Bug 1878094 - SELinux prevents systemd from creating objects in /run/user/1001/systemd/inaccessible
Summary: SELinux prevents systemd from creating objects in /run/user/1001/systemd/inac...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1931131
Depends On: 1812955
Blocks:
Reported: 2020-09-11 10:10 UTC by Milos Malik
Modified: 2021-06-09 06:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Milos Malik 2020-09-11 10:10:24 UTC
Description of problem:
 * confined users can log in successfully
 * SELinux denials appear, but I don't see any negative effect

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-25.fc33.noarch
selinux-policy-devel-3.14.6-25.fc33.noarch
selinux-policy-targeted-3.14.6-25.fc33.noarch
systemd-246.4-1.fc33.x86_64
systemd-bootchart-233-7.fc33.x86_64
systemd-container-246.4-1.fc33.x86_64
systemd-journal-remote-246.4-1.fc33.x86_64
systemd-libs-246.4-1.fc33.x86_64
systemd-pam-246.4-1.fc33.x86_64
systemd-rpm-macros-246.4-1.fc33.noarch
systemd-udev-246.4-1.fc33.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. create some confined users (at least user_u, staff_u)
3. log in as the confined user via console or ssh
4. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/11/2020 12:04:17.031:697) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 12:04:17.031:697) : item=1 name=/run/user/1002/systemd/inaccessible nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 12:04:17.031:697) : item=0 name=/run/user/1002/systemd/ inode=130566 dev=00:2d mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=user_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 12:04:17.031:697) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 12:04:17.031:697) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x5612d623b470 a1=0755 a2=0x3 a3=0x0 items=2 ppid=1 pid=1520 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 12:04:17.031:697) : avc:  denied  { create } for  pid=1520 comm=systemd name=inaccessible scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----

Expected results:
 * either allow the access or dontaudit the SELinux denials

Additional info: seen in the journal
Sep 11 12:04:17 localhost.localdomain systemd[1520]: Failed to allocate manager object: Permission denied

Comment 1 Milos Malik 2020-09-11 10:20:07 UTC
When logged in as staff_u:
----
type=PROCTITLE msg=audit(09/11/2020 12:10:39.886:785) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 12:10:39.886:785) : item=1 name=/run/user/1001/systemd/inaccessible/chr nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 12:10:39.886:785) : item=0 name=/run/user/1001/systemd/inaccessible/ inode=139748 dev=00:2d mode=dir,755 ouid=staff-user ogid=staff-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 12:10:39.886:785) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 12:10:39.886:785) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x55800059f470 a1=character,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=1648 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=8 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/11/2020 12:10:39.886:785) : avc:  denied  { create } for  pid=1648 comm=systemd name=chr scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=0 
----

Comment 2 Zdenek Pytela 2020-09-11 11:39:59 UTC
Confirming for unconfined_u and sysadm_u it should work:

policy/modules/system/systemd.te:userdom_manage_user_tmp_chr_files(systemd_logind_t)
policy/modules/roles/sysadm.te:userdom_manage_user_tmp_chr_files(sysadm_t)

Comment 3 Milos Malik 2020-09-11 13:20:40 UTC
Unfortunately, audit2allow says:

#============= user_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#	Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:dir create;

Comment 4 Milos Malik 2020-09-11 13:55:26 UTC
The following SELinux denials appear when user_u and staff_u log into the machine in permissive mode:
----
type=PROCTITLE msg=audit(09/11/2020 15:50:22.999:1865) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:22.999:1865) : item=1 name=/run/user/1001/systemd/inaccessible/chr inode=372206 dev=00:2b mode=character,000 ouid=staff-user ogid=staff-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:22.999:1865) : item=0 name=/run/user/1001/systemd/inaccessible/ inode=372201 dev=00:2b mode=dir,755 ouid=staff-user ogid=staff-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:22.999:1865) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:22.999:1865) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x56279d2ae470 a1=character,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2863 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=28 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:22.999:1865) : avc:  denied  { create } for  pid=2863 comm=systemd name=chr scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:55.258:1888) : proctitle=(systemd) 
type=OBJ_PID msg=audit(09/11/2020 15:50:55.258:1888) : opid=2937 oauid=staff-user ouid=staff-user oses=28 obj=staff_u:staff_r:mount_t:s0-s0:c0.c1023 ocomm=fusermount3 
type=SYSCALL msg=audit(09/11/2020 15:50:55.258:1888) : arch=x86_64 syscall=kill success=yes exit=0 a0=0xb79 a1=SIGTERM a2=0x3 a3=0xd83128119570932f items=0 ppid=1 pid=2863 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=28 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:55.258:1888) : avc:  denied  { signal } for  pid=2863 comm=systemd scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:mount_t:s0-s0:c0.c1023 tclass=process permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.342:1902) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.342:1902) : item=1 name=/run/user/1002/systemd/inaccessible inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.342:1902) : item=0 name=/run/user/1002/systemd/ inode=374611 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=user_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.342:1902) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.342:1902) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x5629f104a470 a1=0755 a2=0x3 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.342:1902) : avc:  denied  { create } for  pid=2943 comm=systemd name=inaccessible scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.345:1903) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.345:1903) : item=1 name=/run/user/1002/systemd/inaccessible/reg inode=374614 dev=00:2b mode=file,000 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.345:1903) : item=0 name=/run/user/1002/systemd/inaccessible/ inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.345:1903) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.345:1903) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x5629f104a470 a1=file,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.345:1903) : avc:  denied  { create } for  pid=2943 comm=systemd name=reg scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.346:1904) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.346:1904) : item=1 name=/run/user/1002/systemd/inaccessible/fifo inode=374616 dev=00:2b mode=fifo,000 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.346:1904) : item=0 name=/run/user/1002/systemd/inaccessible/ inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.346:1904) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.346:1904) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x5629f10af2b0 a1=fifo,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.346:1904) : avc:  denied  { create } for  pid=2943 comm=systemd name=fifo scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.347:1905) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.347:1905) : item=1 name=/run/user/1002/systemd/inaccessible/sock inode=374617 dev=00:2b mode=socket,000 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.347:1905) : item=0 name=/run/user/1002/systemd/inaccessible/ inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.347:1905) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.347:1905) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x5629f10af2b0 a1=socket,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.347:1905) : avc:  denied  { create } for  pid=2943 comm=systemd name=sock scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(09/11/2020 15:50:57.348:1906) : proctitle=(systemd) 
type=PATH msg=audit(09/11/2020 15:50:57.348:1906) : item=1 name=/run/user/1002/systemd/inaccessible/chr inode=374618 dev=00:2b mode=character,000 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/11/2020 15:50:57.348:1906) : item=0 name=/run/user/1002/systemd/inaccessible/ inode=374613 dev=00:2b mode=dir,755 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/11/2020 15:50:57.348:1906) : cwd=/ 
type=SYSCALL msg=audit(09/11/2020 15:50:57.348:1906) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x5629f104a470 a1=character,000 a2=0x0 a3=0x0 items=2 ppid=1 pid=2943 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=30 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(09/11/2020 15:50:57.348:1906) : avc:  denied  { create } for  pid=2943 comm=systemd name=chr scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1 
----

Comment 5 Zdenek Pytela 2020-09-23 12:44:55 UTC
Switching the component based on discussion with Michal. Of particular note, the problem is in the user part of the context, not the type: user_u vs system_u.

The problem currently seems to be in the user-runtime-dir@ service.

As a workaround (e.g. for testing), a static chcon command can be added for a particular user as an additional ExecStart line.

This command can be used to check the mapping between linux users and SELinux users:

  # semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
staffuser            staff_u              s0-s0:c0.c1023       *
useruser             user_u               s0                   *

Comment 7 Zbigniew Jędrzejewski-Szmek 2020-11-11 14:03:00 UTC
Creation of the "inaccessible" nodes was moved from user-runtime-dir@.service to pid1. That patch is also present in v246.4. So I don't think that user-runtime-dir@.service is relevant. The AVCs all mention proctitle=(systemd).

> Particular note the problem is in the user part of the context, not type: user_u vs system_u.

I think those labels match the configuration. On my machine:
$ ls -lZ /run/user/1000/systemd/inaccessible/
c---------. 1 test test system_u:object_r:user_tmp_t:s0 0, 0 Nov  9 19:06 chr
d---------. 2 test test system_u:object_r:user_tmp_t:s0   40 Nov  9 19:06 dir
p---------. 1 test test system_u:object_r:user_tmp_t:s0    0 Nov  9 19:06 fifo
----------. 1 test test system_u:object_r:user_tmp_t:s0    0 Nov  9 19:06 reg
s---------. 1 test test system_u:object_r:user_tmp_t:s0    0 Nov  9 19:06 sock

Maybe the policy needs to be adjusted to assign different labels there.

Comment 8 Milos Malik 2020-11-27 09:46:40 UTC
This issue appears in many automated tests, especially in those where confined users log into localhost via ssh.

Comment 9 Milos Malik 2021-02-08 15:33:55 UTC
Our automated TCs, which typically involve 3 confined users (user_u, staff_u, sysadm_u), used to trigger multiple SELinux denials for user_u and staff_u. Now, they trigger only 1 SELinux denial:
----
type=PROCTITLE msg=audit(02/08/2021 09:44:28.292:683) : proctitle=(systemd) 
type=PATH msg=audit(02/08/2021 09:44:28.292:683) : item=1 name=/run/user/1000/systemd/inaccessible/chr nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/08/2021 09:44:28.292:683) : item=0 name=/run/user/1000/systemd/inaccessible/ inode=3 dev=00:2c mode=dir,755 ouid=user20469 ogid=user20469 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/08/2021 09:44:28.292:683) : cwd=/ 
type=SYSCALL msg=audit(02/08/2021 09:44:28.292:683) : arch=x86_64 syscall=mknodat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x563afbd8a680 a2=0000 a3=0x0 items=2 ppid=1 pid=138043 auid=user20469 uid=user20469 gid=user20469 euid=user20469 suid=user20469 fsuid=user20469 egid=user20469 sgid=user20469 fsgid=user20469 tty=(none) ses=7 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/08/2021 09:44:28.292:683) : avc:  denied  { create } for  pid=138043 comm=systemd name=chr scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=0
----

After applying this workaround, the automated TCs (with confined users) pass:

# cat mypolicy.cil 
( allow staff_t user_tmp_t ( chr_file ( create )))
# semodule -i mypolicy.cil

Comment 10 Milos Malik 2021-03-04 14:48:45 UTC
I see the same picture on Fedora 34 and RHEL-9.0:

After logging in as user_u user:
========
$ id
uid=1001(user-user) gid=1001(user-user) groups=1001(user-user) context=user_u:user_r:user_t:s0
$ ls -aZ /run/user/1001
system_u:object_r:user_tmp_t:s0 .  system_u:object_r:user_tmp_t:s0 ..
$ ls -aZ /run/user/1001/systemd
ls: cannot access '/run/user/1001/systemd': No such file or directory
$ ls -aZ /run/user/1001/systemd/inaccessible
ls: cannot access '/run/user/1001/systemd/inaccessible': No such file or directory
$ 

After logging in as staff_u user:
========
$ id
uid=1000(staff-user) gid=1000(staff-user) groups=1000(staff-user) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ ls -Z /run/user/1000/systemd/inaccessible
system_u:object_r:user_tmp_t:s0 chr   system_u:object_r:user_tmp_t:s0 reg
system_u:object_r:user_tmp_t:s0 dir   system_u:object_r:user_tmp_t:s0 sock
system_u:object_r:user_tmp_t:s0 fifo
$ 

The following policy module fixes the SELinux denials generated by the staff_u processes:

# cat mypolicy.cil 
( allow staff_t user_tmp_t ( chr_file ( create getattr )))
( allow user_t user_tmp_t ( dir ( create )))
#

but it does NOT fix the SELinux denials generated by user_u processes, because:

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#	Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:dir create;

and here are details of the problematic AVC:
----
type=PROCTITLE msg=audit(03/04/2021 08:45:20.296:1994) : proctitle=(systemd) 
type=PATH msg=audit(03/04/2021 08:45:20.296:1994) : item=1 name=/run/user/1001/systemd nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/04/2021 08:45:20.296:1994) : item=0 name=/run/user/1001/ inode=1 dev=00:2b mode=dir,700 ouid=user-user ogid=user-user rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/04/2021 08:45:20.296:1994) : cwd=/ 
type=SYSCALL msg=audit(03/04/2021 08:45:20.296:1994) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7ffddba512b0 a1=0755 a2=0x0 a3=0x0 items=2 ppid=1 pid=34939 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=56 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(03/04/2021 08:45:20.296:1994) : avc:  denied  { create } for  pid=34939 comm=systemd name=systemd scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----

# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.7-22.fc34.noarch
selinux-policy-targeted-3.14.7-22.fc34.noarch
systemd-247.3-3.fc34.x86_64
systemd-libs-247.3-3.fc34.x86_64
systemd-networkd-247.3-3.fc34.x86_64
systemd-oomd-defaults-247.3-3.fc34.x86_64
systemd-pam-247.3-3.fc34.x86_64
systemd-rpm-macros-247.3-3.fc34.noarch
systemd-udev-247.3-3.fc34.x86_64
#
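
The distinction that runs through comments 3, 9 and 10 (a plain type-enforcement denial that an allow rule can fix, versus a constraint violation on the user part of the context that no allow rule can fix) can be checked mechanically. The following triage script is an added example, not part of the bug or of selinux-policy; it models only the dir constraint exactly as audit2allow printed it here, treats every other denial as a candidate for a CIL allow rule in the format used above, and takes the set of types carrying the can_change_object_identity attribute as an input (assumed empty by default). The two sample lines are copied from the audit output in this bug.

```python
import re

# Constraint as audit2allow printed it in this bug (comments 3 and 10):
#   constrain dir { create relabelfrom relabelto }
#       ( u1 == u2 or t1 == can_change_object_identity )
CONSTRAINED_CLASSES = {"dir"}
CONSTRAINED_PERMS = {"create", "relabelfrom", "relabelto"}

# AVC lines copied from the audit output in this bug.
SAMPLE_DIR_AVC = (
    "type=AVC msg=audit(09/11/2020 12:04:17.031:697) : avc:  denied  { create } for  "
    "pid=1520 comm=systemd name=inaccessible scontext=user_u:user_r:user_t:s0 "
    "tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 "
)
SAMPLE_CHR_AVC = (
    "type=AVC msg=audit(09/11/2020 12:10:39.886:785) : avc:  denied  { create } for  "
    "pid=1648 comm=systemd name=chr scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=0 "
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """user:role:type[:range] -> (user, role, type); the MLS/MCS range is ignored."""
    user, role, typ = ctx.split(":", 3)[:3]
    return user, role, typ


def parse_avc(line):
    """Extract permissions, source/target context and class from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def classify(avc, can_change_object_identity=frozenset()):
    """Return ("constraint", reason) when the modelled constraint blocks the access
    regardless of allow rules, otherwise ("te", cil_allow_rule)."""
    su, _, st = split_context(avc["scontext"])
    tu, _, tt = split_context(avc["tcontext"])
    constrained = avc["tclass"] in CONSTRAINED_CLASSES and bool(avc["perms"] & CONSTRAINED_PERMS)
    if constrained and su != tu and st not in can_change_object_identity:
        return ("constraint",
                f"source user {su} != target user {tu} and {st} lacks can_change_object_identity")
    perms = " ".join(sorted(avc["perms"]))
    return ("te", f"( allow {st} {tt} ( {avc['tclass']} ( {perms} )))")


def triage(lines, can_change_object_identity=frozenset()):
    """Classify every AVC line in an audit excerpt; non-AVC lines are skipped."""
    return [classify(a, can_change_object_identity)
            for a in (parse_avc(l) for l in lines) if a]


if __name__ == "__main__":
    for kind, detail in triage([SAMPLE_DIR_AVC, SAMPLE_CHR_AVC]):
        print(kind, detail)
```

The chr_file line yields the same CIL rule the reporter installed in comment 9, while the dir line is reported as a constraint violation, which is why the allow rule in comment 10 could not help user_u.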

Comment 12 Petr Lautrbach 2021-06-07 18:21:01 UTC
It turned out to be a selinux policy bug, see https://github.com/systemd/systemd/pull/19825

There's also a comment which suggests that refpolicy uses the user_runtime_t type instead of user_tmp_t for /run/user

Comment 13 Petr Lautrbach 2021-06-09 06:05:01 UTC
*** Bug 1931131 has been marked as a duplicate of this bug. ***

