Bug 1688671 - SELinux is preventing init_t to read session_dbusd_tmp_t directories
Summary: SELinux is preventing init_t to read session_dbusd_tmp_t directories
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 8.1
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-14 08:06 UTC by Cédric Jeanneret
Modified: 2019-04-09 18:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Launchpad 1820019 None None None 2019-03-14 08:07:59 UTC

Description Cédric Jeanneret 2019-03-14 08:06:15 UTC
Description of problem:


Version-Release number of selected component (if applicable):
rpm-plugin-systemd-inhibit-4.14.2-9.el8.x86_64
python3-systemd-234-8.el8.x86_64
systemd-libs-239-13.el8.x86_64
systemd-pam-239-13.el8.x86_64
systemd-udev-239-13.el8.x86_64
systemd-239-13.el8.x86_64
oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8+2769+577ad176.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Install a rhel8 system
2. Deploy RHOSP-15
3.

Actual results:
audit.log is spammed with:
type=AVC msg=audit(1552550628.422:5188): avc:  denied  { read } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1552550628.423:5189): avc:  denied  { read } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0

Expected results:
Nothing like this should show up

Additional info:
journald log shows:
Mar 14 08:03:49 undercloud.localdomain setroubleshoot[95890]: SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from read access on the directory dbus-1. For complete SELinux messages run: sealert -l d74972a4-9c79-48f7-83b3->
Mar 14 08:03:49 undercloud.localdomain platform-python[95890]: SELinux is preventing /usr/lib/systemd/systemd-user-runtime-dir from read access on the directory dbus-1.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that systemd-user-runtime-dir should be allowed read access on the dbus-1 directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'systemd-user-ru' --raw | audit2allow -M my-systemduserru
    # semodule -X 300 -i my-systemduserru.pp


The policy looks like:
allow init_t session_dbusd_tmp_t:dir read;

I'm not sure we won't need write or other rights (will test on my own and report update here).

Thank you for your support!

Cheers,

C.
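Added example, not part of the bug report and not code from the selinux-policy project: a small Python parser for AVC records like the two quoted above. It groups denials by source type, target type and object class and emits the equivalent `allow` rule, which is the same transformation `audit2allow` performs on the `ausearch --raw` output in the setroubleshoot hint. The sample log is constructed inline from the report's two AVC lines plus a SYSCALL record (so the parser can be seen skipping non-AVC records); the `enforced` flag is derived from the `permissive=` field, which tells you whether the denial actually blocked the access.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the report, followed by
# a SYSCALL record (also constructed) that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1552550628.422:5188): avc:  denied  { read } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1552550628.423:5189): avc:  denied  { read } for  pid=95952 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=605557 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1552550628.423:5189): arch=c000003e syscall=257 success=no exit=-13
"""

# Fields of an AVC record we need to reconstruct a TE rule. permissive= is
# optional because older kernels did not emit it.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>\d))?'
)


def context_type(ctx):
    """Return the type component of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc_lines(text):
    """Parse every AVC record in `text`; lines of other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "decision": m.group("decision"),
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but allowed through
            "enforced": m.group("permissive") != "1",
        })
    return records


def aggregate_denials(records):
    """Union the denied permissions per (source type, target type, class) triple."""
    agg = defaultdict(set)
    for r in records:
        if r["decision"] != "denied":
            continue
        agg[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(agg)


def to_allow_rules(agg):
    """Render aggregated denials as TE allow rules, one per triple."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(agg.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    parsed = parse_avc_lines(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(aggregate_denials(parsed)):
        print(rule)
```

Run against the sample, the output is the single rule the reporter quotes, `allow init_t session_dbusd_tmp_t:dir read;`. Grouping by type triple rather than by individual record is deliberate: it collapses the repeated denials from the same process into one rule and merges further permissions (the `write` the reporter is unsure about) into one `{ read write }` set if they appear later in the log, which is also how you would recognise that a generated local module covers more than the one access you set out to allow.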

