Why is SELinux blocking systemctl –user / systemd user instance commands

fedoraselinuxsystemd

I have a number of Fedora 27 systems. I am reasonably comfortable with SELinux. I run it on all my systems, with the "unconfined" module disabled.

On this particular system, SELinux is blocking all "systemctl –user" commands:

$ systemctl --user status
Failed to read server status: Access denied

This worked until recently. I don't know what changed. I did upgrade from Fedora 26 to Fedora 27 recently, but the timing is not the same as this problem, I don't think.

The part that's weirding me out, and making it hard to know what to do next, is that there's nothing about it in auditd, at all.

In syslog I get:

Dec 25 09:48:07 jukni systemd[669]: selinux: avc:  denied  { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0

Further, this:

$ systemctl --user restart lojban_mediawiki_web
Failed to restart lojban_mediawiki_web.service: Access denied
See user logs and 'systemctl --user status lojban_mediawiki_web.service' for details.

Gives this in syslog:

Dec 25 09:49:06 jukni systemd[669]: selinux: avc:  denied  { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0

I can't find anything in sesearch about self:system, and all I can
find in https://github.com/TresysTechnology/refpolicy.git or
https://github.com/TresysTechnology/refpolicy-contrib.git is:

policy/modules/kernel/kernel.te
481:    allow can_load_kernmodule self:system module_load;

policy/modules/system/init.te
225:    allow init_t self:system { status reboot halt reload };

My other similar systems don't have this problem. A relabel reboot
did not help. The contexts of the user unit files are:

$ ls -lZ ~/.config/systemd/user/
total 8
drwxr-xr-x. 2 sampre sampre staff_u:object_r:user_home_t:s0  66 Feb  6  2017 default.target.wants
-rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 417 Jul 14 00:32 jbotcan_database.service
-rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 419 Jul 14 00:32 jbotcan_site.service

, which I have no idea if that's correct or not.

Changing this user's login to sysadm_u or user_u didn't help either.

I have no idea where to even go from here. I mean, I could make a
custom module to implement the AVCs that are going to syslog, but
that seems like The Wrong Thing ™, since clearly the OS didn't
ship without this working.

Added:

$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Added #2:

I've now rebooted one of my other Fedora 27 boxes and:

Jan  5 23:31:38 vrici systemd[5992]: selinux: avc:  denied  { status } for auid=n/a uid=1000 gid=1000 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcla

ss=system permissive=0

which makes it feel a lot more like a bug with systemd or selinux.

Best Answer

I think you need to change to the sysadm_r role, maybe try:

sudo -u <your_user> -r sysadm_r -t sysadm_t systemctl --user status?

That could indeed be a bug in the policy, users should be able to manage their own services IMVHO (compared to the system ones). I guess you should report that to fedora selinux-policy package.

Also, did you try to relabel the filesystem with restorecon -RFv /? This will force (-F) some extra identifier to be reset.

Related Solutions

Redhat Apache fast-cgi selinux permissions

Running FastCGI your way leaves a big security hole: the PHP interpreter is run as user "httpd" (at least I can't see anything about suexec here).

We have a working setup with SELinux and PHP as FastCGI here at CentOS 6, but it was really tricky to get everything working.

A few tips for the start:

you don't need to reboot to disable/enable selinux - just use the command "setenforce 0" or "setenforce 1" :)
always try to get everything working with SELinux disabled, then enable it and have a look at audit.log

Here we go:

enable suexec
change SELinux type for php.fcgi to httpd_fastcgi_script_exec_t
your FastCGI starter (php.fcgi) should not be writable by the user owning it (otherwise he can tweak many settings and limits). Give it the "immutable" flag: chattr +i php.fcgi

suexec has some trouble with FastCGI, so we have to make it permissive:

yum install policycoreutils-python
semanage permissive -a httpd_suexec_t

Good luck!

Centos – Configure selinux to allow openldap on CentOS 6.4

If you filter the audit logs through audit2allow(1) and audit2why you'll get an approximate idea of what is happening:

#============= slapd_t ==============
allow slapd_t self:capability sys_nice;
allow slapd_t var_log_t:file { write read };
------------------------------------

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1372888328.408:3263): avc:  denied  { sys_nice } for  pid=1492 comm=slapd capability=23  scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1372888328.424:3264): avc:  denied  { read } for  pid=1493 comm=slapd name=log.0000000001 dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

Checking labeling

It is unlikely a label restore prevents you from starting a service if SELinux is in permissive mode. Also, why the -F switch?

To know if you have to restore the labeling of a directory or file, first find out what context a file or directory is supposed to have:

# matchpathcon /etc/openldap/
/etc/openldap   system_u:object_r:etc_t:s0

Then list its security context:

# ls -ldZ /etc/openldap/
drwxr-xr-x. root root system_u:object_r:etc_t:s0       /etc/openldap//

In this example, no further action is needed.

With regards to your issue, the problem is not labeling per se, but a missing type enforcement rule, i.e., a rule that allows a labeled process to transition from one confined domain to another, or to read files with an specific label, for example.

Creating an SELinux module

You can try to build a module that allows the slapd_t to perform the operations which appeared in the audit.log. It is probable that you need further adjustments in your code. Use audit2allow, and make for this task. All commands are very well documented in their respective manpages. The process will look roughly like this (after copying the relevant messages into audit.txt):

audit2allow -i audit.txt -m slapd -o slapd.te
make -f /usr/share/selinux/devel/Makefile load

Also, check if a bug report for the SELinux policy regarding this issue already exists.