Bug 1284066 - SELinux is preventing /usr/lib/systemd/systemd-logind from create access on the file .#nologinoPzXni.
Summary: SELinux is preventing /usr/lib/systemd/systemd-logind from create access on t...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-20 17:15 UTC by Alexander Ploumistos
Modified: 2016-03-30 12:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-30 12:58:25 UTC
Type: Bug
Embargoed:



Description Alexander Ploumistos 2015-11-20 17:15:50 UTC
Description of problem:

SELinux is preventing /usr/lib/systemd/systemd-logind from create access on the file .#nologinoPzXni.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-logind should be allowed create access on the .#nologinoPzXni file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                .#nologinoPzXni [ file ]
Source                        systemd-logind
Source Path                   /usr/lib/systemd/systemd-logind
Port                          <Unknown>
Host                          <Host>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <Host>
Platform                      Linux <Host> 4.2.6-300.fc23.x86_64 #1 SMP Tue
                              Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-20 18:12:50 EET
Last Seen                     2015-11-20 18:12:50 EET
Local ID                      2d7bb6c1-cba4-445a-b370-91984605ce0a

Raw Audit Messages
type=AVC msg=audit(1448035970.231:245): avc:  denied  { create } for  pid=1039 comm="systemd-logind" name=".#nologinoPzXni" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-155.fc23.noarch.rpm


How reproducible:

Every time I schedule a shutdown or reboot. The command runs as expected, but I keep getting this message.


Steps to Reproduce:

Schedule a shutdown or reboot with something like
shutdown -r +10


Additional info:

This started happening right after I installed FEDORA-2015-0d84d6c75f packages, so I'm fairly certain about the selinux-policy version (it didn't happen with 3.13.1-154, but I could not schedule a shutdown with that one).

Comment 1 Lukas Vrabec 2015-11-24 12:01:57 UTC
Where is file ".#nologinoPzXni" stored?

Comment 2 Alexander Ploumistos 2015-11-24 13:08:50 UTC
I can't find any of the ".#nologinABCXYZ" files anywhere, but I guess that's to be expected, since systemd-logind is not allowed to create them.

In the past couple of days, I haven't had any SELinux alerts pop up, but whenever there is about a minute left on the shutdown, or if I schedule the shutdown in one minute, I get these in the journal:

Nov 24 14:49:41 <hostname> systemd[1]: Starting Cleanup of Temporary Directories...
Nov 24 14:49:42 <hostname> systemd[1]: Started Cleanup of Temporary Directories.
Nov 24 14:49:42 <hostname> audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 24 14:49:42 <hostname> audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 24 14:57:33 <hostname> systemd-logind[993]: Creating /run/nologin, blocking further logins...
Nov 24 14:57:33 <hostname> systemd-logind[993]: Failed to create /run/nologin: Permission denied
Nov 24 14:57:33 <hostname> audit[993]: AVC avc:  denied  { create } for  pid=993 comm="systemd-logind" name=".#nologinXo434m" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Nov 24 14:57:33 <hostname> audit[993]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=55accaffa850 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=993 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Nov 24 14:57:33 <hostname> audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-logind"
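The denial in the description and the journal lines in comment 2 are the same record in two renderings (raw auditd `type=AVC ...` and journald `audit[pid]: AVC avc: ...`). The following parser, added here as an example and not part of the bug report or of systemd, extracts the fields from both forms, groups denials by source type, target type and object class the way audit2allow does, and renders the allow rule that the suggested `audit2allow -M mypol` step would produce; the sample lines are copied from this report, and the host name is a placeholder.

```python
import re
from collections import defaultdict

# Two denial records copied from the report above (raw auditd form from the
# description, journald form from comment 2) plus one non-AVC journal line.
SAMPLE_LOG = """\
type=AVC msg=audit(1448035970.231:245): avc:  denied  { create } for  pid=1039 comm="systemd-logind" name=".#nologinoPzXni" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Nov 24 14:57:33 host systemd-logind[993]: Failed to create /run/nologin: Permission denied
Nov 24 14:57:33 host audit[993]: AVC avc:  denied  { create } for  pid=993 comm="systemd-logind" name=".#nologinXo434m" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
"""

# Matches both "type=AVC msg=audit(...): avc:  denied  { ... } for ..." and
# the journald rendering "audit[pid]: AVC avc:  denied  { ... } for ...".
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = sorted(m.group("perms").split())
    # A context is user:role:type:level; policy rules are written on the type.
    rec["stype"] = rec.get("scontext", "::?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "names": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["names"].add(rec.get("name", "?"))
    return dict(groups)


def as_te_rules(groups):
    """Render each group as the allow rule audit2allow would emit for it."""
    return [
        f"allow {s} {t}:{c} {' '.join(sorted(g['perms']))};"
        for (s, t, c), g in sorted(groups.items())
    ]
```

Grouping shows a single daemon type denied against the generic var_run_t label with varying temporary file names, which is the labeling problem comment 3 attributes to systemd; the generated allow rule would silence the alert without correcting the label.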

Comment 3 Miroslav Grepl 2015-11-24 14:17:27 UTC
Thank you for reporting. This is a systemd bug. They need to backport fixes related to nologin labeling.

Comment 4 Mike McCune 2016-03-28 23:38:32 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 5 Michal Sekletar 2016-03-30 09:32:26 UTC
This should be already fixed in systemd-222-10.fc23.x86_64.

*** This bug has been marked as a duplicate of bug 1287592 ***

Comment 6 Michal Sekletar 2016-03-30 09:42:04 UTC
Related fix appeared upstream in the meantime. 

https://github.com/systemd/systemd/commit/4b51966cf6c06250036e428608da92f8640beb96

However I didn't observe any problems regarding labeling of /run/user/$UID directories on Fedora.

Comment 7 Zbigniew Jędrzejewski-Szmek 2016-03-30 12:39:24 UTC
There were follow-up commits, e.g. c3dacc8bbf2dc2f5d498072418289c3ba79160ac. I think we need to backport at least some of them.

Comment 8 Lukas Vrabec 2016-03-30 12:58:25 UTC
All fixes related to SELinux and #nologinXXXXXX files are fixed in F23.

