1413047 – Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1413047 - Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied

Summary: Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied

Keywords:
Status:	CLOSED DUPLICATE of bug 1412750
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	systemd
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	systemd-maint
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-13 13:16 UTC by Lukas Slebodnik
Modified:	2017-01-17 20:57 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-01-17 20:57:50 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1412750	0	unspecified	CLOSED	Multiple services in recent Rawhide fail to start with: Failed at step USER spawning (executable): Permission denied	2022-05-16 11:32:56 UTC

Internal Links: 1412750

Description Lukas Slebodnik 2017-01-13 13:16:58 UTC

Description of problem:


Version-Release number of selected component (if applicable):
sh$ rpm -q systemd selinux-policy
systemd-232-6.fc26.x86_64
selinux-policy-3.13.1-233.fc26.noarch

How reproducible:
Deterministic

Steps to Reproduce:
1. #Boot rawhide in SELinux Enforcing mode
2. #login as an ordinary user
3. systemctl status --user


Actual results:
Failed to read server status: Input/output error

Expected results:
Displayed all user services

Additional info:
Related part of journal log with disabled dontaudit rules.
I could not see any AVCs by default.


Jan 13 14:06:47 host.example.com audit[4036]: CRED_ACQ pid=4036 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="lslebodn" exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=success'
Jan 13 14:06:47 host.example.com audit[4036]: USER_ROLE_CHANGE pid=4036 uid=0 auid=20728 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=success'
Jan 13 14:06:47 host.example.com audit[4036]: AVC avc:  denied  { net_admin } for  pid=4036 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
Jan 13 14:06:47 host.example.com audit[4036]: AVC avc:  denied  { net_admin } for  pid=4036 comm="login" capability=12  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=0
Jan 13 14:06:47 host.example.com systemd[1]: Created slice User Slice of lslebodn.
Jan 13 14:06:47 host.example.com audit[4133]: AVC avc:  denied  { write } for  pid=4133 comm="(systemd)" path="socket:[14684]" dev="sockfs" ino=14684 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
Jan 13 14:06:47 host.example.com systemd[4133]: user: Failed at step USER spawning /usr/lib/systemd/systemd: Permission denied
Jan 13 14:06:47 host.example.com systemd[1]: Starting User Manager for UID 20728...
Jan 13 14:06:47 host.example.com systemd[1]: Started User Manager for UID 20728.
Jan 13 14:06:47 host.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@20728 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 13 14:06:47 host.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@20728 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 13 14:06:47 host.example.com systemd-logind[1034]: New session 2 of user lslebodn.
Jan 13 14:06:47 host.example.com systemd[1]: Started Session 2 of user lslebodn.


There was access denied to the inode 14684
sh# find /sys/ -inum 14684
/sys/devices/platform/serial8250/tty/ttyS21/dev

sh matchpathcon /sys/devices/platform/serial8250/tty/ttyS21/dev
/sys/devices/platform/serial8250/tty/ttyS21/dev system_u:object_r:sysfs_t:s0

sh# ls -lZ /sys/devices/platform/serial8250/tty/ttyS21/dev
-r--r--r--. 1 root root system_u:object_r:sysfs_t:s0 4096 Jan 13 14:15 /sys/devices/platform/serial8250/tty/ttyS21/dev

Comment 1 Lukas Slebodnik 2017-01-13 13:27:35 UTC

And few SELinux reports which I saw a second before login
I am not sure which are related and which are caused by disabled dontaudit rule

SELinux is preventing login from using the rlimitinh access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that login should be allowed rlimitinh access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp


Additional Information:
Source Context                system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        login
Source Path                   login
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
                              UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-13 14:06:42 CET
Last Seen                     2017-01-13 14:06:42 CET
Local ID                      a289469d-e0d2-47a4-84bb-55514a8ee52a

Raw Audit Messages
type=AVC msg=audit(1484312802.410:934): avc:  denied  { rlimitinh } for  pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: login,getty_t,local_login_t,process,rlimitinh


SELinux is preventing login from using the siginh access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that login should be allowed siginh access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp


Additional Information:
Source Context                system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        login
Source Path                   login
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
                              UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-13 14:06:42 CET
Last Seen                     2017-01-13 14:06:42 CET
Local ID                      10f45660-99a6-413c-b502-9aaf2aff560f

Raw Audit Messages
type=AVC msg=audit(1484312802.410:935): avc:  denied  { siginh } for  pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: login,getty_t,local_login_t,process,siginh

SELinux is preventing login from using the noatsecure access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that login should be allowed noatsecure access on processes labeled local_login_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -X 300 -i my-login.pp


Additional Information:
Source Context                system_u:system_r:getty_t:s0-s0:c0.c1023
Target Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        login
Source Path                   login
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
                              UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-13 14:06:42 CET
Last Seen                     2017-01-13 14:06:42 CET
Local ID                      63541f56-cff2-45d8-b609-2a15a56d3d1d

Raw Audit Messages
type=AVC msg=audit(1484312802.411:936): avc:  denied  { noatsecure } for  pid=4036 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: login,getty_t,local_login_t,process,noatsecure

SELinux is preventing systemd from 'read, write' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:kernel_t:s0-s0:c0.c1023
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49
                              UTC 2017 x86_64 x86_64
Alert Count                   45
First Seen                    2017-01-13 13:51:30 CET
Last Seen                     2017-01-13 14:17:46 CET
Local ID                      fe48d463-6f29-45c3-8a69-f62cb5d5fbee

Raw Audit Messages
type=AVC msg=audit(1484313466.915:974): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[141825]" dev="sockfs" ino=141825 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,kernel_t,unix_stream_socket,read,write

Comment 2 Lukas Slebodnik 2017-01-13 14:58:02 UTC

Here are AVCs which I used for fixing the issue with "systemctl status --user"

type=AVC msg=audit(1484313466.915:974): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[141825]" dev="sockfs" ino=141825 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1484315059.928:498): avc:  denied  { write } for  pid=1395 comm="(systemd)" path="socket:[14492]" dev="sockfs" ino=14492 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0

Comment 3 Lukas Slebodnik 2017-01-13 17:43:34 UTC

I do not have a problem with "systemctl status --user" on older kernel 4.8.15-300.fc25.x86_64

The problem is only with 4.8.16-300.fc25.x86_64
Yes; kernel is from f25 and not from rawhide

Comment 4 Lukas Slebodnik 2017-01-13 20:06:39 UTC

It works well with f25 systemd and f25 kernel

sh$ uname -a
Linux vm-115.example.com 4.8.16-300.fc25.x86_64 #1 SMP Fri Jan 6 18:11:49 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

sh$ rpm -q systemd
systemd-231-10.fc25.x86_64



And there is still problem with latest rawhide kernel
sh$ uname -a
Linux vm-118.example.com 4.10.0-0.rc3.git1.1.fc26.x86_64 #1 SMP Tue Jan 10 15:32:37 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

sh$ rpm -q systemd
systemd-232-6.fc26.x86_64

Comment 5 Adam Williamson 2017-01-17 00:52:37 UTC

Probably the same as https://bugzilla.redhat.com/show_bug.cgi?id=1412750 ?

Comment 6 Adam Williamson 2017-01-17 06:26:18 UTC

ah, apparently not, says zbyszek.

Comment 7 Lukas Slebodnik 2017-01-17 14:10:02 UTC

See also bug after change to permissive mode https://bugzilla.redhat.com/show_bug.cgi?id=1413075

Comment 8 Zbigniew Jędrzejewski-Szmek 2017-01-17 20:57:50 UTC


*** This bug has been marked as a duplicate of bug 1412750 ***

Note You need to log in before you can comment on or make changes to this bug.