Bug 1391118

Summary: Attempt to start a container via systemd-nspawn@.service results in 'Access denied'
Product: Red Hat Enterprise Linux 7
Reporter: Frantisek Sumsal <fsumsal>
Component: systemd
Assignee: systemd-maint
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: dwalsh, g.d0b3rm4n, lvrabec, mmalik, plautrba, pvrabec, ssekidde, systemd-maint-list
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Clones: 1481971 1481972 1481973
Last Closed: 2021-01-15 07:28:09 UTC
Type: Bug
Bug Blocks: 1481971, 1481972, 1481973, 1481974, 1481975, 1643936

Description Frantisek Sumsal 2016-11-02 15:28:44 UTC
Description of problem:
systemd-nspawn container fails to boot when executed via systemd-nspawn@.service due to SELinux restrictions. This worked on RHEL 7.2, but fails on RHEL 7.3. It looks pretty similar to BZ#1369541.

Version-Release number of selected component (if applicable):
systemd-libs-219-30.el7.x86_64
libselinux-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
systemd-219-30.el7.x86_64
systemd-sysv-219-30.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7.noarch

How reproducible:
always

Steps to Reproduce:
# yum -y install policycoreutils-python
# mkdir -p /var/lib/machines/rhel7
# yum -y --nogpgcheck --installroot /var/lib/machines/rhel7 groupinstall minimal
# semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/machines/rhel7(/.*)?'
# restorecon -R /var/lib/machines/rhel7
# timeout 10 systemd-nspawn -b --machine rhel7
# systemctl start systemd-nspawn@rhel7
# systemctl status systemd-nspawn@rhel7

Actual results:
# systemctl status systemd-nspawn@rhel7
● systemd-nspawn - Container rhel7
   Loaded: loaded (/usr/lib/systemd/system/systemd-nspawn@.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-11-02 11:23:07 EDT; 7s ago
     Docs: man:systemd-nspawn(1)
  Process: 4310 ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --machine=%I (code=exited, status=1/FAILURE)
 Main PID: 4310 (code=exited, status=1/FAILURE)
   Status: "Terminating..."

Nov 02 11:23:07 qeos-234.lab.eng.rdu2.redhat.com systemd[1]: Starting Container rhel7...
Nov 02 11:23:07 qeos-234.lab.eng.rdu2.redhat.com systemd[1]: systemd-nspawn: main process exited, code=exited, status=1/FAILURE
Nov 02 11:23:07 qeos-234.lab.eng.rdu2.redhat.com systemd-nspawn[4310]: Failed to register machine: Access denied
Nov 02 11:23:07 qeos-234.lab.eng.rdu2.redhat.com systemd[1]: Failed to start Container rhel7.
Nov 02 11:23:07 qeos-234.lab.eng.rdu2.redhat.com systemd[1]: Unit systemd-nspawn entered failed state.
Nov 02 11:23:07 qeos-234.lab.eng.rdu2.redhat.com systemd[1]: systemd-nspawn failed.

Expected results:
# systemctl status systemd-nspawn@rhel7
● systemd-nspawn - Container rhel7
   Loaded: loaded (/usr/lib/systemd/system/systemd-nspawn@.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-11-02 11:18:11 EDT; 37s ago
     Docs: man:systemd-nspawn(1)
 Main PID: 10021 (systemd-nspawn)
   Status: "Container running.
...

Additional info:
AVC generated by systemd-nspawn@.service:

type=SYSCALL msg=audit(11/02/2016 11:23:07.843:390) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7fff3fd5d5d0 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=1 pid=2849 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(11/02/2016 11:23:07.843:390) : avc:  denied  { search } for  pid=2849 comm=systemd-machine name=4311 dev="proc" ino=27330 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir

Comment 2 Milos Malik 2016-11-04 06:39:24 UTC
The reproducer causes following SELinux denials in enforcing mode:
----
type=USER_AVC msg=audit(11/04/2016 02:35:38.693:402) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=root uid=root gid=root path=/run/systemd/system/machine-rhel7.scope cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=PATH msg=audit(11/04/2016 02:35:47.010:403) : item=0 name=/proc/4360/cgroup objtype=UNKNOWN 
type=CWD msg=audit(11/04/2016 02:35:47.010:403) :  cwd=/ 
type=SYSCALL msg=audit(11/04/2016 02:35:47.010:403) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7ffd08338fa0 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=2897 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(11/04/2016 02:35:47.010:403) : avc:  denied  { search } for  pid=2897 comm=systemd-machine name=4360 dev="proc" ino=27883 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir 
----

Comment 3 Milos Malik 2016-11-04 06:42:14 UTC
The reproducer causes following SELinux denials in permissive mode:
----
type=USER_AVC msg=audit(11/04/2016 02:40:06.344:483) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=root uid=root gid=root path=/run/systemd/system/machine-rhel7.scope cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=PATH msg=audit(11/04/2016 02:40:59.555:486) : item=0 name=/proc/5740/cgroup inode=33500 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:unconfined_service_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/04/2016 02:40:59.555:486) :  cwd=/ 
type=SYSCALL msg=audit(11/04/2016 02:40:59.555:486) : arch=x86_64 syscall=open success=yes exit=8 a0=0x7ffc760fd720 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=5746 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(11/04/2016 02:40:59.555:486) : avc:  denied  { open } for  pid=5746 comm=systemd-machine path=/proc/5740/cgroup dev="proc" ino=33500 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file 
type=AVC msg=audit(11/04/2016 02:40:59.555:486) : avc:  denied  { read } for  pid=5746 comm=systemd-machine name=cgroup dev="proc" ino=33500 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file 
type=AVC msg=audit(11/04/2016 02:40:59.555:486) : avc:  denied  { search } for  pid=5746 comm=systemd-machine name=5740 dev="proc" ino=33324 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(11/04/2016 02:40:59.556:487) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x8 a1=0x7ffc760fd5a0 a2=0x7ffc760fd5a0 a3=0x0 items=0 ppid=1 pid=5746 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(11/04/2016 02:40:59.556:487) : avc:  denied  { getattr } for  pid=5746 comm=systemd-machine path=/proc/5740/cgroup dev="proc" ino=33500 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file 
----
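As an added example (not part of the bug report or of systemd), the following Python parser turns the AVC and USER_AVC records quoted in comments 2 and 3 into a per-(source type, target type, class) summary of denied permissions, the same grouping audit2allow works from, so the gap between systemd_machined_t and the unconfined_service_t process it tries to inspect can be read off for triage rather than pasted blindly into a local policy module. The sample records are constructed from the comment above and trimmed to the fields the parser needs.

```python
import re

# Constructed sample: a USER_AVC emitted by systemd (pid 1), a kernel AVC and the
# SYSCALL record that goes with it, copied from comment 2 of the bug and trimmed.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(11/04/2016 02:35:38.693:402) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=root uid=root gid=root path=/run/systemd/system/machine-rhel7.scope cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=AVC msg=audit(11/04/2016 02:35:47.010:403) : avc:  denied  { search } for  pid=2897 comm=systemd-machine name=4360 dev="proc" ino=27883 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
type=SYSCALL msg=audit(11/04/2016 02:35:47.010:403) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) comm=systemd-machine
"""

# Both kernel AVCs and USER_AVCs carry the same "avc: denied { perms } ... scontext= tcontext= tclass=" shape.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # user:role:type[:level] -> type
    return context.split(":")[2]

def parse_avcs(text):
    """Return one dict per AVC/USER_AVC record; SYSCALL, PATH and CWD records are skipped."""
    out = []
    for line in text.splitlines():
        if not (line.startswith("type=AVC ") or line.startswith("type=USER_AVC ")):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append({
            "kind": "USER_AVC" if line.startswith("type=USER_AVC") else "AVC",
            "result": m.group("result"),
            "perms": sorted(m.group("perms").split()),
            "source": selinux_type(m.group("scontext")),
            "target": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return out

def missing_rules(records):
    """Collapse denials into (source, target, class) -> sorted permissions,
    i.e. the shape of the allow rules a policy fix would have to cover."""
    merged = {}
    for r in records:
        if r["result"] != "denied":
            continue
        key = (r["source"], r["target"], r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    return {k: sorted(v) for k, v in merged.items()}
```

On a live host the same functions can be fed the output of `ausearch -m AVC,USER_AVC -i`, which is the interpreted format the bug's records are in.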

Comment 6 Daniel Walsh 2018-04-30 10:39:55 UTC
Changing the label of systemd-nspawn to container_runtime_exec_t would be a step in the right direction, since it would at least run services launched by systemd as container_runtime_t.  Then we could run transition rules that would allow it to transition from container_runtime_t to spc_t.  
Getting systemd-nspawn to handle transitions to container_t would be good, but podman and docker take advantage of COW file systems implemented in container/storage.  While I believe that systemd-nspawn requires the user to set up the storage and therefore the labeling by herself.

Comment 7 David Tardon 2020-01-02 09:41:17 UTC
*** Bug 1481971 has been marked as a duplicate of this bug. ***

Comment 9 RHEL Program Management 2021-01-15 07:28:09 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.