Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1613635

Summary:

SELinux is preventing systemd-user-ru from 'unlink' accesses on the lnk_file .flatpak-cache.

Product:

[Fedora] Fedora

Reporter:

Mikhail <mikhail.v.gavrilov>

Component:

selinux-policy

Assignee:

Lukas Vrabec <lvrabec>

Status:

CLOSED DUPLICATE

QA Contact:

Fedora Extras Quality Assurance <extras-qa>

Severity:

unspecified

Docs Contact:

Priority:

unspecified

Version:

CC:

7d28c752, bugzilla, dwalsh, fedora, kparal, lvrabec, mgrepl, plautrba, xzj8b3

Target Milestone:

---

Target Release:

---

Hardware:

x86_64

OS:

Unspecified

Whiteboard:

abrt_hash:26169c0c66560f7d9bf47493543eb5eafb5a0443dfb275e9c3d0a33dcef3c4dd;VARIANT_ID=workstation;

Fixed In Version:

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2018-11-04 10:21:15 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Attachments:

Description	Flags
journal snippet	none

Description Mikhail 2018-08-08 03:46:40 UTC

Description of problem:
SELinux is preventing systemd-user-ru from 'unlink' accesses on the lnk_file .flatpak-cache.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-user-ru should be allowed unlink access on the .flatpak-cache lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                .flatpak-cache [ lnk_file ]
Source                        systemd-user-ru
Source Path                   systemd-user-ru
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-30.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.18.0-0.rc7.git1.1.fc29.x86_64 #1
                              SMP Wed Aug 1 16:46:20 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-08-08 08:10:15 +05
Last Seen                     2018-08-08 08:10:15 +05
Local ID                      0131d677-bed6-44ad-b527-992494451e4d

Raw Audit Messages
type=AVC msg=audit(1533697815.785:910): avc:  denied  { unlink } for  pid=8767 comm="systemd-user-ru" name=".flatpak-cache" dev="tmpfs" ino=5201491 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1


Hash: systemd-user-ru,init_t,user_tmp_t,lnk_file,unlink

Version-Release number of selected component:
selinux-policy-3.14.2-30.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.0-0.rc7.git1.1.fc29.x86_64
type:           libreport

Comment 1 Jan Kurik 2018-08-14 08:38:02 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 2 Chris Murphy 2018-09-12 15:02:51 UTC

*** Bug 1619567 has been marked as a duplicate of this bug. ***

Comment 3 Chris Murphy 2018-09-12 15:12:32 UTC

I see this with selinux-policy-3.14.2-34.fc29.noarch

It's happening when the user logs out of a GNOME user session (back to login screen), and I get this sequence:

[15498.950104] f29h.local systemd-logind[710]: New session c2 of user gdm.
[15498.954264] f29h.local systemd[1]: user: Killing process 5145 (gpg-agent) with signal SIGKILL.
[15498.954444] f29h.local systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
[15498.957437] f29h.local systemd[1]: Started Session c2 of user gdm.
[15498.960091] f29h.local systemd[1]: Stopped User Manager for UID 1000.
[15498.960277] f29h.local systemd[1]: user-runtime-dir: Unit not needed anymore. Stopping.
[15498.960666] f29h.local audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[15498.961357] f29h.local systemd[1]: Removed slice User Slice of UID 1000.
[15498.963540] f29h.local systemd[1]: Stopping /run/user/1000 mount wrapper...
[15498.974430] f29h.local audit[9294]: AVC avc:  denied  { unlink } for  pid=9294 comm="systemd-user-ru" name=".flatpak-cache" dev="tmpfs" ino=59188 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=0
[15498.974925] f29h.local systemd-user-runtime-dir[9294]: Failed to remove runtime directory /run/user/1000 (before unmounting): Permission denied
[15498.985511] f29h.local systemd[1]: Stopped /run/user/1000 mount wrapper.

Comment 4 Chris Murphy 2018-09-12 15:17:15 UTC

Created attachment 1482723 [details]
journal snippet

Slightly longer range leading up to the AVC.

Comment 5 Chris Murphy 2018-11-02 18:20:01 UTC

If you believe that systemd-user-ru should be allowed unlink access on the .flatpak-cache lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
# semodule -X 300 -i my-systemduserru.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                .flatpak-cache [ lnk_file ]
Source                        systemd-user-ru
Source Path                   systemd-user-ru
Port                          <Unknown>
Host                          flap.local
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     flap.local
Platform                      Linux flap.local 4.19.0-1.fc30.x86_64 #1 SMP Mon
                              Oct 22 14:04:41 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-10-16 17:25:58 MDT
Last Seen                     2018-10-28 13:16:15 MDT
Local ID                      57f1a8cc-272f-4fea-b45c-4bd87cefed80

Raw Audit Messages
type=AVC msg=audit(1540754175.946:1240): avc:  denied  { unlink } for  pid=19455 comm="systemd-user-ru" name=".flatpak-cache" dev="tmpfs" ino=3116743 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=0

Comment 6 Lukas Vrabec 2018-11-04 10:21:15 UTC


*** This bug has been marked as a duplicate of bug 1644313 ***