Bug 1328956

Summary: systemd labelling problem (or maybe audit2allow problem?) on rawhide
Product: [Fedora] Fedora
Reporter: Robin Powell <rlpowell>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Docs Contact:
Priority: low
Version: rawhide
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, rlpowell
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-22 17:42:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Robin Powell 2016-04-20 17:48:57 UTC
root@vrici# cat /tmp/crap2.txt | audit2allow -R

require {
        type svirt_lxc_net_t;
        type rkt_var_lib_t;
        class file entrypoint;
}

#============= svirt_lxc_net_t ==============

#!!!! The file '/usr/lib/systemd/systemd' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/lib/systemd/systemd
allow svirt_lxc_net_t rkt_var_lib_t:file entrypoint;


OK, fine, I'll run the command, but it doesn't do anything:

root@vrici# ls -lZ /usr/lib/systemd/systemd
-rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 1641144 Apr 18 19:37 /usr/lib/systemd/systemd
root@vrici# restorecon -R -v /usr/lib/systemd/systemd
root@vrici# ls -lZ /usr/lib/systemd/systemd
-rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 1641144 Apr 18 19:37 /usr/lib/systemd/systemd
root@vrici#


The AVC in question:

root@vrici# cat /tmp/crap2.txt

type=AVC msg=audit(1461174118.340:6117): avc:  denied  { entrypoint } for  pid=3232 comm="systemd-nspawn" path="/usr/lib/systemd/systemd" dev="overlay" ino=263237 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1
root@vrici#

Comment 1 Daniel Walsh 2016-04-21 04:57:03 UTC
This /usr/lib/systemd/systemd is under /var/lib/rkt

I believe the problem is this content should be labeled svirt_sandbox_file_t.  If you allow this rule, does the container work?
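The AVC in the description and Dan's diagnosis in comment 1 illustrate why audit2allow's "mislabeled" hint is wrong here: the path in the record is resolved against the host file_contexts, but dev="overlay" shows the object lives in the container's overlay mount under /var/lib/rkt, so restorecon on the host's /usr/lib/systemd/systemd correctly changes nothing. The script below is an added example, not part of the bug report or of audit2allow itself. It parses the AVC record from the report (embedded as a constructed string), extracts the target type from tcontext, compares it with the type a small constructed stand-in for file_contexts would expect for that path, and only reports a host mislabel when the path is on a host device. The FILE_CONTEXTS table, the NON_HOST_DEVS set and all function names are assumptions made for the example; real audit2allow consults libselinux for the expected label.

```python
import re

# Constructed sample: the AVC record from the bug report, spacing preserved.
SAMPLE_AVC = (
    'type=AVC msg=audit(1461174118.340:6117): avc:  denied  { entrypoint } for  '
    'pid=3232 comm="systemd-nspawn" path="/usr/lib/systemd/systemd" dev="overlay" '
    'ino=263237 scontext=system_u:system_r:svirt_lxc_net_t:s0:c142,c457 '
    'tcontext=staff_u:object_r:rkt_var_lib_t:s0 tclass=file permissive=1'
)

# Hypothetical stand-in for the host file_contexts database (assumption):
# path regex -> expected SELinux type. Real tooling asks libselinux instead.
FILE_CONTEXTS = [
    (r'^/usr/lib/systemd/systemd$', 'init_exec_t'),
    (r'^/var/lib/rkt(/.*)?$', 'rkt_var_lib_t'),
]

# Filesystem names that are not host block devices (assumption for the
# example). A path reported on one of these is relative to a container or
# mount-namespace root, not to the host root.
NON_HOST_DEVS = {'overlay', 'tmpfs'}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value, value may be quoted
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')   # the "{ perm perm }" set


def parse_avc(line):
    """Return the key=value fields of one AVC record plus the denied perms."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    perms = PERMS_RE.search(line)
    fields['perms'] = set(perms.group(1).split()) if perms else set()
    return fields


def context_type(ctx):
    """Third component of user:role:type[:mls] is the SELinux type."""
    return ctx.split(':')[2]


def expected_type(path):
    """Look the path up in the constructed file_contexts table."""
    for pattern, stype in FILE_CONTEXTS:
        if re.match(pattern, path):
            return stype
    return None


def classify(line):
    """Decide what the tcontext of an AVC record actually tells us.

    'host_mislabel'   path is on a host device and its type differs from
                      file_contexts: restorecon on that path would help.
    'container_mount' path is on overlay/tmpfs, so the host path is not the
                      object that was denied and restorecon on the host path
                      is a no-op (the situation in this bug).
    'labels_match'    the target already carries the expected type.
    'unknown_path'    file_contexts has no entry for the path.
    """
    avc = parse_avc(line)
    actual = context_type(avc['tcontext'])
    expected = expected_type(avc['path'])
    if expected is None:
        return 'unknown_path'
    if actual == expected:
        return 'labels_match'
    if avc.get('dev') in NON_HOST_DEVS:
        return 'container_mount'
    return 'host_mislabel'


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(avc['comm'], avc['path'], avc['dev'], sorted(avc['perms']))
    print(context_type(avc['scontext']), '->', context_type(avc['tcontext']))
    print(classify(SAMPLE_AVC))
```

Run stand-alone it prints the parsed fields and reports the bug's AVC as a container-mount case; swapping dev="overlay" for a real block device in the sample turns the same record into a genuine host mislabel, which is the only case where the restorecon advice applies.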

Comment 2 Robin Powell 2016-04-22 06:54:51 UTC
Ah!  I think you must be correct.

In fact, with --no-overlay (per the other ticket), this doesn't even come up, and it's certainly not an issue with my actual systemd, so nevermind, sorry about that.

Comment 3 Lukas Vrabec 2016-04-22 07:51:52 UTC
Hi Robin, 

So everything working now? Can we close this BZ?