View Issue Details

ID: 0000498
Project: Rocky-Linux-9
Category: selinux-policy
View Status: public
Last Update: 2022-10-09 19:03
Reporter: Clinton Bunch
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: Rocky Linux
OS Version: 9
Summary: 0000498: SELinux blocks systemd from using LoadCredentials
Description: Using LoadCredential in a systemd service unit fails with a protocol error. audit2why shows SELinux blocked the creation of a ramfs that systemd uses to store the credentials.
Steps To Reproduce:

cat /etc/systemd/system/test-cred.service

[Unit]
Description=Processes IMAP mailbox for DMARC messages, parses them into a database

[Service]
Type=oneshot
LoadCredential=rr:/etc/redhat-release
ExecStart=/bin/cat ${CREDENTIALS_DIRECTORY}/rr
DynamicUser=true

[root@montes ~]# systemctl start test-cred.service
Job for test-cred.service failed because the control process exited with error code.
See "systemctl status test-cred.service" and "journalctl -xeu test-cred.service" for details.
Additional Information:

journalctl output:
Oct 09 12:25:41 montes.int.zentaur.org systemd[1]: Starting Processes IMAP mailbox for DMARC messages, parses them into a database...
Oct 09 12:25:41 montes.int.zentaur.org systemd[5323]: test-cred.service: Failed to set up credentials: Protocol error
Oct 09 12:25:41 montes.int.zentaur.org systemd[5323]: test-cred.service: Failed at step CREDENTIALS spawning /bin/cat: Protocol error
Oct 09 12:25:41 montes.int.zentaur.org systemd[1]: test-cred.service: Main process exited, code=exited, status=243/CREDENTIALS
Oct 09 12:25:41 montes.int.zentaur.org systemd[1]: test-cred.service: Failed with result 'exit-code'.
Oct 09 12:25:41 montes.int.zentaur.org systemd[1]: Failed to start Processes IMAP mailbox for DMARC messages, parses them into a database.

audit2why output:
type=AVC msg=audit(1665336341.298:119): avc: denied { create } for pid=5324 comm="(sd-mkdcreds)" name=".#credb116a97193b48e33" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Tags: ramfs, selinux, systemd

Activities

Clinton Bunch
2022-10-09 17:35
reporter   ~0000696

Fedora seems to have addressed this/a similar issue with this commit:
https://github.com/fedora-selinux/selinux-policy/commit/a7697467e082ffd4f68a9e03539db3578b5f34d5

Clinton Bunch
2022-10-09 18:46
reporter   ~0000697

This SELinux type enforcement file (generated from audit2allow) is a quick and dirty solution to the problem, but someone with far more experience with SELinux should make the determination as to what is the correct solution.

module systemd-loadcredentials 1.0;

require {
        type ramfs_t;
        type init_t;
        class file { create open read rename setattr write };
}

#============= init_t ==============
allow init_t ramfs_t:file { create open read rename setattr write };
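How a module like the one in this note is derived from the audit log, as an added example (my own code, not the reporter's and not audit2allow itself): each AVC record is reduced to its source type, target type, object class and denied permission set, the permissions are unioned per (source, target, class) triple, and the result is printed in the same require/allow shape. The first log line is the denial quoted in this report; the second is a constructed follow-on denial and the third a constructed non-AVC record, neither of which comes from the report.

```python
import re
from collections import defaultdict

# Fields of a kernel AVC denial record in the audit log: the denied permission
# set, the type field of each security context, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+):\S+.*?"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S+.*?"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return (perms, source type, target type, class) for a denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return frozenset(m["perms"].split()), m["stype"], m["ttype"], m["tclass"]

def collect_rules(lines):
    """Union the denied permissions per (source, target, class) triple."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            perms, stype, ttype, tclass = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_module(name, rules):
    """Emit TE source in the shape of the note above: require block, then allow rules."""
    types = sorted({t for (s, tt, _c) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_s, _t, c), perms in rules.items():
        classes[c] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"        type {t};" for t in types]
    out += [f"        class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

# Constructed sample log: the report's own denial, a made-up second denial of
# the same kind, and a non-AVC record that the parser must skip.
SAMPLE_LOG = [
    'type=AVC msg=audit(1665336341.298:119): avc: denied { create } for pid=5324 comm="(sd-mkdcreds)" name=".#credb116a97193b48e33" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1665336341.301:120): avc: denied { open read } for pid=5324 comm="(sd-mkdcreds)" name="rr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=0',
    "type=SYSCALL msg=audit(1665336341.298:119): arch=c000003e syscall=257 success=no exit=-13",
]
```

Emitting only the permissions actually observed keeps the grant to init_t on ramfs_t as narrow as the denials justify; the resulting .te file is compiled and loaded with checkmodule -M -m, semodule_package and semodule -i, exactly as for the module in the note.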

Issue History

Date Modified Username Field Change
2022-10-09 17:29 Clinton Bunch New Issue
2022-10-09 17:29 Clinton Bunch Tag Attached: systemd selinux ramfs
2022-10-09 17:34 Clinton Bunch Tag Detached: systemd selinux ramfs
2022-10-09 17:34 Clinton Bunch Tag Attached: systemd
2022-10-09 17:34 Clinton Bunch Tag Attached: selinux
2022-10-09 17:34 Clinton Bunch Tag Attached: ramfs
2022-10-09 17:35 Clinton Bunch Note Added: 0000696
2022-10-09 18:46 Clinton Bunch Note Added: 0000697