Problem
By default, systemd-logind scans /dev/shm for user-owned POSIX IPC objects (shared memory segments, semaphores) to clean up when a user session ends.
The systemd-logind policy correctly handles the default /dev/shm file context (tmpfs_t).
When RefPolicy is built with distro_debian, a file transition causes initrc_t domains to create initrc_runtime_t directories under /dev/shm instead of tmpfs_t, so systemd_logind_t is denied access to them.
The file transition predates systemd.
Sample errors
Failed to stat() POSIX shared memory segment /dev/shm/[SNIP]: Permission denied
type=PROCTITLE proctitle=/usr/lib/systemd/systemd-logind
type=PATH item=0 name=[SNIP] inode=2 dev=00:16 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD cwd=/
type=SYSCALL arch=aarch64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xa a1=0x555602ab60c3 a2=0x7ffffcc3b488 a3=0x100 items=1 ppid=1 pid=411 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC avc: denied { getattr } for pid=411 comm=systemd-logind path=/dev/shm/[SNIP] dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=dir permissive=0
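As an added example (not part of this report), a small Python checker that scans audit records for AVC denials on paths under /dev/shm whose target type is not tmpfs_t, which is exactly the mislabel described above. The sample records are taken from this report ([SNIP] kept as in the original) plus one constructed unrelated denial that must not be flagged.

```python
import re
from typing import Optional

# Audit records from the report (path redacted as [SNIP] there) plus one
# constructed, unrelated denial under /run that the checker must ignore.
SAMPLE_AUDIT = """\
type=CWD cwd=/
type=PATH item=0 name=[SNIP] inode=2 dev=00:16 mode=dir,700 ouid=root ogid=root obj=system_u:object_r:initrc_runtime_t:s0
type=AVC avc: denied { getattr } for pid=411 comm=systemd-logind path=/dev/shm/[SNIP] dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=dir permissive=0
type=AVC avc: denied { read } for pid=500 comm=example path=/run/example dev="tmpfs" ino=9 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0
"""

# Type that entries under /dev/shm normally carry; anything else is a mislabel.
EXPECTED_SHM_TYPE = "tmpfs_t"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*)\}')  # { getattr read ... }

def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of an AVC denial record, or None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PERM_RE.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields

def selinux_type(context: str) -> str:
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]

def shm_mislabels(audit_text: str) -> list:
    """List AVC denials on /dev/shm entries whose target type is not the expected tmpfs_t."""
    findings = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None or not avc.get("path", "").startswith("/dev/shm/"):
            continue
        ttype = selinux_type(avc["tcontext"])
        if ttype != EXPECTED_SHM_TYPE:
            findings.append({
                "path": avc["path"],
                "scontext_type": selinux_type(avc["scontext"]),
                "tcontext_type": ttype,
                "tclass": avc.get("tclass"),
                "perms": avc["perms"],
                "expected": EXPECTED_SHM_TYPE,
            })
    return findings

if __name__ == "__main__":
    for f in shm_mislabels(SAMPLE_AUDIT):
        print(f"{f['path']}: {f['scontext_type']} denied {f['perms']} on "
              f"{f['tclass']} labelled {f['tcontext_type']} (expected {f['expected']})")
```

On a live system the same function can be fed the output of `ausearch -m AVC` to confirm the denial pattern before choosing between the two remedies below.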
Potential remedies
Remove the (potentially) obsolete transition
Allow systemd_logind_t to interact with initrc_runtime_t directories
Real world sample
Applications using IPC (semaphores, shared memory, message queues) have problems after update to RHEL 7.2