Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-25703

AVCs "sys_admin" when executing systemd-notify from a service unit

XMLWordPrintable

    • None
    • Moderate
    • 1
    • sst_security_selinux
    • ssg_security
    • 25
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • CY24Q2
    • Hide

      The reproducer does not trigger any SELinux denials when executed on a freshly installed machine.

      Show
      The reproducer does not trigger any SELinux denials when executed on a freshly installed machine.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • None

      What were you trying to do that didn't work?

      When a service is of type "Notify" and its startup script executes systemd-notify to tell systemd it's ready, the following AVC pop up:

      type=PROCTITLE msg=audit(02/15/2024 10:55:23.848:260) : proctitle=systemd-notify --ready 
type=SYSCALL msg=audit(02/15/2024 10:55:23.848:260) : arch=x86_64 syscall=sendmsg success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x7fff3972ed90 a2=MSG_NOSIGNAL a3=0x7fff3972ed14 items=0 ppid=25967 pid=25969 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null) 
type=AVC msg=audit(02/15/2024 10:55:23.848:260) : avc:  denied  { sys_admin } for  pid=25969 comm=systemd-notify capability=sys_admin  scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0

      This is a continuation of RHEL-25605 .

      The reason is unclear to me, we can see in systemd-notify code that a first attempt to send the message with "fake credentials" is performed, which fails, then tried again, which is then a success:

      437 _public_ int sd_pid_notify_with_fds(
438                 pid_t pid,
439                 int unset_environment,
440                 const char *state,
441                 const int *fds,
442                 unsigned n_fds) {
 :
525         /* First try with fake ucred data, as requested */
526         if (sendmsg(fd, &msghdr, MSG_NOSIGNAL) >= 0) {
527                 r = 1;
528                 goto finish;
529         }
530 
531         /* If that failed, try with our own ucred instead */
532         if (send_ucred) {
533                 msghdr.msg_controllen -= CMSG_SPACE(sizeof(struct ucred));
534                 if (msghdr.msg_controllen == 0)
535                         msghdr.msg_control = NULL;
536 
537                 if (sendmsg(fd, &msghdr, MSG_NOSIGNAL) >= 0) {
538                         r = 1;
539                         goto finish;
540                 }
541         }
 :

      The AVC pops up on line 526.
      It's unclear to me whether systemd code has to be fixed or if SYS_ADMIN should be granted, I believe it should be harmless to grant SYS_ADMIN to systemd_notify_t type.

      Please provide the package NVR for which bug is seen:

      selinux-policy

      How reproducible:

      Always

      Steps to reproduce

       Create /etc/systemd/system/repro.service with content below
      [Service]
      Type=notify
      NotifyAccess=all
      ExecStart=/bin/sh -c "sleep 3; systemd-notify --ready; sleep 30"
      Reload systemd and start the service

      1. systemctl daemon-reload
      2. systemctl start repro

      Expected results

      No failure

      Actual results

      AVC

            rhn-support-zpytela Zdenek Pytela
            rhn-support-rmetrich Renaud Métrich
            Zdenek Pytela Zdenek Pytela
            Milos Malik Milos Malik
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated: