systemd-tmpfiles-setup.service fails after switching SELinux to enforcing

Bug #1563354 reported by Andreas Florath
Affects: systemd (Ubuntu) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned

Bug Description

After switching SELinux to enforcing, the systemd-tmpfiles-setup.service failed:

Mar 29 16:12:42 systemd-tmpfiles[546]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var: Permission denied
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var/log: Permission denied
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var/lib: Permission denied
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /home: Permission denied
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /srv: Permission denied
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var/lib/systemd: Permission denied
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var/lib/systemd/coredump: Permission denied
Mar 29 16:12:43 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var/cache: Permission denied
Mar 29 16:12:43 systemd[1]: systemd-tmpfiles-setup.service: Main process exited, code=exited, status=1/FAILURE
Mar 29 16:12:43 systemd[1]: Failed to start Create Volatile Files and Directories.
Mar 29 16:12:43 systemd[1]: systemd-tmpfiles-setup.service: Unit entered failed state.
Mar 29 16:12:43 systemd[1]: systemd-tmpfiles-setup.service: Failed with result 'exit-code'.

No further AVC or audit.log is logged. When manually setting 'setenforce 0' and starting this service, it obviously works fine.

My environment:

# lsb_release -rd
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04

(Build / packages from last night)

# apt-cache policy systemd
systemd:
  Installed: 229-3ubuntu1
  Candidate: 229-3ubuntu1

If you need more info, please drop a short note.
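As an added triage aid, not part of the bug report, the following Python parses journal lines like those above into the paths whose SELinux context could not be fixed and the exit status of the failed unit. The sample lines are constructed from the excerpt in the report; the note about dontaudit rules in `silent_denial_suspected` is a general SELinux fact and an assumption about this case, not something the report establishes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the journal excerpt in the report (not the full log).
SAMPLE_JOURNAL = """\
Mar 29 16:12:42 systemd-tmpfiles[546]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var: Permission denied
Mar 29 16:12:42 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var/log: Permission denied
Mar 29 16:12:43 systemd-tmpfiles[546]: Unable to fix SELinux security context of /var/cache: Permission denied
Mar 29 16:12:43 systemd[1]: systemd-tmpfiles-setup.service: Main process exited, code=exited, status=1/FAILURE
Mar 29 16:12:43 systemd[1]: Failed to start Create Volatile Files and Directories.
"""

# "Unable to fix SELinux security context of <path>: <errno text>"
RELABEL_RE = re.compile(
    r"systemd-tmpfiles\[\d+\]: Unable to fix SELinux security context of (\S+): (.+)$"
)
# "<unit>: Main process exited, code=exited, status=<n>/..."
EXIT_RE = re.compile(r"systemd\[1\]: (\S+): Main process exited, code=exited, status=(\d+)/")


@dataclass
class TmpfilesTriage:
    relabel_failures: dict = field(default_factory=dict)  # path -> error text
    failed_units: dict = field(default_factory=dict)      # unit name -> exit status

    def silent_denial_suspected(self) -> bool:
        """True when relabels failed with EACCES. If audit.log shows no matching AVC,
        the denial was most likely suppressed by a dontaudit rule; rebuilding the policy
        with dontaudit rules disabled (semodule -DB; semodule -B restores them) reveals it."""
        return any(err.startswith("Permission denied") for err in self.relabel_failures.values())


def triage_journal(journal_text: str) -> TmpfilesTriage:
    """Collect relabel failures and failed units from journal lines."""
    result = TmpfilesTriage()
    for line in journal_text.splitlines():
        m = RELABEL_RE.search(line)
        if m:
            result.relabel_failures[m.group(1)] = m.group(2).strip()
            continue
        m = EXIT_RE.search(line)
        if m:
            result.failed_units[m.group(1)] = int(m.group(2))
    return result
```

Feed it `journalctl -u systemd-tmpfiles-setup.service` output to get the list of paths to check with `matchpathcon` and `ls -Z` before deciding whether the policy or the on-disk labels are at fault.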

Martin Pitt (pitti) wrote :

We don't support SELinux in Ubuntu (only AppArmor), and I'm afraid this doesn't tell me anything. Can you please report this upstream directly (https://github.com/systemd/systemd/issues), as most people there actually use SELinux? Thanks!

Andreas Florath (florath) wrote :

> We don't support SELinux in Ubuntu (only AppArmor),

That sounds more than strange:
There are many hints that Ubuntu (also) supports SELinux [1] [2].

I'm not sure how you work together with the people of AppArmor or SELinux:
typically the application developers / maintainers should discuss the MAC rules with the maintainers of the appropriate MAC implementation (because those are the people who should know what the application should be allowed to do). Therefore my idea was that you tell those people: my application needs those rules, please implement them.

One thing I could imagine (after reading your answer) is that this bug might be related to the selinux-policy-default package?

I'm somewhat convinced that the problem is Ubuntu-related: the appropriate policy packages were especially created for Debian / Ubuntu - this has nothing to do with the upstream systemd (therefore I see no sense in reporting this there).
(I have a running Debian Jessie using systemd with SELinux set to enforcing for a year now - without these problems.)

Would it be possible that you discuss with the SELinux-Ubuntu people how to handle this kind of problem?

[1] https://wiki.ubuntu.com/Security/Features
[2] http://packages.ubuntu.com/search?keywords=selinux&searchon=names&suite=xenial&section=all

Martin Pitt (pitti) wrote :

> I have a running Debian Jessie using systemd with SELinux set to enforcing for a year now - without these problems.

Yes, SELinux is actually maintained in Debian.

> Would it be possible that you discuss this with the SELinux-Ubuntu people,

There are no "SELinux Ubuntu" people. As I said, this isn't supported in Ubuntu and nobody works on this, so the profiles available in universe are provided on a best-effort basis. Personally I don't know the first thing about SELinux, and I'm afraid I don't have the time to deal with this myself.

Dan Streetman (ddstreet)
Changed in systemd (Ubuntu):
status: New → Won't Fix