On Mon, Jan 22, 2018 at 11:11:34AM +0100, Lukas Vrabec wrote:
> On 12/29/2017 07:56 AM, Robin Lee Powell wrote:
> >
> >
> > On Thu, Dec 28, 2017 at 10:36:05PM -0800, Robin Lee Powell wrote:
> > > On Mon, Dec 25, 2017 at 10:08:33AM -0800, Robin Lee Powell wrote:
> > > > On Mon, Dec 25, 2017 at 10:01:16AM -0800, Robin Lee Powell wrote:
> > > > >
> > > > > On a host with unconfined disabled, running this as a
> > > > > staff_u/staff_t user:
> > > > >
> > > > > [sampre_mw@jukni ~]$ systemctl --user status
> > > > > Failed to read server status: Access denied
> > > > >
> > > > > worked until recently. I just upgraded to Fedora 27, but I *think*
> > > > > this worked after the upgrade, so I don't know what's going on
> > > > > there.
> > > > >
> > > > > I get nothing whatever in auditd, which is weird. In syslog I get:
> > > > >
> > > > > Dec 25 09:48:07 jukni systemd[669]: selinux: avc: denied { status } for auid=n/a uid=1086 gid=1086 cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0
> > > > >
> > > > > Further, this:
> > > > >
> > > > > [sampre_mw@jukni ~]$ systemctl --user restart lojban_mediawiki_web
> > > > > Failed to restart lojban_mediawiki_web.service: Access denied
> > > > > See user logs and 'systemctl --user status lojban_mediawiki_web.service' for details.
> > > > >
> > > > > Gives this in syslog:
> > > > >
> > > > > Dec 25 09:49:06 jukni systemd[669]: selinux: avc: denied { start } for auid=n/a uid=1086 gid=1086 path="/home/sampre_mw/.config/systemd/user/lojban_mediawiki_web.service" cmdline="" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0
> > > > >
> > > > > I can't find anything in sesearch about self:system, and all I can
> > > > > find in
> > > > > https://github.com/TresysTechnology/refpolicy.git or
> > > > > https://github.com/TresysTechnology/refpolicy-contrib.git is:
> > > > >
> > > > > policy/modules/kernel/kernel.te
> > > > > 481: allow can_load_kernmodule self:system module_load;
> > > > >
> > > > > policy/modules/system/init.te
> > > > > 225: allow init_t self:system { status reboot halt reload };
> > > > >
> > > > > It strikes me as unlikely that F27 *actually* shipped with a setup
> > > > > that makes systemctl user operations not work.
> > > > >
> > > > > I don't have a comparable user to test with, really, but at first
> > > > > glance my other F27 systems seem OK.
> > > > >
> > > > > Any idea what I broke?
> > > >
> > > > I have confirmed that a comparable user on one of my other F27
> > > > systems works fine.
> > > >
> > > > Does it seem like a relabel reboot would be worthwhile?
> > > >
> > > > Also, what should the type of user unit files be?
> > > >
> > > > [sampre@vrici ~]$ ls -lZ ~/.config/systemd/user/
> > > > total 8
> > > > drwxr-xr-x. 2 sampre sampre staff_u:object_r:user_home_t:s0 66 Feb 6 2017 default.target.wants
> > > > -rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 417 Jul 14 00:32 jbotcan_database.service
> > > > -rw-rw-r--. 1 sampre sampre staff_u:object_r:user_home_t:s0 419 Jul 14 00:32 jbotcan_site.service
> > > >
> > > > ^^ that's on the system that's working, but setting it to
> > > > user_home_t on the other system doesn't seem to help anything.
> > >
> > > I have done a relabel reboot; it didn't help. I've upgraded
> > > everything to F27 latest.
> > >
> > > I have no idea where to go from here; any hints? Is there a more
> > > active place to ask SELinux questions?
> >
> > I also checked that sysadm_u and user_u can't run "systemctl --user
> > status" either, so it's not just that staff_u is broken in some way.
> > _______________________________________________
> > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> >
>
> Hi Robin,
>
> Sorry for late reply.
>
> I worked on this issue. At first, I allowed SELinux denial related to using
> systemctl command for SELInux users sysadm_t and staff_t:
>
> # sesearch -A -s staff_t -t staff_t -c system -p status
> allow staff_t staff_t:system { disable enable halt ipc_info module_load
> module_request reboot reload start status stop syslog_console syslog_mod
> syslog_read undefined };
>
> # sesearch -A -s sysadm_t -t sysadm_t -c system -p status
> allow sysadm_t sysadm_t:system { disable enable halt ipc_info module_load
> module_request reboot reload start status stop syslog_console syslog_mod
> syslog_read undefined };
>
>
> Next thing, I label HOME_DIR/.config/systemd/user/ as systemd_unit_file_t
> which means that all user systemd unit files will have label
> systemd_unit_file_t and confined user can access it:
>
> # sesearch -A -s staff_t -t systemd_unit_file_t -c service
> allow staff_t systemd_unit_file_type:service { disable enable reload start
> status stop };
>
> # sesearch -A -s sysadm_t -t systemd_unit_file_t -c service
> allow sysadm_t systemd_unit_file_type:service { disable enable reload start
> status stop };
>
> I created nightly build for Rawhide with all fixes:
> https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-nightly/build/703997/
>
>
> It should be also part of next selinux-policy update for Fedora 27.
Excellent! Thank you so much, both for the work and the
explanation.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
