Bug 1613635
Field | Value
---|---
Summary | SELinux is preventing systemd-user-ru from 'unlink' accesses on the lnk_file .flatpak-cache.
Product | [Fedora] Fedora
Reporter | Mikhail <mikhail.v.gavrilov>
Component | selinux-policy
Assignee | Lukas Vrabec <lvrabec>
Status | CLOSED DUPLICATE
QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | unspecified
Docs Contact |
Priority | unspecified
Version | 29
CC | 7d28c752, bugzilla, dwalsh, fedora, kparal, lvrabec, mgrepl, plautrba, xzj8b3
Target Milestone | ---
Target Release | ---
Hardware | x86_64
OS | Unspecified
Whiteboard | abrt_hash:26169c0c66560f7d9bf47493543eb5eafb5a0443dfb275e9c3d0a33dcef3c4dd;VARIANT_ID=workstation;
Fixed In Version |
Doc Type | If docs needed, set a value
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2018-11-04 10:21:15 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Attachments | 1482723 (journal snippet)
Description
Mikhail
2018-08-08 03:46:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.

*** Bug 1619567 has been marked as a duplicate of this bug. ***

I see this with selinux-policy-3.14.2-34.fc29.noarch. It's happening when the user logs out of a GNOME user session (back to login screen), and I get this sequence:

    [15498.950104] f29h.local systemd-logind[710]: New session c2 of user gdm.
    [15498.954264] f29h.local systemd[1]: user: Killing process 5145 (gpg-agent) with signal SIGKILL.
    [15498.954444] f29h.local systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
    [15498.957437] f29h.local systemd[1]: Started Session c2 of user gdm.
    [15498.960091] f29h.local systemd[1]: Stopped User Manager for UID 1000.
    [15498.960277] f29h.local systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
    [15498.960666] f29h.local audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    [15498.961357] f29h.local systemd[1]: Removed slice User Slice of UID 1000.
    [15498.963540] f29h.local systemd[1]: Stopping /run/user/1000 mount wrapper...
    [15498.974430] f29h.local audit[9294]: AVC avc: denied { unlink } for pid=9294 comm="systemd-user-ru" name=".flatpak-cache" dev="tmpfs" ino=59188 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=0
    [15498.974925] f29h.local systemd-user-runtime-dir[9294]: Failed to remove runtime directory /run/user/1000 (before unmounting): Permission denied
    [15498.985511] f29h.local systemd[1]: Stopped /run/user/1000 mount wrapper.

Created attachment 1482723: journal snippet
Slightly longer range leading up to the AVC.

If you believe that systemd-user-ru should be allowed unlink access on the .flatpak-cache lnk_file by default, then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:

    # ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
    # semodule -X 300 -i my-systemduserru.pp

Additional Information:

    Source Context        system_u:system_r:init_t:s0
    Target Context        unconfined_u:object_r:user_tmp_t:s0
    Target Objects        .flatpak-cache [ lnk_file ]
    Source                systemd-user-ru
    Source Path           systemd-user-ru
    Port                  <Unknown>
    Host                  flap.local
    Source RPM Packages
    Target RPM Packages
    Policy RPM            selinux-policy-3.14.2-40.fc29.noarch
    Selinux Enabled       True
    Policy Type           targeted
    Enforcing Mode        Enforcing
    Host Name             flap.local
    Platform              Linux flap.local 4.19.0-1.fc30.x86_64 #1 SMP Mon Oct 22 14:04:41 UTC 2018 x86_64 x86_64
    Alert Count           6
    First Seen            2018-10-16 17:25:58 MDT
    Last Seen             2018-10-28 13:16:15 MDT
    Local ID              57f1a8cc-272f-4fea-b45c-4bd87cefed80

Raw Audit Messages:

    type=AVC msg=audit(1540754175.946:1240): avc: denied { unlink } for pid=19455 comm="systemd-user-ru" name=".flatpak-cache" dev="tmpfs" ino=3116743 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=0

*** This bug has been marked as a duplicate of bug 1644313 ***
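Before pasting an `audit2allow` module into `semodule`, it helps to see what rule the denial actually turns into. The script below is an added example, not part of this bug report or of the setroubleshoot/audit2allow tools: it parses AVC records in both the journal and raw `ausearch` shapes quoted above, merges denials by (source type, target type, class) and prints the corresponding allow rule, so the reviewer can judge the scope of what would be granted (here, `init_t` unlinking any `user_tmp_t` symlink) rather than loading it blind. The sample lines are copied from the report; `SAMPLE_LINES`, `parse_avc` and `allow_rules` are names chosen for this example.

```python
import re
from collections import defaultdict

# Sample input, reproduced from the bug report above (one non-AVC journal
# line, the journal-format AVC, and the raw audit-format AVC).
SAMPLE_LINES = [
    '[15498.960091] f29h.local systemd[1]: Stopped User Manager for UID 1000.',
    '[15498.974430] f29h.local audit[9294]: AVC avc: denied { unlink } for pid=9294 '
    'comm="systemd-user-ru" name=".flatpak-cache" dev="tmpfs" ino=59188 '
    'scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 '
    'tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1540754175.946:1240): avc: denied { unlink } for pid=19455 '
    'comm="systemd-user-ru" name=".flatpak-cache" dev="tmpfs" ino=3116743 '
    'scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 '
    'tclass=lnk_file permissive=0',
]

# The parts of an AVC record that decide the policy rule: permission set,
# source/target security contexts and the object class.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
                    r'tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Type field of a context such as system_u:system_r:init_t:s0 -> init_t."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one log line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        'perms': set(m.group('perms').split()),
        'stype': selinux_type(m.group('scontext')),
        'ttype': selinux_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'comm': fields.get('comm', '').strip('"'),
        'name': fields.get('name', '').strip('"'),
        'permissive': fields.get('permissive') == '1',  # 0 = actually blocked
    }

def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    fmt = lambda p: p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return sorted(f'allow {s} {t}:{c} {fmt(sorted(p))};' for (s, t, c), p in merged.items())

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_LINES)))
```

Run it over `journalctl -k` or `ausearch -m AVC --raw` output; any rule whose source is a broad domain like `init_t` deserves a policy bug report rather than a local module.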