Bug 1865748

Summary: SELinux prevents systemd-nspawn from launching a machine
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: 33
CC: dwalsh, grepl.miroslav, lvrabec, mikhail.v.gavrilov, mmalik, plautrba, vmojzis, zpytela
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.6-25.fc33
Last Closed: 2020-09-02 15:42:05 UTC
Type: Bug
Bug Depends On: 1812955

Description Orion Poplawski 2020-08-04 04:03:52 UTC
Description of problem:

mock with systemd-nspawn fails to launch a container with:

Start: dnf install
ERROR: Command failed: 
 # /usr/bin/systemd-nspawn -q -M 9ab7132cf8544ca890ca73ef8b87d2e1 -D /var/lib/mock/fedora-rawhide-x86_64-bootstrap/root -a --capability=cap_ipc_lock --bind=/tmp/mock-resolv.wt8f3hy0:/etc/resolv.conf --console=pipe --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/var/lib/mock/fedora-rawhide-x86_64/root/installation-homedir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin --setenv=PROMPT_COMMAND=printf "\033]0;<mock-chroot>\007" --setenv=PS1=<mock-chroot> \s-\v\$  --setenv=LANG=C.UTF-8 --setenv=CCACHE_DIR=/var/tmp/ccache --setenv=CCACHE_UMASK=002 --setenv=LC_MESSAGES=C.UTF-8 /usr/bin/dnf --installroot /var/lib/mock/fedora-rawhide-x86_64/root/ --releasever 33 --setopt=deltarpm=False --allowerasing --disableplugin=local --disableplugin=spacewalk install @buildsys-build --setopt=tsflags=nocontexts
Failed to register machine: Remote peer disconnected

audit.log shows:

type=AVC msg=audit(1596512865.138:910): avc:  denied  { write } for  pid=197668 comm="systemd-machine" name="userdb" dev="tmpfs" ino=16428 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0

Running in permissive mode adds the following as well:

type=AVC msg=audit(1596513507.964:962): avc:  denied  { add_name } for  pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1596513507.964:963): avc:  denied  { create } for  pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1596513705.972:1095): avc:  denied  { connectto } for  pid=203100 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1596513706.023:1103): avc:  denied  { connectto } for  pid=802 comm="systemd-logind" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-23.fc33.noarch

Comment 1 Orion Poplawski 2020-08-04 04:05:54 UTC
hmm, the last connectto denials may be from other tasks.

Comment 2 Ben Cotton 2020-08-11 15:34:18 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.

Comment 3 Zdenek Pytela 2020-08-12 11:52:29 UTC
The first set is already handled in bz#1862686, so addressing the second one.
https://github.com/fedora-selinux/selinux-policy/pull/407

Comment 4 Zdenek Pytela 2020-08-12 11:53:58 UTC
*** Bug 1862681 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2020-08-12 11:54:07 UTC
*** Bug 1862682 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2020-08-12 11:54:14 UTC
*** Bug 1862684 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2020-08-12 11:54:22 UTC
*** Bug 1862685 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2020-08-12 11:54:33 UTC
*** Bug 1862690 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2020-08-12 16:11:04 UTC
The bugzillas were created for these domains:

sshd_t
policykit_t
policykit_auth_t
systemd_logind_t
xdm_t
NetworkManager_t
auditd_t

Comment 10 Zdenek Pytela 2020-08-13 12:40:23 UTC
commit 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Wed Aug 12 12:09:21 2020 +0200

    Allow nsswitch_domain to connect to systemd-machined using a unix socket
    
    Create the systemd_machined_stream_connect() interface.
    
    Resolves: rhbz#1865748

Comment 11 Zdenek Pytela 2020-08-21 07:48:18 UTC
*** Bug 1871022 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2020-08-27 11:30:53 UTC
FEDORA-2020-8f3381648b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b

Comment 13 Fedora Update System 2020-08-27 19:05:12 UTC
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f3381648b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2020-09-02 15:42:05 UTC
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.