Bug 1865748
| Summary: | SELinux prevents systemd-nspawn from launching a machine | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 33 | CC: | dwalsh, grepl.miroslav, lvrabec, mikhail.v.gavrilov, mmalik, plautrba, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.6-25.fc33 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-02 15:42:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1812955 | | |
| Bug Blocks: | | | |
hmm, the last connectto denials may be from other tasks.

This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.

The first set is already handled in bz#1862686, so addressing the second one.
https://github.com/fedora-selinux/selinux-policy/pull/407

*** Bug 1862681 has been marked as a duplicate of this bug. ***

*** Bug 1862682 has been marked as a duplicate of this bug. ***

*** Bug 1862684 has been marked as a duplicate of this bug. ***

*** Bug 1862685 has been marked as a duplicate of this bug. ***

*** Bug 1862690 has been marked as a duplicate of this bug. ***

The bugzillas were created for these domains: sshd_t policykit_t policykit_auth_t systemd_logind_t xdm_t NetworkManager_t auditd_t

commit 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date: Wed Aug 12 12:09:21 2020 +0200
Allow nsswitch_domain to connect to systemd-machined using a unix socket
Create the systemd_machined_stream_connect() interface.
Resolves: rhbz#1865748
*** Bug 1871022 has been marked as a duplicate of this bug. ***

FEDORA-2020-8f3381648b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b

FEDORA-2020-8f3381648b has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f3381648b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-8f3381648b has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
Description of problem:

mock with systemd-nspawn fails to launch a container with:

Start: dnf install
ERROR: Command failed:
# /usr/bin/systemd-nspawn -q -M 9ab7132cf8544ca890ca73ef8b87d2e1 -D /var/lib/mock/fedora-rawhide-x86_64-bootstrap/root -a --capability=cap_ipc_lock --bind=/tmp/mock-resolv.wt8f3hy0:/etc/resolv.conf --console=pipe --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/var/lib/mock/fedora-rawhide-x86_64/root/installation-homedir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin --setenv=PROMPT_COMMAND=printf "\033]0;<mock-chroot>\007" --setenv=PS1=<mock-chroot> \s-\v\$ --setenv=LANG=C.UTF-8 --setenv=CCACHE_DIR=/var/tmp/ccache --setenv=CCACHE_UMASK=002 --setenv=LC_MESSAGES=C.UTF-8 /usr/bin/dnf --installroot /var/lib/mock/fedora-rawhide-x86_64/root/ --releasever 33 --setopt=deltarpm=False --allowerasing --disableplugin=local --disableplugin=spacewalk install @buildsys-build --setopt=tsflags=nocontexts
Failed to register machine: Remote peer disconnected

audit.log shows:

type=AVC msg=audit(1596512865.138:910): avc: denied { write } for pid=197668 comm="systemd-machine" name="userdb" dev="tmpfs" ino=16428 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0

running in permissive mode adds the following as well:

type=AVC msg=audit(1596513507.964:962): avc: denied { add_name } for pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1596513507.964:963): avc: denied { create } for pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1596513705.972:1095): avc: denied { connectto } for pid=203100 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1596513706.023:1103): avc: denied { connectto } for pid=802 comm="systemd-logind" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-23.fc33.noarch
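An added triage helper, not part of this bug report or of the selinux-policy project, that parses the AVC records quoted in the description above, groups them into the (source type, target type, class) tuples the policy lacked, and separates the single enforcing-mode denial that actually broke machine registration from the follow-on denials that only appeared in permissive mode. The sample log is the five AVC lines from this report, re-wrapped one per line; the rendered allow rules are for comparison only and are not the interface the fix actually added.

```python
import re
from collections import defaultdict

# Sample input: the five AVC records quoted in this bug's description, re-wrapped one per line.
AUDIT_LOG = """\
type=AVC msg=audit(1596512865.138:910): avc: denied { write } for pid=197668 comm="systemd-machine" name="userdb" dev="tmpfs" ino=16428 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1596513507.964:962): avc: denied { add_name } for pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1596513507.964:963): avc: denied { create } for pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1596513705.972:1095): avc: denied { connectto } for pid=203100 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1596513706.023:1103): avc: denied { connectto } for pid=802 comm="systemd-logind" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def selinux_type(context):
    # A context is user:role:type[:range]; allow rules are written against the type.
    return context.split(":")[2]

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial (or a truncated one)
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }

def missing_rules(log):
    """Group denials by (source type, target type, class): each key is one allow rule the policy lacks."""
    rules = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)

def enforcing_blockers(log):
    """Only permissive=0 denials actually failed an operation; the rest were recorded after switching to permissive."""
    return [d for d in map(parse_avc, log.splitlines()) if d and not d["permissive"]]

def format_allow(rules):
    """Render the grouped denials as allow rules, to compare against what a policy change covers."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in rules.items())
```

Run against this log, the output shows two distinct gaps: systemd_machined_t writing its socket into the userdb runtime directory (the first set, handled in bz#1862686) and client domains connecting to that socket (the second set, addressed by this bug).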