Bug 1514795 - SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 27
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3105d14f21e59edb726bf898f98...
Depends On:
Blocks:
Reported: 2017-11-18 17:19 UTC by Predrag
Modified: 2019-04-29 09:17 UTC (History)

Fixed In Version: container-selinux-2.40-1.fc26 container-selinux-2.42-1.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-23 21:17:38 UTC
Type: ---
Embargoed:



Description Predrag 2017-11-18 17:19:43 UTC
Description of problem:
SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.8-300.fc25.x86_64 #1 SMP Tue
                              Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-12-06 20:53:18 CET
Last Seen                     2016-12-06 20:53:18 CET
Local ID                      f61f5e4e-a165-4724-b45e-0d96921bfe31

Raw Audit Messages
type=AVC msg=audit(1481053998.273:283): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.12-300.fc27.x86_64
type:           libreport

Potential duplicate: bug 1459076
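The report above is built from the single raw AVC record under "Raw Audit Messages". As an added example, not part of the bug or of setroubleshoot, the following parser takes such records and rebuilds the fields the report summarises (source and target type, the Hash: line, the Alert Count) plus the TE rule that the suggested `audit2allow` step would derive; the exact layout of the Hash: line for multi-permission denials is an assumption.

```python
"""Parse raw SELinux AVC records like the "Raw Audit Messages" lines in
this bug and rebuild the fields setroubleshoot summarises (source/target
type, Hash: line, Alert Count) plus the TE rule audit2allow would emit."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two AVC lines pasted in this bug plus one
# non-AVC record, which the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1481053998.273:283): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1513600315.683:382): avc:  denied  { unlink } for  pid=1010 comm="systemd-logind" name="ora_XE_32768_66" dev="tmpfs" ino=29798 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1481053998.273:283): arch=c000003e syscall=41 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str    # "denied" or "granted"
    perms: tuple   # permissions listed inside the { } braces
    fields: dict   # pid, comm, scontext, tcontext, tclass, permissive, ...

    @property
    def source_type(self) -> str:
        # user:role:type:range -> the type is the third component
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self) -> str:
        return self.fields['tcontext'].split(':')[2]

    def hash_line(self) -> str:
        """Same shape as setroubleshoot's 'Hash:' line for one permission;
        the layout for several permissions is an assumption."""
        return ','.join([self.fields['comm'], self.source_type,
                         self.target_type, self.fields['tclass'], *self.perms])

    def allow_rule(self) -> str:
        """The TE rule audit2allow derives from this denial."""
        perms = (self.perms[0] if len(self.perms) == 1
                 else '{ ' + ' '.join(self.perms) + ' }')
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {perms};"


def parse_avc(line: str):
    """Return an Avc for a type=AVC record, None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return Avc(float(m.group('ts')), int(m.group('serial')), m.group('result'),
               tuple(m.group('perms').split()), fields)


def parse_audit_log(text: str) -> list:
    return [a for a in map(parse_avc, text.splitlines()) if a is not None]


def enforced_denials(avcs) -> list:
    """Denials that actually blocked the access (permissive=0)."""
    return [a for a in avcs
            if a.result == 'denied' and a.fields.get('permissive') == '0']


def alert_counts(avcs) -> Counter:
    """Records per Hash: line, i.e. setroubleshoot's Alert Count."""
    return Counter(a.hash_line() for a in avcs)
```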

Comment 1 lowfatevil 2017-11-21 18:18:03 UTC
*** Bug 1515990 has been marked as a duplicate of this bug. ***

Comment 2 Godfrey 2017-12-09 03:17:13 UTC
Description of problem:
Trying to start docker service using the command 

systemctl  start docker.service

Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.16-302.fc27.x86_64
type:           libreport

Comment 3 Lukas Vrabec 2017-12-12 09:33:28 UTC
Hi, 

Could you attach output of: 

# ps -efZ | grep unconfined_service_t 

Thanks.

Comment 4 Godfrey 2017-12-12 15:52:36 UTC
As requested here are the details - 


[root@ideapad ~]# ps -efZ | grep unconfined_service_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9225 9191  0 10:47 pts/1 00:00:00 grep --color=auto unconfined_service_t

Comment 5 Lukas Vrabec 2017-12-18 14:20:38 UTC
Hmm, I don't see any service running as unconfined_service_t. Are you able to reproduce the AVC?

Comment 6 Godfrey 2017-12-19 03:00:03 UTC
Issuing the command 'systemctl start docker.service' from sudo user I got the AVC again.
-----------------------------------------------------------------------
SELinux is preventing systemd-logind from unlink access on the file ora_XE_32768_66.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-logind should be allowed unlink access on the ora_XE_32768_66 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:initrc_state_t:s0
Target Objects                ora_XE_32768_66 [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          ideapad
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ideapad
Platform                      Linux ideapad 4.14.5-300.fc27.x86_64 #1 SMP Mon
                              Dec 11 16:00:36 UTC 2017 x86_64 x86_64
Alert Count                   1791
First Seen                    2017-11-19 20:33:58 EST
Last Seen                     2017-12-18 07:31:55 EST
Local ID                      65edb0ed-3569-4b8f-bdec-7e62049d2bd2

Raw Audit Messages
type=AVC msg=audit(1513600315.683:382): avc:  denied  { unlink } for  pid=1010 comm="systemd-logind" name="ora_XE_32768_66" dev="tmpfs" ino=29798 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file permissive=0


Hash: systemd-logind,systemd_logind_t,initrc_state_t,file,unlink
-----------------------------------------------------------------------

And this time around I was able to get something different as the output for the command you had requested -

system_u:system_r:unconfined_service_t:s0 root 909 1  0 07:29 ?        00:00:02 /usr/libexec/docker/docker-containerd-current --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim-current --start-timeout 2m
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7329 6771  0 21:57 pts/1 00:00:00 grep --color=auto unconfined_service_t

-----------------------------------------------------------------------
Please note, it's quite possible that with the docker/kubernetes package still not verified with Fedora 27 I'm encountering the error.

Comment 7 Lukas Vrabec 2017-12-19 08:56:35 UTC
Godfrey, 

What is output of command:

# rpm -q container-selinux

If this package is not installed please install it and try to reproduce the issue. 

Also please add output of:

# ls -Z /usr/libexec/docker/docker-containerd-current

# semodule -lfull | grep container

Thanks,
Lukas.

Comment 8 Godfrey 2017-12-19 11:12:56 UTC
The container-selinux seems to be installed - 
[root@ideapad ~]# rpm -q container-selinux
container-selinux-2.36-1.fc27.noarch

As requested here is the output of the other two commands - 

[root@ideapad ~]# ls -Z /usr/libexec/docker/docker-containerd-current
system_u:object_r:bin_t:s0 /usr/libexec/docker/docker-containerd-current
[root@ideapad ~]# semodule -lfull | grep container
200 container         pp

Comment 9 Lukas Vrabec 2017-12-19 13:09:04 UTC
Please use:
# semanage fcontext -a -t container_runtime_exec_t /usr/libexec/docker/docker-containerd-current
# restorecon -v /usr/libexec/docker/docker-containerd-current 

It looks like in F27 there is no labeling for docker-containerd-current, but in Rawhide it looks fine. 

Guys could you backport it? 

Thanks,
Lukas.

Comment 10 Daniel Walsh 2017-12-19 13:56:30 UTC
I think we have labeling for those

# matchpathcon /usr/libexec/docker/docker-*
/usr/libexec/docker/docker-containerd-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-containerd-shim-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-ctr-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-init-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-proxy-current	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-runc-current	system_u:object_r:container_runtime_exec_t:s0
# ls -lZ /usr/libexec/docker/docker-*
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 7885728 Nov 17 10:26 /usr/libexec/docker/docker-containerd-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 1919840 Nov 17 10:26 /usr/libexec/docker/docker-containerd-shim-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 7290360 Nov 17 10:26 /usr/libexec/docker/docker-ctr-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0  781904 Nov 17 10:25 /usr/libexec/docker/docker-init-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 1707240 Nov 17 10:26 /usr/libexec/docker/docker-proxy-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 5189024 Nov 17 10:26 /usr/libexec/docker/docker-runc-current
sh-4.4# exit
# rpm -q container-selinux
container-selinux-2.36-1.fc27.noarch

grep /usr/libexec/docker /etc/selinux/targeted/contexts/files/file_contexts
/usr/libexec/docker/.*	--	system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker.*	--	system_u:object_r:container_runtime_exec_t:s0

Comment 11 Daniel Walsh 2017-12-21 11:10:06 UTC
Godfrey can you reinstall container-selinux

dnf reinstall container-selinux

matchpathcon /usr/libexec/docker/*

Comment 12 Godfrey 2017-12-21 12:23:30 UTC
Daniel,

That did not help. Here is the AVC update that got in the SELinux Alert Browser - 

--------
SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          ideapad
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ideapad
Platform                      Linux ideapad 4.14.6-300.fc27.x86_64 #1 SMP Thu
                              Dec 14 15:31:24 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-12-21 07:18:58 EST
Last Seen                     2017-12-21 07:20:20 EST
Local ID                      3c4369fa-79e5-42da-b91e-13300956728c

Raw Audit Messages
type=AVC msg=audit(1513858820.772:511): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create
---------

Trying to generate the policy rule --

[root@ideapad ~]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@ideapad ~]# semodule -X 300 -i my-systemd.pp
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
semodule:  Failed on my-systemd.pp!
[root@ideapad ~]# systemctl start docker.service
A dependency job for docker.service failed. See 'journalctl -xe' for details.

Comment 13 Daniel Walsh 2017-12-21 12:49:45 UTC
What is the output of matchpathcon /usr/libexec/docker/*

Comment 14 Godfrey 2017-12-21 13:59:43 UTC
[root@ideapad ~]# matchpathcon /usr/libexec/docker/*
/usr/libexec/docker/docker-containerd-current   system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-containerd-shim-current      system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-ctr-current  system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-init-current system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-proxy-current        system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-runc-current system_u:object_r:bin_t:s0
/usr/libexec/docker/rhel-push-plugin    system_u:object_r:bin_t:s0
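Comment 10 and Comment 14 show the same paths resolving to container_runtime_exec_t on one machine and bin_t on the other, which is the difference between the container module's file_contexts entries being present or absent. As an added example (not from the bug, libselinux or container-selinux), this re-implements the file_contexts lookup behind `matchpathcon` and diffs it against `ls -Z` output; the specs and the `ls -Z` lines are constructed, with a generic `/usr/libexec(/.*)?` rule assumed to stand in for the base policy.

```python
"""Minimal re-implementation of the file_contexts lookup behind
matchpathcon(1), used to diff the label a path should carry against
what ls -Z shows, so a mislabeled runtime binary is caught."""
import re

# Constructed specs in file_contexts format: <regex> [type-flag] <context>.
# BASE stands in for the base policy's generic /usr/libexec rule; CONTAINER
# is the pair of lines Comment 10 shows the container module contributing.
BASE_SPECS = "/usr/libexec(/.*)?\tsystem_u:object_r:bin_t:s0\n"
CONTAINER_SPECS = (
    "/usr/libexec/docker/.*\t--\tsystem_u:object_r:container_runtime_exec_t:s0\n"
    "/usr/libexec/docker/docker.*\t--\tsystem_u:object_r:container_runtime_exec_t:s0\n")

# Constructed `ls -Z` output in the shape Comment 8 shows.
OBSERVED_LS_Z = (
    "system_u:object_r:bin_t:s0 /usr/libexec/docker/docker-containerd-current\n"
    "system_u:object_r:container_runtime_exec_t:s0 /usr/libexec/docker/docker-runc-current\n")

# file_contexts type flags -> object class names
TYPE_FLAGS = {'--': 'file', '-d': 'dir', '-l': 'symlink', '-s': 'socket',
              '-c': 'char', '-b': 'block', '-p': 'fifo'}


def parse_specs(text: str) -> list:
    """Return [(compiled regex, required type or None, context)] in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
            flag = None
        else:
            raise ValueError(f"malformed spec: {raw!r}")
        # libselinux anchors every spec at both ends of the path
        specs.append((re.compile(r'\A(?:' + regex + r')\Z'),
                      TYPE_FLAGS[flag] if flag else None, ctx))
    return specs


def match_path(specs, path: str, ftype: str = 'file'):
    """Expected context for path; the last matching spec wins, as in
    libselinux. None when nothing matches or the match is <<none>>."""
    label = None
    for rx, want, ctx in specs:
        if rx.match(path) and (want is None or want == ftype):
            label = ctx
    return None if label == '<<none>>' else label


def parse_ls_z(text: str) -> dict:
    """{path: context} from `ls -Z` style lines."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            ctx, path = line.split(None, 1)
            out[path.strip()] = ctx
    return out


def find_mislabeled(specs, observed: dict) -> dict:
    """{path: (current, expected)} for files restorecon -v would relabel."""
    bad = {}
    for path, current in observed.items():
        expected = match_path(specs, path)
        if expected is not None and expected != current:
            bad[path] = (current, expected)
    return bad
```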

Comment 15 Garry T. Williams 2017-12-21 15:49:50 UTC
I receive the same AVC whenever I run the fedora kernel-tests.  Nothing here remotely related to docker.

Comment 16 Daniel Walsh 2017-12-21 17:23:29 UTC
And when you executed

dnf reinstall container-selinux 

do you see any errors?

Comment 17 Godfrey 2017-12-21 18:32:20 UTC
[root@ideapad ~]# dnf reinstall container-selinux
Last metadata expiration check: 1:41:37 ago on Thu 21 Dec 2017 05:29:13 AM EST.
Dependencies resolved.
========================================================================================================================================================================
 Package                                       Arch                               Version                                     Repository                           Size
========================================================================================================================================================================
Reinstalling:
 container-selinux                             noarch                             2:2.36-1.fc27                               updates                              36 k

Transaction Summary
========================================================================================================================================================================

Total download size: 36 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.36-1.fc27.noarch.rpm                                                                                                 70 kB/s |  36 kB     00:00    
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                    27 kB/s |  36 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                1/1 
  Reinstalling     : container-selinux-2:2.36-1.fc27.noarch                                                                                                         1/2 
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                                                                                                         1/2 
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
/usr/sbin/semodule:  Failed on /usr/share/selinux/packages/container.pp.bz2!
  Erasing          : container-selinux-2:2.36-1.fc27.noarch                                                                                                         2/2 
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                                                                                                         2/2 
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                                                                                                         1/2 
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                                                                                                         2/2 

Reinstalled:
  container-selinux.noarch 2:2.36-1.fc27                                                                                                                                

Complete!

Comment 18 Daniel Walsh 2017-12-21 20:55:38 UTC
So that is the issue: for some reason container-selinux is failing to install.

Lukas do you have any idea what is going on here?

Comment 19 Petr Lautrbach 2017-12-22 12:05:01 UTC
(In reply to Godfrey from comment #12)
> [root@ideapad ~]# semodule -X 300 -i my-systemd.pp
> libsemanage.semanage_make_sandbox: Could not copy files to sandbox
> /var/lib/selinux/targeted/tmp. (Input/output error).
> semodule:  Failed on my-systemd.pp!

Something in /var/lib/selinux seems to be broken.

       EIO    A low-level I/O error occurred while modifying the inode. This error may relate to the write-back of data written by an earlier write(2), which may have been issued to a different file descriptor on the same file. Since Linux 4.13, errors from write-back come with a promise that they may be reported by subsequent write(2) requests, and will be reported by a subsequent fsync(2) (whether or not they were also reported by write(2)).

Is there /var/lib/selinux/targeted/tmp directory in your filesystem? If it's there, try to remove it and run reinstall again.

Comment 20 Godfrey 2017-12-22 16:04:29 UTC
No tmp directory in the targeted folder - 

[root@ideapad ~]# ls -ltr /var/lib/selinux/targeted/tmp
ls: cannot access '/var/lib/selinux/targeted/tmp': No such file or directory
[root@ideapad ~]# ls -ltr /var/lib/selinux/targeted
total 4
-rw-------. 1 root root    0 Nov 21 11:05 semanage.trans.LOCK
-rw-------. 1 root root    0 Nov 21 11:05 semanage.read.LOCK
drwx------. 3 root root 4096 Nov 29 20:09 active


I created the /var/lib/selinux/targeted/tmp directory to check if that may be the reason but reinstalling seems to be removing that directory and again causing it to fail - 

Running transaction
  Preparing        :                                                                                                                              1/1 
  Reinstalling     : container-selinux-2:2.36-1.fc27.noarch                                                                                       1/2 
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                                                                                       1/2 
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
/usr/sbin/semodule:  Failed on /usr/share/selinux/packages/container.pp.bz2!
  Erasing          : container-selinux-2:2.36-1.fc27.noarch                                                                                       2/2 
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                                                                                       2/2 
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                                                                                       1/2 
  Verifying        : container-selinux-2:2.36-1.fc27.noarch

Comment 21 Garry T. Williams 2017-12-23 23:23:09 UTC
Description of problem:
I ran Fedora kernel tests from the command line.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.8-300.fc27.x86_64
type:           libreport

Comment 22 Fedora Update System 2018-01-08 14:02:00 UTC
container-selinux-2.39-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2

Comment 23 Fedora Update System 2018-01-08 14:02:22 UTC
container-selinux-2.39-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9

Comment 24 Fedora Update System 2018-01-08 17:42:47 UTC
container-selinux-2.39-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2

Comment 25 Fedora Update System 2018-01-08 20:30:29 UTC
container-selinux-2.39-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9

Comment 26 Fedora Update System 2018-01-09 16:55:16 UTC
container-selinux-2.41-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3

Comment 27 Fedora Update System 2018-01-09 16:55:37 UTC
container-selinux-2.40-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd

Comment 28 Fedora Update System 2018-01-10 15:54:12 UTC
container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd

Comment 29 Fedora Update System 2018-01-10 16:14:09 UTC
container-selinux-2.41-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3

Comment 30 Fedora Update System 2018-01-16 19:09:46 UTC
container-selinux-2.42-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1

Comment 31 Fedora Update System 2018-01-21 10:39:41 UTC
container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1

Comment 32 Fedora Update System 2018-01-23 21:17:38 UTC
container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2018-01-23 21:46:46 UTC
container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 robert fairbrother 2018-01-26 23:38:01 UTC
Description of problem:
 https://bugzilla.redhat.com/show_bug.cgi?id=1539213

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.23.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.i686+PAE
type:           libreport

Comment 35 Peter Parsons 2018-02-02 12:34:15 UTC
Description of problem:
Occurred at boot time

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport

