Re: [selinux] SELinux blocking systemctl --user ??

On Mon, Dec 25, 2017 at 10:08:33AM -0800, Robin Lee Powell wrote:
> On Mon, Dec 25, 2017 at 10:01:16AM -0800, Robin Lee Powell wrote:
> > 
> > On a host with unconfined disabled, running this as a
> > staff_u/staff_t user:
> > 
> > [sampre_mw@jukni ~]$ systemctl --user status
> > Failed to read server status: Access denied
> > 
> > worked until recently.  I just upgraded to Fedora 27, but I *think*
> > this worked after the upgrade, so I don't know what's going on
> > there.
> > 
> > I get nothing whatever in auditd, which is weird.  In syslog I get:
> > 
> > Dec 25 09:48:07 jukni systemd[669]: selinux: avc:  denied  { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0
> > 
> > Further, this:
> > 
> > [sampre_mw@jukni ~]$ systemctl --user restart lojban_mediawiki_web
> > Failed to restart lojban_mediawiki_web.service: Access denied
> > See user logs and 'systemctl --user status lojban_mediawiki_web.service' for details.
> > 
> > Gives this in syslog:
> > 
> > Dec 25 09:49:06 jukni systemd[669]: selinux: avc:  denied  { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0
> > 
> > I can't find anything in sesearch about self:system, and all I can
> > find in
> > https://github.com/TresysTechnology/refpolicy.git  or
> > https://github.com/TresysTechnology/refpolicy-contrib.git is:
> > 
> > policy/modules/kernel/kernel.te
> > 481:    allow can_load_kernmodule self:system module_load;
> > 
> > policy/modules/system/init.te
> > 225:    allow init_t self:system { status reboot halt reload };
> > 
> > It strikes me as unlikely that F27 *actually* shipped with a setup
> > that makes systemctl user operations not work.
> > 
> > I don't have a comparable user to test with, really, but at first
> > glance my other F27 systems seem OK.
> > 
> > Any idea what I broke?
> 
> I have confirmed that a comparable user on one of my other F27
> systems works fine.
> 
> Does it seem like a relabel reboot would be worthwhile?
> 
> Also, what should the type of user unit files be?
> 
> [sampre@vrici ~]$ ls -lZ ~/.config/systemd/user/
> total 8
> drwxr-xr-x. 2 sampre sampre staff_u:object_r:user_home_t:s0  66 Feb  6  2017 default.target.wants
> -rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 417 Jul 14 00:32 jbotcan_database.service
> -rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 419 Jul 14 00:32 jbotcan_site.service
> 
> ^^ that's on the system that's working, but setting it to
> user_home_t on the other system doesn't seem to help anything.

I have done a relabel reboot; it didn't help.  I've upgraded
everything to F27 latest.

I have no idea where to go from here; any hints?  Is there a more
active place to ask SELinux questions?
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
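
Added example, not part of the original post: a small Python parser (function names are this example's own) that pulls the fields out of the two systemd `selinux: avc:  denied` syslog lines quoted above. It writes each denied access in rule syntax, the form to compare against `sesearch` output.

```python
import re

# The two syslog lines quoted in the message above, copied verbatim.
SAMPLE_LOG = '''Dec 25 09:48:07 jukni systemd[669]: selinux: avc:  denied  { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0
Dec 25 09:49:06 jukni systemd[669]: selinux: avc:  denied  { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """The type is the third field of user:role:type[:level]; the level may contain ':' too."""
    return context.split(':')[2]


def rule_shape(fields):
    """Write the denied access in policy-rule syntax, for comparison with sesearch output."""
    source = context_type(fields['scontext'])
    target = context_type(fields['tcontext'])
    if target == source:
        target = 'self'  # same-type target, written as in the post's "self:system"
    return 'allow %s %s:%s { %s };' % (source, target, fields['tclass'], ' '.join(fields['perms']))


def denials(log_text):
    """Parse every AVC denial found in a block of syslog text."""
    return [f for f in map(parse_avc, log_text.splitlines()) if f is not None]


if __name__ == '__main__':
    for d in denials(SAMPLE_LOG):
        mode = 'enforcing' if d['permissive'] == '0' else 'permissive'
        print(rule_shape(d), '|', mode, '| unit file:', d.get('path', '-'))
```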



