Bug 1827467

Summary: systemd-nspawn -U changes owner of host's /sys/fs/selinux
Product: Fedora
Reporter: Anthony Messina <amessina>
Component: systemd
Assignee: systemd-maint
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 31
CC: lnykryn, msekleta, ssahani, s, systemd-maint, zbyszek
Hardware: x86_64
OS: Linux
Fixed In Version: systemd-245.6-2.fc32
Last Closed: 2020-06-05 02:29:29 UTC
Type: Bug
Embargoed:

Description Anthony Messina 2020-04-24 02:27:42 UTC
Reported upstream: https://github.com/systemd/systemd/issues/15475

Please backport to F31 & F32: https://github.com/systemd/systemd/pull/15533


systemd version the issue has been seen with

systemd 243 (v243.8-1.fc31)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Used distribution

Fedora 31 x86_64

Expected behaviour you didn't see

systemd-nspawn container mounts /sys/fs/selinux and doesn't change the owner on the host, which looks like the following:

# ll -Z /sys/fs
total 0
drwx-----T. 2 root root system_u:object_r:bpf_t:s0      0 Apr 18 13:46 bpf
dr-xr-xr-x. 6 root root system_u:object_r:cgroup_t:s0   0 Apr 18 14:03 cgroup
drwxr-xr-x. 7 root root system_u:object_r:sysfs_t:s0    0 Apr 18 15:30 ext4
drwxr-xr-x. 3 root root system_u:object_r:sysfs_t:s0    0 Apr 18 13:46 fuse
drwxr-xr-x. 3 root root system_u:object_r:sysfs_t:s0    0 Apr 18 13:46 nfs
drwxr-x---. 2 root root system_u:object_r:pstore_t:s0   0 Apr 18 13:46 pstore
drwxr-xr-x. 7 root root system_u:object_r:security_t:s0 0 Apr 18 13:46 selinux

Unexpected behaviour you saw

systemd-nspawn changes the owner of the host's /sys/fs/selinux directory and looks like the following:

# ll -Z /sys/fs
total 0
drwx-----T. 2 root      root      system_u:object_r:bpf_t:s0      0 Apr 18 13:46 bpf
dr-xr-xr-x. 6 root      root      system_u:object_r:cgroup_t:s0   0 Apr 18 14:03 cgroup
drwxr-xr-x. 7 root      root      system_u:object_r:sysfs_t:s0    0 Apr 18 15:30 ext4
drwxr-xr-x. 3 root      root      system_u:object_r:sysfs_t:s0    0 Apr 18 13:46 fuse
drwxr-xr-x. 3 root      root      system_u:object_r:sysfs_t:s0    0 Apr 18 13:46 nfs
drwxr-x---. 2 root      root      system_u:object_r:pstore_t:s0   0 Apr 18 13:46 pstore
drwxr-xr-x. 7 277413888 277413888 system_u:object_r:security_t:s0 0 Apr 18 13:46 selinux

Steps to reproduce the problem

strace -f --output strace.txt -DDD  systemd-nspawn --link-journal=try-guest --settings=override --machine=fedora -L system_u:object_r:systemd_nspawn_file_t:s0:c77.c78 -Z system_u:system_r:systemd_nspawn_t:s0:c77.c78 -U

strace output

15074 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
15074 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
15079 mkdir("/var/lib/machines/fedora/sys/fs/selinux", 0755) = 0
15079 lchown("/var/lib/machines/fedora/sys/fs/selinux", 277413888, 277413888) = 0
15079 mount("/sys/fs/selinux", "/var/lib/machines/fedora/sys/fs/selinux", NULL, MS_BIND, NULL) = 0
15079 mkdir("/var/lib/machines/fedora/sys/fs/selinux", 0755) = -1 EEXIST (File exists)
15079 lchown("/var/lib/machines/fedora/sys/fs/selinux", 277413888, 277413888) = 0
15079 mount(NULL, "/var/lib/machines/fedora/sys/fs/selinux", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
15090 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RDONLY|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
15090 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0
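The strace above shows the defect as an ordering problem: the second lchown() runs after /sys/fs/selinux has been bind-mounted onto the directory, so it changes the owner of the host's selinuxfs root rather than of the container's placeholder directory. Here is an added example (not code from the report or from systemd) that walks an strace log and flags any successful chown of a path that is, at that point, a live mount target; the sample trace is constructed from the report's own lines.

```python
import re

# Constructed sample: the relevant lines from the report's strace excerpt
# (the PID, path and the shifted UID/GID are the report's own values).
SAMPLE_TRACE = """\
15079 mkdir("/var/lib/machines/fedora/sys/fs/selinux", 0755) = 0
15079 lchown("/var/lib/machines/fedora/sys/fs/selinux", 277413888, 277413888) = 0
15079 mount("/sys/fs/selinux", "/var/lib/machines/fedora/sys/fs/selinux", NULL, MS_BIND, NULL) = 0
15079 mkdir("/var/lib/machines/fedora/sys/fs/selinux", 0755) = -1 EEXIST (File exists)
15079 lchown("/var/lib/machines/fedora/sys/fs/selinux", 277413888, 277413888) = 0
15079 mount(NULL, "/var/lib/machines/fedora/sys/fs/selinux", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
"""

# "<pid> <syscall>(<args>) = <retval>"; any trailing errno text is ignored.
LINE_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+)')


def split_args(s):
    """Split an strace argument list on top-level commas, honouring quotes and braces."""
    args, cur, depth, quoted = [], [], 0, False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in '{[}]':
            depth += 1 if ch in '{[' else -1
        if ch == ',' and not quoted and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append(''.join(cur).strip())
    return [a[1:-1] if a.startswith('"') else a for a in args]


def chowns_on_mount_targets(trace):
    """Return [(line_no, path, uid, gid)] for every successful lchown/chown whose
    path is already the target of a mount earlier in the trace. Such a call hits
    the root of the mounted filesystem (here the host's selinuxfs), not the
    directory underneath it."""
    mounted, hits = set(), []
    for line_no, line in enumerate(trace.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or int(m.group(4)) < 0:   # unparsable or failed call: no effect
            continue
        call, args = m.group(2), split_args(m.group(3))
        if call == 'mount':
            mounted.add(args[1])           # mount(source, target, ...)
        elif call in ('lchown', 'chown') and args[0] in mounted:
            hits.append((line_no, args[0], int(args[1]), int(args[2])))
    return hits
```

Running it over a full `strace -f` output of the reproducer command above reports the line of the offending lchown() and the shifted UID/GID it applied.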

Comment 1 Anthony Messina 2020-04-28 23:07:33 UTC
Fix committed to master upstream: https://github.com/systemd/systemd/commit/dcff2fa5d16f01edd774cd9dbc21fa4385af65bb

Comment 2 Fedora Update System 2020-05-31 10:54:11 UTC
FEDORA-2020-dd43dd05b1 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1

Comment 3 Fedora Update System 2020-06-01 03:12:32 UTC
FEDORA-2020-dd43dd05b1 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-dd43dd05b1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Anthony Messina 2020-06-01 15:46:59 UTC
See https://github.com/systemd/systemd/issues/16032

systemd-nspawn[312147]: Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora/sys/fs/selinux (MS_BIND "")...
systemd-nspawn[312147]: Failed to mount /sys/fs/selinux (type n/a) on /var/lib/machines/fedora/sys/fs/selinux (MS_BIND ""): No such file or directory
systemd-nspawn[312147]: Remounting /var/lib/machines/fedora/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND "")...
systemd-nspawn[312147]: Failed to mount n/a (type n/a) on /var/lib/machines/fedora/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): No such file or directory

Comment 5 Fedora Update System 2020-06-02 10:10:32 UTC
FEDORA-2020-dd43dd05b1 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1

Comment 6 Fedora Update System 2020-06-03 03:11:30 UTC
FEDORA-2020-dd43dd05b1 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-dd43dd05b1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2020-06-05 02:29:29 UTC
FEDORA-2020-dd43dd05b1 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.