Bug
Resolution: Done-Errata
Normal
rhel-9.4
selinux-policy-38.1.40-1.el9
rhel-sst-security-selinux
ssg_security
17
QE ack
False
No
Red Hat Enterprise Linux
Pass
Automated
Unspecified Release Note Type - Unknown
What were you trying to do that didn't work?
I have a user mapped to the SELinux user staff_u
When they log in, systemctl --user --failed shows that systemd-tmpfiles-setup.service failed to start.
After a few minutes, systemd-tmpfiles-clean.service gets started by a timer and also fails.
[sam.admin@ipa6 ~]$ id
uid=1673100503(sam.admin) gid=1673100503(sam.admin) groups=1673100503(sam.admin),1673000000(admins) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
[sam.admin@ipa6 ~]$ systemctl status --user --failed
× systemd-tmpfiles-clean.service - Cleanup of User's Temporary Files and Directories
     Loaded: loaded (/usr/lib/systemd/user/systemd-tmpfiles-clean.service; static)
     Active: failed (Result: exit-code) since Fri 2024-06-07 09:51:40 UTC; 1min 47s ago
TriggeredBy: ● systemd-tmpfiles-clean.timer
       Docs: man:tmpfiles.d(5)
             man:systemd-tmpfiles(8)
    Process: 4722 ExecStart=systemd-tmpfiles --user --clean (code=exited, status=203/EXEC)
   Main PID: 4722 (code=exited, status=203/EXEC)
        CPU: 2ms

× systemd-tmpfiles-setup.service - Create User's Volatile Files and Directories
     Loaded: loaded (/usr/lib/systemd/user/systemd-tmpfiles-setup.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-06-07 09:46:36 UTC; 6min ago
       Docs: man:tmpfiles.d(5)
             man:systemd-tmpfiles(8)
    Process: 4443 ExecStart=systemd-tmpfiles --user --create --remove --boot (code=exited, status=203/EXEC)
   Main PID: 4443 (code=exited, status=203/EXEC)
        CPU: 2ms
After disabling dontaudit rules, systemctl --user start systemd-tmpfiles-clean triggers this AVC denial:
type=AVC msg=audit(1717754142.988:228): avc: denied { getattr } for pid=4878 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="vda4" ino=25175233 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd0
type=SYSCALL msg=audit(1717754142.988:228): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff7bdd9570 a2=0 a3=0 items=0 ppid=4436 pid=4878 auid=1673100503 uid=1673100503 gid=1673100503 euid=1673100503 suid=1673100503 fsuid=1673100"
type=PROCTITLE msg=audit(1717754142.988:228): proctitle="(tmpfiles)"
I can't run systemd-tmpfiles manually either:
[sam.admin@ipa6 ~]$ /usr/bin/systemd-tmpfiles
-bash: /usr/bin/systemd-tmpfiles: Permission denied
AVC events:
type=AVC msg=audit(1717754742.568:290): avc: denied { execute } for pid=5213 comm="bash" name="systemd-tmpfiles" dev="vda4" ino=25175233 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1717754742.568:290): arch=c000003e syscall=59 success=no exit=-13 a0=55f6692b1b30 a1=55f6692b0ba0 a2=55f6692b6350 a3=8 items=0 ppid=4445 pid=5213 auid=1673100503 uid=1673100503 gid=1673100503 euid=1673100503 suid=1673100503 fsuid=1673100503 egid=1673100503 sgid=1673100503 fsgid=1673100503 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=execve AUID="sam.admin" UID="sam.admin" GID="sam.admin" EUID="sam.admin" SUID="sam.admin" FSUID="sam.admin" EGID="sam.admin" SGID="sam.admin" FSGID="sam.admin"
type=PROCTITLE msg=audit(1717754742.568:290): proctitle="-bash"
type=AVC msg=audit(1717754742.568:291): avc: denied { getattr } for pid=5213 comm="bash" path="/usr/bin/systemd-tmpfiles" dev="vda4" ino=25175233 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1717754742.568:291): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=55f6692b1b30 a2=7fff6c34ac20 a3=0 items=0 ppid=4445 pid=5213 auid=1673100503 uid=1673100503 gid=1673100503 euid=1673100503 suid=1673100503 fsuid=1673100503 egid=1673100503 sgid=1673100503 fsgid=1673100503 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=newfstatat AUID="sam.admin" UID="sam.admin" GID="sam.admin" EUID="sam.admin" SUID="sam.admin" FSUID="sam.admin" EGID="sam.admin" SGID="sam.admin" FSGID="sam.admin"
type=PROCTITLE msg=audit(1717754742.568:291): proctitle="-bash"
type=AVC msg=audit(1717754742.569:292): avc: denied { getattr } for pid=5213 comm="bash" path="/usr/bin/systemd-tmpfiles" dev="vda4" ino=25175233 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1717754742.569:292): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=55f6692b1b30 a2=7fff6c34ab50 a3=0 items=0 ppid=4445 pid=5213 auid=1673100503 uid=1673100503 gid=1673100503 euid=1673100503 suid=1673100503 fsuid=1673100503 egid=1673100503 sgid=1673100503 fsgid=1673100503 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=newfstatat AUID="sam.admin" UID="sam.admin" GID="sam.admin" EUID="sam.admin" SUID="sam.admin" FSUID="sam.admin" EGID="sam.admin" SGID="sam.admin" FSGID="sam.admin"
type=PROCTITLE msg=audit(1717754742.569:292): proctitle="-bash"
This testing was performed after a full relabel (touch /.autorelabel && reboot).
Please provide the package NVR for which bug is seen:
selinux-policy-38.1.35-2.el9_4.noarch
How reproducible:
Steps to reproduce
- Create a user mapped to staff_u
- Log in as the user
- Run systemctl --user --failed
Expected results
No failed services
Actual results
systemd-tmpfiles-setup user service is failed
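Triage helper added here by the editor; it is not part of the bug report or of the selinux-policy project. It reduces AVC records like the ones quoted above to the (source type, target type, class, permission) tuples a policy fix has to cover, prints the sesearch query that shows whether a loaded policy allows each tuple, and, when setools is installed, runs those queries so the same script can confirm the fixed build on the affected host. The sample input is constructed from the report's own denials; sesearch (setools-console) is an assumed, optional dependency used only by check_policy.

```shell
#!/bin/sh
# Parse SELinux AVC denials into policy tuples and check them with sesearch.
# Assumptions: classic audit record format ("type=AVC msg=audit(...): avc: denied { perm } ... scontext=... tcontext=... tclass=...");
# sesearch from setools-console is optional and only used by check_policy().

# Constructed sample input: the execute/getattr denials quoted in the report.
SAMPLE_AVCS='type=AVC msg=audit(1717754742.568:290): avc:  denied  { execute } for  pid=5213 comm="bash" name="systemd-tmpfiles" dev="vda4" ino=25175233 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1717754742.568:291): avc:  denied  { getattr } for  pid=5213 comm="bash" path="/usr/bin/systemd-tmpfiles" dev="vda4" ino=25175233 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1717754742.569:292): avc:  denied  { getattr } for  pid=5213 comm="bash" path="/usr/bin/systemd-tmpfiles" dev="vda4" ino=25175233 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=0'

# avc_tuples: read audit records on stdin, emit unique "stype ttype tclass perm" lines.
# The type is the third colon-separated field of a context; the permission is
# whatever sits between "{ " and " }". Non-AVC records (SYSCALL, PROCTITLE) are skipped.
avc_tuples() {
    awk '
    /^type=AVC/ {
        perm = ""; s = ""; t = ""; c = ""
        if (match($0, /[{] [^}]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   c = kv[2]
        }
        if (s != "" && t != "" && c != "" && perm != "") print s, t, c, perm
    }' | sort -u
}

# sesearch_cmd STYPE TTYPE TCLASS PERM: print the query that lists the allow
# rules covering one tuple in the loaded policy (none printed means still denied).
sesearch_cmd() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$1" "$2" "$3" "$4"
}

# check_policy: read tuples on stdin and run the queries against the live policy.
# Returns 0 if every tuple is allowed, 1 if any is still denied, 2 if sesearch is missing.
check_policy() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed (dnf install setools-console)"; return 2; }
    rc=0
    while read -r s t c p; do
        if sesearch -A -s "$s" -t "$t" -c "$c" -p "$p" | grep -q '^allow'; then
            echo "allowed:      $s -> $t:$c $p"
        else
            echo "still denied: $s -> $t:$c $p"; rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample: prints one sesearch query per unique tuple.
printf '%s\n' "$SAMPLE_AVCS" | avc_tuples | while read -r s t c p; do
    sesearch_cmd "$s" "$t" "$c" "$p"
done
```

On the affected host, source the file and run `ausearch -m AVC -ts recent | avc_tuples | check_policy` before and after updating selinux-policy; a non-zero exit means at least one of the denied tuples is still not allowed by the loaded policy. As the report notes, the getattr denial from the user service only surfaces after dontaudit rules are disabled (semodule -DB), so re-enable them with semodule -B once the check is done.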
Links to: RHBA-2024:130707 selinux-policy bug fix and enhancement update