What were you trying to do that didn't work?

When a service is of type "Notify" and its startup script executes systemd-notify to tell systemd it's ready, the following AVCs pop up, preventing the service from starting:

----
type=PROCTITLE msg=audit(02/15/2024 02:30:53.641:324) : proctitle=systemd-notify --ready
type=SOCKADDR msg=audit(02/15/2024 02:30:53.641:324) : saddr={ saddr_fam=local path=/run/systemd/notify }
type=SYSCALL msg=audit(02/15/2024 02:30:53.641:324) : arch=x86_64 syscall=sendmsg success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x7fff369c3650 a2=MSG_NOSIGNAL a3=0x2b items=0 ppid=5986 pid=5988 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)
type=AVC msg=audit(02/15/2024 02:30:53.641:324) : avc: denied { sys_admin } for pid=5988 comm=systemd-notify capability=sys_admin scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(02/15/2024 02:30:53.641:325) : proctitle=systemd-notify --ready
type=PATH msg=audit(02/15/2024 02:30:53.641:325) : item=0 name=/run/systemd/notify inode=11799 dev=00:18 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2024 02:30:53.641:325) : cwd=/
type=SOCKADDR msg=audit(02/15/2024 02:30:53.641:325) : saddr={ saddr_fam=local path=/run/systemd/notify }
type=SYSCALL msg=audit(02/15/2024 02:30:53.641:325) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7fff369c3650 a2=MSG_NOSIGNAL a3=0x2b items=1 ppid=5986 pid=5988 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)
type=AVC msg=audit(02/15/2024 02:30:53.641:325) : avc: denied { sendto } for pid=5988 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
----

Note the AVC on sys_admin is unrelated. Above we can see the target context being kernel_t, even though the socket file itself looks OK:

# ls -Zd /run/systemd/notify
system_u:object_r:init_var_run_t:s0 /run/systemd/notify

Please provide the package NVR for which the bug is seen:

systemd-239-79.el8.x86_64

It is reproducible on RHEL8, RHEL9 and Fedora 38.

How reproducible:

Always

Steps to reproduce

Create /etc/systemd/system/repro.service with the content below:

[Service]
Type=notify
NotifyAccess=all
ExecStart=/bin/sh -c "sleep 3; systemd-notify --ready; sleep 30"

Reload systemd and start the service:

# systemctl daemon-reload
# systemctl start repro

Expected results

No failure

Actual results

AVCs + failure:

Feb 15 02:30:53 machine sh[5988]: Failed to notify init system: Permission denied
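As an added example (not part of the report above), a small Python triage script that groups audit records by event serial and, for each AVC denial, places the target label from the AVC beside the path label from the PATH record of the same event; that is exactly where the kernel_t versus init_var_run_t discrepancy in this report becomes visible. The sample records are constructed from the quoted ones with unrelated fields dropped.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's records (same serials, contexts
# and denials as quoted above; unrelated fields dropped to keep the lines short).
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/15/2024 02:30:53.641:324) : avc: denied { sys_admin } for pid=5988 comm=systemd-notify capability=sys_admin scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0
type=PATH msg=audit(02/15/2024 02:30:53.641:325) : item=0 name=/run/systemd/notify inode=11799 dev=00:18 mode=socket,777 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL
type=AVC msg=audit(02/15/2024 02:30:53.641:325) : avc: denied { sendto } for pid=5988 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
"""

SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")  # event serial after the timestamp
FIELD_RE = re.compile(r"(\w+)=(\S+)")                # key=value pairs
DENIED_RE = re.compile(r"denied\s+\{([^}]*)\}")      # permissions listed inside { }

def parse_events(text):
    """Group audit records by event serial; each record becomes a field dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not (m := SERIAL_RE.search(line)):
            continue
        rec = dict(FIELD_RE.findall(line))
        denied = DENIED_RE.search(line)
        rec["denied"] = denied.group(1).split() if denied else []
        events[int(m.group(1))].append(rec)
    return events

def selinux_type(context):
    """Type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def triage(text):
    """One summary per AVC denial, with the path label(s) seen in the same event."""
    findings = []
    for serial, recs in sorted(parse_events(text).items()):
        path_types = {selinux_type(r["obj"]) for r in recs if r.get("type") == "PATH" and "obj" in r}
        for r in recs:
            if r.get("type") != "AVC":
                continue
            target = selinux_type(r["tcontext"])
            findings.append({
                "serial": serial, "comm": r.get("comm"), "denied": r["denied"],
                "tclass": r["tclass"], "source": selinux_type(r["scontext"]),
                "target": target, "path_types": sorted(path_types),
                # sendto on a unix_dgram_socket is checked against the peer socket's
                # label, which can differ from the label on the socket path itself.
                "peer_label_mismatch": (r["tclass"] == "unix_dgram_socket"
                                        and bool(path_types) and target not in path_types),
            })
    return findings
```

Running triage(SAMPLE_AUDIT) flags event 325 with peer_label_mismatch set, target kernel_t and path label init_var_run_t, while the unrelated sys_admin denial in event 324 is listed without a mismatch.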
Resolution: Won't Do