Bug 2161885

Summary: SELinux preventing systemd-network-generator from creating files in /run/systemd/network/
Product: Red Hat Enterprise Linux 9
Reporter: Nikita Dubrovskii (IBM) <ndubrovs>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED CURRENTRELEASE
QA Contact: Amith <apeetham>
Severity: medium
Priority: medium
Version: 9.0
CC: bugzilla, dustymabe, dwalsh, extras-qa, fzatlouk, gmarr, grepl.miroslav, jlebon, kevin, lravicha, lvrabec, mmalik, ndubrovs, omosnace, pkoncity, vmojzis, zbyszek, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Doc Type: No Doc Update
Story Points: ---
Clone Of: 2037047
Last Closed: 2023-04-26 19:06:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Nikita Dubrovskii (IBM) 2023-01-18 07:34:51 UTC
+++ This bug was initially created as a clone of Bug #2037047 +++

Description of problem:

If the kernel has arguments that are interpreted by systemd-network-generator, then systemd-network-generator.service will fail:

```
[core@localhost ~]$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux CoreOS"
VERSION_ID="4.12"
RHEL_VERSION="9.0"

[core@localhost ~]$ sudo rpm-ostree kargs --append="ip=10.0.2.15::10.0.2.2:255.255.255.0:rhcos:enc2:none" && sudo reboot

---- reboot ----

[core@localhost ~]$ systemctl status systemd-network-generator.service
Jan 17 09:58:34 localhost systemd-network-generator[805]: Failed to create unit file /run/systemd/network/90-enc2.network: Permission denied

[core@localhost ~]$ rpm -q selinux-policy
selinux-policy-34.1.29-1.el9_0.2.noarch

[core@localhost ~]$ rpm -q systemd
systemd-250-6.el9_0.1.s390x

[core@localhost ~]$ ls -Z /usr/lib/systemd/systemd-network-generator
system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd-network-generator

[core@localhost ~]$ ls -dZ /run/systemd/network/
system_u:object_r:net_conf_t:s0 /run/systemd/network/
```

How reproducible:

Always

Steps to Reproduce:
1. Start RHCOS 4.12
2. Add `ip=` to kernel command line arguments
3. See systemd-network-generator fail.

Actual results:

systemd-network-generator fails because it can't write to /run/systemd/network/

Expected results:

No failure

Additional info:
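The report shows the symptom (Permission denied from a process running out of an init_exec_t binary, i.e. in the init_t domain, writing under a net_conf_t directory) but not the AVC records behind it. The script below is an added example, not part of the bug report or of the selinux-policy project: it parses audit AVC denial lines and merges them into the allow rules the loaded policy is missing, which is the triage step an administrator takes before deciding whether a denial is a policy gap to report (as here) or a sign of misplaced trust. The audit lines embedded in it are constructed to match this report's contexts; the exact permissions (add_name on the directory, create on the file) are an assumption about what such a denial looks like, and the real fix remains the updated selinux-policy package, not a locally generated module.

```python
"""Summarise SELinux AVC denials as the allow rules the policy lacks.

Added example for triage illustration; the sample records are constructed to
match the symptom in the report (init_t writing into a net_conf_t directory)
and are not taken from the bug's own logs.
"""
import re
from collections import defaultdict

# Constructed sample of what /var/log/audit/audit.log is assumed to contain for
# this symptom. The SYSCALL line is present to show that non-AVC records are
# ignored by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1673949514.123:201): avc:  denied  { add_name } for  pid=805 comm="systemd-network-" name="90-enc2.network" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1673949514.123:201): avc:  denied  { create } for  pid=805 comm="systemd-network-" name="90-enc2.network" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1673949514.123:201): arch=c000003e syscall=257 success=no exit=-13
"""

# Matches the verdict, the permission set in braces, and the three context fields
# that decide the access check; permissive= is optional on older kernels.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a context written as user:role:type[:level]."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield one dict per AVC 'denied' record; other audit records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        yield {
            "perms": set(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # A denial logged with permissive=1 was not actually blocked.
            "enforced": m.group("permissive") != "1",
        }


def missing_rules(text):
    """Merge denials by (source type, target type, class) into allow rules.

    The result is deterministic (sorted) so it can be diffed between runs.
    """
    merged = defaultdict(set)
    for d in parse_avc(text):
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    # Expected output for the constructed sample:
    #   allow init_t net_conf_t:dir { add_name };
    #   allow init_t net_conf_t:file { create };
    for rule in missing_rules(SAMPLE_AUDIT):
        print(rule)
```

Run it against a real log with `python3 avc_triage.py < /var/log/audit/audit.log` after replacing `SAMPLE_AUDIT` with `sys.stdin.read()`; the merged rules tell you at a glance which domain is being stopped from touching which type, which is what to quote when reporting a policy bug like this one. Rules whose source is an unconfined or init domain touching configuration types are worth reading carefully rather than allowing wholesale.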

Comment 1 lravicha 2023-02-09 13:19:26 UTC
Hi, when do we expect a fix for this issue?
I am observing it on bringing up a RHCOS node as bootstrap for installing an OpenShift cluster.

On a side note, I am observing this on rhcos 412.90.202301101512-0 and not on rhcos 413.92.202302071516-0.
What was the fix, if so?

Related links:
https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/storage/browser?stream=4.13-9.2&arch=s390x
https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/storage/browser?stream=4.12-9.0&arch=s390x

Comment 2 Zdenek Pytela 2023-02-15 10:48:20 UTC
(In reply to lravicha from comment #1)
> Hi, when do we expect a fix for this issue?
> I am observing it on bringing up a RHCOS node as bootstrap for installing an
> OpenShift cluster.
> 
> On a side note, I am observing this on rhcos 412.90.202301101512-0 and not
> on rhcos 413.92.202302071516-0.
> What was the fix, if so?
> 
> Related links:
> https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/storage/browser?stream=4.13-9.2&arch=s390x
> https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/storage/browser?stream=4.12-9.0&arch=s390x

This issue has been addressed with selinux-policy-38.1.1-1 in RHEL 9.2.
If you need to backport it to an earlier release, please follow your organization workflow to request it and add justification.

Comment 3 lravicha 2023-02-16 15:24:16 UTC
Thanks, the fix with selinux-policy-38.1.1-1 in RHEL 9.2 sounds good atm.