Bug 1416540

Summary: machinectl user experience is completely broken
Product: Fedora
Reporter: Germano Massullo <germano.massullo>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: Ben Levenson <benl>
Severity: high
Priority: unspecified
Version: 29
CC: alan.christopher.jenkins, amessina, dustymabe, dwalsh, enrico.tagliavini, fedora, gary.tierney, gujemutu, harald, kay, mathieu-acct, mschmidt, philip, ssahani, systemd-maint, taocrismon
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-04-02 16:42:08 UTC
Type: Bug
Attachments: audit.log (flags: none)

Description Germano Massullo 2017-01-25 18:36:41 UTC
Version-Release number of selected component (if applicable):
selinux-policy.noarch                  3.13.1-225.3.fc25               @updates 
selinux-policy-targeted.noarch         3.13.1-225.3.fc25               @updates 


Description of problem:
# machinectl login foo
# machinectl start foo
# machinectl stop foo
user experience is completely broken due to SELinux denials.


# ausearch -c 'machine'
----
time->Wed Jan 25 19:14:08 2017
type=AVC msg=audit(1485368048.890:12384): avc:  denied  { search } for  pid=27120 comm="systemd-machine" name="2465" dev="proc" ino=5639308 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
----
time->Wed Jan 25 19:20:04 2017
type=AVC msg=audit(1485368404.674:12546): avc:  denied  { search } for  pid=27120 comm="systemd-machine" name="3230" dev="proc" ino=5647183 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
----
time->Wed Jan 25 19:23:39 2017
type=AVC msg=audit(1485368619.692:12551): avc:  denied  { search } for  pid=27120 comm="systemd-machine" name="3244" dev="proc" ino=5649597 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
----
time->Wed Jan 25 19:23:39 2017
type=AVC msg=audit(1485368619.692:12552): avc:  denied  { read } for  pid=27120 comm="systemd-machine" name="cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:23:39 2017
type=AVC msg=audit(1485368619.692:12553): avc:  denied  { open } for  pid=27120 comm="systemd-machine" path="/proc/3244/cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:23:39 2017
type=AVC msg=audit(1485368619.692:12554): avc:  denied  { getattr } for  pid=27120 comm="systemd-machine" path="/proc/3244/cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.903:12602): avc:  denied  { sys_ptrace } for  pid=27120 comm="systemd-machine" capability=19  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.904:12603): avc:  denied  { read } for  pid=27120 comm="systemd-machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.905:12604): avc:  denied  { sys_admin } for  pid=3424 comm="systemd-machine" capability=21  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.905:12605): avc:  denied  { sys_chroot } for  pid=3424 comm="systemd-machine" capability=18  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.905:12606): avc:  denied  { setgid } for  pid=3424 comm="systemd-machine" capability=6  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.905:12607): avc:  denied  { setuid } for  pid=3424 comm="systemd-machine" capability=7  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.906:12608): avc:  denied  { read } for  pid=3424 comm="systemd-machine" name="ptmx" dev="tmpfs" ino=5647227 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.906:12609): avc:  denied  { open } for  pid=3424 comm="systemd-machine" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.911:12610): avc:  denied  { write } for  pid=3428 comm="systemd-machine" name="system_bus_socket" dev="tmpfs" ino=5649679 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.903:12601): avc:  denied  { read } for  pid=27120 comm="systemd-machine" name="mnt" dev="proc" ino=5648333 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jan 25 19:25:30 2017
type=AVC msg=audit(1485368730.181:12645): avc:  denied  { signal } for  pid=27120 comm="systemd-machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
----
time->Wed Jan 25 19:25:30 2017
type=AVC msg=audit(1485368730.181:12644): avc:  denied  { kill } for  pid=27120 comm="systemd-machine" capability=5  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:25:42 2017
type=AVC msg=audit(1485368742.376:12655): avc:  denied  { open } for  pid=27120 comm="systemd-machine" path="/proc/3553/cgroup" dev="proc" ino=5654799 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:25:42 2017
type=AVC msg=audit(1485368742.376:12656): avc:  denied  { getattr } for  pid=27120 comm="systemd-machine" path="/proc/3553/cgroup" dev="proc" ino=5654799 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
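
A small triage helper, added here as an example and not part of the report or of selinux-policy: it parses AVC lines in the format shown above, groups the denied permissions by source type, target type and object class into candidate allow rules (the same aggregation audit2allow performs), records whether any line in a group was an enforced denial (permissive=0) rather than a logged one (permissive=1), and flags groups that would grant high-privilege capabilities such as sys_admin or sys_ptrace, so a reviewer sees them before they end up in a local module. The sample lines are copied from the report; the list of capabilities treated as high-privilege is the example's own choice.

```python
"""Triage SELinux AVC denials: group them into candidate allow rules and flag risky ones."""
import re

# Sample input: AVC lines copied from the bug report above (the list itself is assembled here).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1485368048.890:12384): avc:  denied  { search } for  pid=27120 comm="systemd-machine" name="2465" dev="proc" ino=5639308 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1485368619.692:12552): avc:  denied  { read } for  pid=27120 comm="systemd-machine" name="cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1485368619.692:12553): avc:  denied  { open } for  pid=27120 comm="systemd-machine" path="/proc/3244/cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1485368656.903:12602): avc:  denied  { sys_ptrace } for  pid=27120 comm="systemd-machine" capability=19  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1',
    'type=AVC msg=audit(1485368656.905:12604): avc:  denied  { sys_admin } for  pid=3424 comm="systemd-machine" capability=21  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1',
    'type=AVC msg=audit(1485368656.906:12609): avc:  denied  { open } for  pid=3424 comm="systemd-machine" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(1485368730.181:12645): avc:  denied  { signal } for  pid=27120 comm="systemd-machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1',
]

# "avc:  denied  { perm1 perm2 }" -> the set of denied permissions
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs, with or without double quotes around the value
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Capabilities whose grant is close to full control of the host; review before allowing.
# This list is the example's own choice, not something selinux-policy defines.
HIGH_PRIV_CAPS = {"sys_admin", "sys_ptrace", "sys_module"}


def parse_avc(line):
    """Return the AVC fields as a dict (with a 'perms' set), or None for non-AVC lines."""
    match = DENIED_RE.search(line)
    if not match:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    fields["perms"] = set(match.group(1).split())
    return fields


def type_of(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target type, class); note enforced ones."""
    summary = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "enforced": False})
        entry["perms"] |= avc["perms"]
        # permissive=0 means the kernel really refused the access (enforcing mode).
        if avc.get("permissive") == "0":
            entry["enforced"] = True
    return summary


def allow_rules(summary):
    """Render each group as a policy-language allow rule, as audit2allow would."""
    rules = []
    for (src, tgt, cls), entry in sorted(summary.items()):
        target = "self" if src == tgt else tgt
        perms = " ".join(sorted(entry["perms"]))
        rules.append(f"allow {src} {target}:{cls} {{ {perms} }};")
    return rules


def risky_rules(summary):
    """Keys of groups that grant a high-privilege capability (review before allowing)."""
    return [
        key for key, entry in summary.items()
        if key[2] in ("capability", "cap_userns") and entry["perms"] & HIGH_PRIV_CAPS
    ]


if __name__ == "__main__":
    result = summarize(SAMPLE_AVCS)
    for rule in allow_rules(result):
        print(rule)
    for key in risky_rules(result):
        print("REVIEW: high-privilege capability grant for", key)
```

Run on the sample lines the helper prints five candidate rules and flags the cap_userns group: the sys_ptrace and sys_admin denials mean machined is asking for capabilities inside a user namespace that a blanket rule such as `(cap_userns (all))` would hand over wholesale, which is exactly the sort of over-broad local policy comment 4 below worries about. Only the first sample line (the `search` on a /proc pid directory) is an enforced denial; the rest were recorded with permissive=1, i.e. logged but not blocked.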

Comment 1 Germano Massullo 2017-01-25 23:59:20 UTC
Created attachment 1244512 [details]
audit.log

User sfix helped me with some tries. At the end of them we managed to use

# machinectl start foo
# machinectl stop foo

but

# machinectl login foo

still does not work.

We inserted

; new file type for the systemd-nspawn@.service unit file
(type nspawn_unit_file_t)
(roletype object_r nspawn_unit_file_t)
(typeattributeset systemd_unit_file_type nspawn_unit_file_t)
(typeattributeset file_type nspawn_unit_file_t)
(context nspawn_unit_file_context (system_u object_r nspawn_unit_file_t ((s0) (s0))))
(filecon "/usr/lib/systemd/system/systemd\-nspawn@\.service" file nspawn_unit_file_context)
; rules for the denials seen above
(allow systemd_machined_t spc_t (process (signal)))
(allow systemd_machined_t self (cap_userns (all)))
(allow systemd_machined_t nspawn_unit_file_t (service (all)))

into machined_patch.cil
then
# semodule -i machined_patch.cil
# restorecon -vF /usr/lib/systemd/system/systemd-nspawn@.service

and tried playing with
# machinectl start foo
# machinectl login foo
# machinectl stop foo

I attach /var/log/audit/audit.log

Comment 2 Gary Tierney 2017-01-26 00:14:04 UTC
Based on the above policy that we created after stepping through the previous AVCs in the initial report, it seems to me when machined wants these access vectors:

type=AVC msg=audit(1485387994.833:13154): avc:  denied  { read } for  pid=7456 comm="systemd-machine" name="ptmx" dev="tmpfs" ino=5689160 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_runtime_tmpfs_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1485387994.833:13155): avc:  denied  { open } for  pid=7456 comm="systemd-machine" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1485387994.838:13156): avc:  denied  { write } for  pid=7460 comm="systemd-machine" name="system_bus_socket" dev="tmpfs" ino=5694845 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_runtime_tmpfs_t:s0 tclass=sock_file permissive=1

that it should be running in the container_runtime_t domain (or an equivalent for nspawn; currently systemd-nspawn has no private type in Fedora's policy).

container_runtime_t has permissions on these access vectors:
> $ sesearch -ACS -d -s container_runtime_t -t container_runtime_tmpfs_t
Found 6 semantic av rules:
   allow container_runtime_t container_runtime_tmpfs_t : dir { ioctl read write create getattr setattr lock relabelfrom unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow container_runtime_t container_runtime_tmpfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; 
   allow container_runtime_t container_runtime_tmpfs_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ; 
   allow container_runtime_t container_runtime_tmpfs_t : chr_file { ioctl read write create getattr setattr lock append unlink link rename mounton open } ; 
   allow container_runtime_t container_runtime_tmpfs_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow container_runtime_t container_runtime_tmpfs_t : blk_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

I have limited experience with machined and user namespaces, so the above is based on an observation of the current container-selinux policy.

Comment 3 verdre 2017-07-17 09:59:35 UTC
Still not fixed in Fedora 26, please change the version to 26.
This makes systemd-nspawn completely unusable without disabling selinux.

Comment 4 gujemutu 2017-08-09 14:21:42 UTC
I too would like to voice my support for this bug. It is understandable that something like machinectl trips SELinux, but that makes it all the more important that a fine-grained SELinux policy is supplied on installation.

In the current situation users must disable SELinux or at best (I don't know) apply some overly broad SELinux policy, potentially leaving them open to rogue containers.

Comment 5 Fedora End Of Life 2018-05-03 08:15:25 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 6 Jan Kurik 2018-08-14 10:31:26 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 7 Lukas Vrabec 2019-04-02 16:42:08 UTC

*** This bug has been marked as a duplicate of bug 1257990 ***