROCTITLE msg=audit(02/15/2024 02:30:53.641:324) : proctitle=systemd-notify --ready
type=SOCKADDR msg=audit(02/15/2024 02:30:53.641:324) : saddr={ saddr_fam=local path=/run/systemd/notify }
type=SYSCALL msg=audit(02/15/2024 02:30:53.641:324) : arch=x86_64 syscall=sendmsg success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x7fff369c3650 a2=MSG_NOSIGNAL a3=0x2b items=0 ppid=5986 pid=5988 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)
type=AVC msg=audit(02/15/2024 02:30:53.641:324) : avc: denied { sys_admin } for pid=5988 comm=systemd-notify capability=sys_admin scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(02/15/2024 02:30:53.641:325) : proctitle=systemd-notify --ready
type=PATH msg=audit(02/15/2024 02:30:53.641:325) : item=0 name=/run/systemd/notify inode=11799 dev=00:18 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2024 02:30:53.641:325) : cwd=/
type=SOCKADDR msg=audit(02/15/2024 02:30:53.641:325) : saddr={ saddr_fam=local path=/run/systemd/notify }
type=SYSCALL msg=audit(02/15/2024 02:30:53.641:325) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7fff369c3650 a2=MSG_NOSIGNAL a3=0x2b items=1 ppid=5986 pid=5988 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)
type=AVC msg=audit(02/15/2024 02:30:53.641:325) : avc: denied { sendto } for pid=5988 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
----
Note the AVC on sys_admin is unrelated.
Above we can see the target context being kernel_t, even though the socket file itself looks OK:
# ls -Zd /run/systemd/notify
system_u:object_r:init_var_run_t:s0 /run/systemd/notify
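To triage records like these without reading them by hand, here is an added example (not part of the bug report) that parses the audit lines quoted above, groups them by event serial and reports, for each denial, the source and target types alongside the filesystem label from the matching PATH record. The embedded input is the report's own records; note that for a socket class the AVC tcontext is the label of the socket object, which SELinux takes from the process that created the socket, so it is not the init_var_run_t file label that ls -Z shows for the path.

```python
import re
from collections import defaultdict

# Audit records copied from the report above (ausearch -i format, one record per
# line); the unrelated sys_admin denial is kept to show it is reported separately.
AUDIT_LINES = """\
type=PATH msg=audit(02/15/2024 02:30:53.641:325) : item=0 name=/run/systemd/notify inode=11799 dev=00:18 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(02/15/2024 02:30:53.641:324) : avc: denied { sys_admin } for pid=5988 comm=systemd-notify capability=sys_admin scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0
type=AVC msg=audit(02/15/2024 02:30:53.641:325) : avc: denied { sendto } for pid=5988 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
"""

SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")  # event serial inside msg=audit(...)
KV_RE = re.compile(r"(\w+)=(\{[^}]*\}|\S+)")          # key=value, brace groups kept whole
PERM_RE = re.compile(r"denied\s+\{([^}]*)\}")         # the { perm ... } set of an AVC

def parse_record(line):
    """Split one audit record into (event serial, dict of its key=value fields)."""
    serial = SERIAL_RE.search(line).group(1)
    fields = dict(KV_RE.findall(line))
    perms = PERM_RE.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return serial, fields

def selinux_type(context):
    """Type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize_denials(text):
    """Correlate each AVC with the PATH record of the same audit event. For a
    socket class the AVC tcontext is the socket object's label (from its creating
    process), not the filesystem label of the path; both are returned."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            serial, fields = parse_record(line)
            events[serial].append(fields)
    findings = []
    for serial in sorted(events):
        file_label = next((r["obj"] for r in events[serial] if r.get("type") == "PATH"), None)
        for avc in (r for r in events[serial] if r.get("type") == "AVC"):
            findings.append({
                "serial": serial, "perms": avc["perms"], "tclass": avc["tclass"],
                "source_type": selinux_type(avc["scontext"]),
                "target_type": selinux_type(avc["tcontext"]),
                "path": avc.get("path"),
                "path_file_type": selinux_type(file_label) if file_label else None,
            })
    return findings
```

Run it on the output of `ausearch -i -m AVC,PATH` from the affected host; the second finding shows target_type kernel_t next to path_file_type init_var_run_t, which is the observation made above.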
Please provide the package NVR for which the bug is seen:
systemd-239-79.el8.x86_64
It is reproducible on RHEL8, RHEL9 and Fedora 38.
How reproducible:
Always
Steps to reproduce
- Create /etc/systemd/system/repro.service with the content below:
[Service]
Type=notify
NotifyAccess=all
ExecStart=/bin/sh -c "sleep 3; systemd-notify --ready; sleep 30"
- Reload systemd and start the service:
# systemctl daemon-reload
# systemctl start repro
Expected results
No failure
Actual results
AVCs + failure:
Feb 15 02:30:53 machine sh[5988]: Failed to notify init system: Permission denied
Clones: RHEL-25514 AVC "sendto" when executing systemd-notify from a service unit [rhel-9] (Closed)