Bug 2031668 - SELinux is preventing systemd-networkd from watch access on the directory /
Summary: SELinux is preventing systemd-networkd from watch access on the directory /
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2049696
Depends On:
Blocks:
Reported: 2021-12-13 07:54 UTC by Zbigniew Jędrzejewski-Szmek
Modified: 2022-03-04 07:44 UTC (History)

Fixed In Version: selinux-policy-35.13-1.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-02-04 01:22:52 UTC
Type: Bug
Embargoed:

Links:
Red Hat Bugzilla 1965720 (medium, CLOSED): SELinux is preventing systemd-timesyncd from watch access on the directory /run/dbus (last updated 2021-12-16 19:38:35 UTC)

Description Zbigniew Jędrzejewski-Szmek 2021-12-13 07:54:43 UTC
Description of problem:
This is the same as #1965720, but for systemd-networkd now.

Dec 13 08:39:24 fedora-new audit[565]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=9 a1=7f1b4010a565 a2=180 a3=561ebb6fadb0 items=0 ppid=1 pid=565 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null)
Dec 13 08:39:24 fedora-new audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-networkd"
Dec 13 08:39:24 fedora-new systemd-networkd[565]: Failed to connect to bus: Permission denied
Dec 13 08:39:24 fedora-new systemd-networkd[565]: Could not setup manager: Permission denied

The service tries to start 5 times, immediately fails 5 times, and is marked as permanently failed; there is no network on the machine.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-35.6-1.fc36.noarch
systemd-networkd-250~rc1-2.fc36.x86_64

How reproducible:
I assume that there's a race here: if systemd-networkd is started a bit later, dbus-broker will have established the socket already, and the issue will not appear.

Steps to Reproduce:
1. Install a Fedora rawhide machine
2. systemctl disable NetworkManager && systemctl enable systemd-networkd
3. reboot

I think it'd make sense to just allow watch on /, /run, /run/dbus for everyone. We don't want to play whack-a-mole with each service that tries to connect to dbus asynchronously.

Comment 1 Milos Malik 2021-12-13 08:16:38 UTC
We need more information for analysis of this issue.

Please collect SELinux denials and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Thank you.

Comment 2 Zbigniew Jędrzejewski-Szmek 2021-12-13 08:40:04 UTC
'sudo dnf install /usr/sbin/ausearch' pulls in initscripts, uggggh.

Anyway, it doesn't work and ausearch always prints "<no matches>".
I think audit doesn't pick up the events, because it starts too late. 

$ journalctl -b --grep avc|cat
-- Journal begins at Sun 2021-12-12 22:24:06 CET, ends at Mon 2021-12-13 09:37:38 CET. --
Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for  pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for  pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for  pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for  pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for  pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for  pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Dec 13 09:34:15 fedora-new audit[564]: AVC avc:  denied  { watch } for  pid=564 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Dec 13 09:34:16 fedora-new audit[587]: AVC avc:  denied  { watch } for  pid=587 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Dec 13 09:34:16 fedora-new audit[588]: AVC avc:  denied  { watch } for  pid=588 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Dec 13 09:34:16 fedora-new audit[589]: AVC avc:  denied  { watch } for  pid=589 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Dec 13 09:34:16 fedora-new audit[591]: AVC avc:  denied  { watch } for  pid=591 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
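
An added example (mine, not code from the bug report or from selinux-policy) for the situation in comment 2, where ausearch finds nothing because auditd started too late and the AVC records only exist in the journal: it parses journal lines of the shape shown above, groups enforced (permissive=0) denials by source type, target type, object class and permission, and renders the audit2allow-style rule each group would need. The sample lines are constructed in the same format as the reporter's journalctl output.

```python
import re
from collections import Counter

# Constructed sample in the same format as the journalctl output in comment 2
# (not a capture from the reporter's machine): one unrelated sysctl denial,
# two of the networkd watch denials, and one non-AVC line that must be skipped.
SAMPLE_JOURNAL = """\
Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for  pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Dec 13 09:34:15 fedora-new audit[564]: AVC avc:  denied  { watch } for  pid=564 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Dec 13 09:34:16 fedora-new audit[587]: AVC avc:  denied  { watch } for  pid=587 comm="systemd-network" path="/" dev="vda2" ino=256 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Dec 13 09:34:16 fedora-new systemd-networkd[565]: Failed to connect to bus: Permission denied
"""

# "AVC avc:  denied  { watch } for  pid=564 comm=..." -> result, permission set, key=value tail
AVC_RE = re.compile(r'AVC avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC journal line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": frozenset(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def type_of(context):
    """'system_u:system_r:systemd_networkd_t:s0' -> 'systemd_networkd_t' (the type field)."""
    return context.split(":")[2]

def summarize(journal_text):
    """Count enforced denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        # permissive=1 records are audit-only and did not block anything, so skip them.
        if rec and rec["result"] == "denied" and rec.get("permissive") == "0":
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], rec["perms"])] += 1
    return counts

def allow_rules(counts):
    """Render each denial group as the type-enforcement rule audit2allow would print."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c, p) in counts)
```

On a real machine feed it `journalctl -b --grep avc` output instead of the sample; the rule list is what a per-service local policy module would carry, which is the whack-a-mole the reporter wants to avoid by allowing watch on /, /run and /run/dbus generally.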

Comment 3 Zdenek Pytela 2021-12-13 16:36:02 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #2)
> 'sudo dnf install /usr/sbin/ausearch' pulls in initscripts, uggggh.
I suppose initscripts-service should be enough, but this anyway is a different component.

Summary fixed.

> Anyway, it doesn't work and ausearch always prints "<no matches>".
> I think audit doesn't pick up the events, because it starts too late. 
Right.

These ones are not related: 
> $ journalctl -b --grep avc|cat
> -- Journal begins at Sun 2021-12-12 22:24:06 CET, ends at Mon 2021-12-13
> 09:37:38 CET. --
> Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for 
> pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573
> scontext=system_u:system_r:systemd_sysctl_t:s0
> tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
> Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for 
> pid=553 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15573
> scontext=system_u:system_r:systemd_sysctl_t:s0
> tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
> Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for 
> pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc"
> ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0
> tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
> Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for 
> pid=553 comm="systemd-sysctl" name="protected_hardlinks" dev="proc"
> ino=15593 scontext=system_u:system_r:systemd_sysctl_t:s0
> tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
> Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for 
> pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594
> scontext=system_u:system_r:systemd_sysctl_t:s0
> tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
> Dec 13 09:34:14 fedora-new audit[553]: AVC avc:  denied  { read } for 
> pid=553 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15594
> scontext=system_u:system_r:systemd_sysctl_t:s0
> tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0

Comment 4 Zdenek Pytela 2022-01-26 13:49:47 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1028

Comment 5 Fedora Update System 2022-02-02 12:10:58 UTC
FEDORA-2022-20f36a8b0e has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e

Comment 6 Fedora Update System 2022-02-03 01:35:15 UTC
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-20f36a8b0e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2022-02-04 01:22:52 UTC
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Zbigniew Jędrzejewski-Szmek 2022-03-04 07:44:40 UTC
*** Bug 2049696 has been marked as a duplicate of this bug. ***
