Bug 1277987 - SELinux is preventing systemd-logind from 'rename' accesses on the file .#scheduledhAaMOb.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:feb858c84f5452692e828d8693f...
: 1278659 (view as bug list)
Depends On:
Blocks:
Reported: 2015-11-04 13:37 UTC by Vinicius Reis
Modified: 2015-11-26 20:57 UTC (History)

Fixed In Version: selinux-policy-3.13.1-155.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-26 20:57:50 UTC
Type: ---
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 1276424 | 0 | unspecified | CLOSED | Shutdown with a TIME parameter fails, and immediately shuts down the system. | 2022-05-16 11:32:56 UTC
Red Hat Bugzilla 1285019 | 0 | high | CLOSED | SELinux is preventing systemd-logind from 'create' accesses on the file .#nologinDUxFTb. | 2022-05-16 11:32:56 UTC

Internal Links: 1276424 1285019

Description Vinicius Reis 2015-11-04 13:37:45 UTC
Description of problem:
Trying to shutdown with a TIME argument:
$ sudo shutdown -h 12:00
SELinux is preventing systemd-logind from 'rename' accesses on the file .#scheduledhAaMOb.

*****  Plugin catchall (100. confidence) suggests   **************************

If você acredita que o systemd-logind deva ser permitido acesso de rename em .#scheduledhAaMOb file  por default.
Then você precisa reportar este como um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso agora executando:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                .#scheduledhAaMOb [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-152.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.2.3-300.fc23.x86_64 #1 SMP Mon
                              Oct 5 15:42:54 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-04 11:35:40 BRST
Last Seen                     2015-11-04 11:35:40 BRST
Local ID                      5da228d9-44cc-4bbf-9045-1ddab94d799a

Raw Audit Messages
type=AVC msg=audit(1446644140.979:1086): avc:  denied  { rename } for  pid=742 comm="systemd-logind" name=".#scheduledhAaMOb" dev="tmpfs" ino=1487023 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1


Hash: systemd-logind,systemd_logind_t,init_var_run_t,file,rename

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

Potential duplicate: bug 804236
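
Added example (not part of the original report or of setroubleshoot): a small parser for the raw AVC record above that rebuilds the report's Hash line and prints the allow rule a local module would contain, so the rule can be reviewed before anything is loaded with semodule. The second log line and the helper names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the raw audit message from this report. Line 2 is constructed
# (an assumption for illustration) to show permissions being merged.
SAMPLE_LOG = """\
type=AVC msg=audit(1446644140.979:1086): avc:  denied  { rename } for  pid=742 comm="systemd-logind" name=".#scheduledhAaMOb" dev="tmpfs" ino=1487023 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1446644141.100:1087): avc:  denied  { create } for  pid=742 comm="systemd-logind" name=".#constructed" dev="tmpfs" ino=1487024 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the triage-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in f for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": f.get("comm", ""),
        "name": f.get("name", ""),
        # An SELinux context is user:role:type:level; the type drives policy.
        "source_type": f["scontext"].split(":")[2],
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        # permissive=1 means the denial was only logged, not enforced.
        "blocked": f.get("permissive", "0") == "0",
    }

def triage_key(d):
    """Key in the shape of the report's 'Hash:' line, for de-duplication."""
    return ",".join([d["comm"], d["source_type"], d["target_type"], d["tclass"], *d["perms"]])

def candidate_rules(log_text):
    """Merge denials per (source, target, class) into allow rules for review."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            grouped[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules
```
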

Comment 1 Vinicius Reis 2015-11-06 05:41:10 UTC
Description of problem:
I was trying to schedule a shutdown:
$ sudo shutdown -h 4:30

It was possible to do that because SELinux is in permissive mode. Otherwise, the scheduled shutdown fails and turns off the system immediately.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 2 Alexander Ploumistos 2015-11-08 23:18:07 UTC
The latest selinux-policy package on F22, where you can schedule a shutdown, is selinux-policy-3.13.1-128.19, so the bug was introduced somewhere between that and 3.13.1-152. Within that range, grep'ing for systemctl yields releases 142 and 148 (commits 1ba0a986f6f7a8c6960a1643878498c68659573b and ec0c1bc01ebca0b2927b75b53836fd2ed0e40be9 respectively). I don't know the first thing about the internals of SELinux, but those two might be worth investigating.

Comment 3 Vinicius Reis 2015-11-08 23:39:00 UTC
Good point.
Systemd has a known bug (introduced in newer releases, but already fixed upstream I guess) that prevents shutdown from working properly with a TIME parameter (https://github.com/systemd/systemd/issues/1120).
Perhaps this bug in systemd is triggering some unexpected behavior that is blocked or affected by SELinux. But it's just a guess; unfortunately I know nothing about SELinux and systemd internals.

Comment 4 Miroslav Grepl 2015-11-10 12:10:08 UTC
*** Bug 1278659 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2015-11-20 13:15:36 UTC
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

Comment 7 Fedora Update System 2015-11-22 14:25:48 UTC
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

Comment 8 Vinicius Reis 2015-11-24 17:05:32 UTC
It's working fine while SELinux is in permissive mode: no more warnings are shown and, at the scheduled time, the system shuts itself down.

But when I set SELinux to enforcing mode (and reboot for the changes to take effect), the warnings are shown again if I try to shut down with a TIME argument, but even with the warning, the system shuts itself down at the correct scheduled time.

Please, see here:  https://bugzilla.redhat.com/show_bug.cgi?id=1285019

Comment 9 Fedora Update System 2015-11-26 20:56:59 UTC
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

