Bug 2219398

Summary: selinux denies machinectl import-fs executing systemd-importd
Product: Fedora
Reporter: wuxxin
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 38
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Keywords: SELinux
Target Release: ---
Hardware: x86_64
OS: Linux

Description wuxxin 2023-07-03 13:24:09 UTC
On Fedora CoreOS stable (Fedora 38), x86_64 (38.20230609.3.0):

After making a file tree of an OS filesystem with mkosi,
I try to use `machinectl import-fs` to copy the directory tree to /var/lib/machines
for usage with systemd-nspawn, but because CoreOS uses SELinux in enforcing mode,
it breaks import-fs in a non-obvious way.

The command stalls at the copy operation, without any explanation or obvious error.
(machinectl calls systemd-import-fs, which then spawns systemd-importd, which gets denied by SELinux.)

As a workaround, simply copying the files with `cp -a` to /var/lib/machines succeeds.


Reproducible: Always

Steps to Reproduce:
```shell
# on coreos you have to layer in mkosi and apt
rpm-ostree install --assumeyes --idempotent --allow-inactive mkosi apt

# make dirs for mkosi
mkdir -p /etc/mkosi/debian-bookworm /var/lib/mkosi /var/cache/mkosi

# write a simple config for debian bookworm creation
# (each section header on its own line; the original was missing the newline after [Output])
printf "[Distribution]\nDistribution=debian\nRelease=bookworm\n[Output]\nFormat=directory\n[Packages]\n[Host]\n[Validation]\n" > /etc/mkosi/debian-bookworm/mkosi.conf

# call mkosi to make the file tree
mkosi -C /etc/mkosi/debian-bookworm -O /var/lib/mkosi --cache=/var/cache/mkosi build
mv /var/lib/mkosi/debian~bookworm /var/lib/mkosi/debian-bookworm

# works up to here

# fails: import filetree to nspawn /var/lib/machines
machinectl import-fs /var/lib/mkosi/debian-bookworm hello-nspawn
```

Actual Results:
The command does not finish, and hangs.

selinux audit log entries:
```
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1130 audit(1687265080.304:465): pid=1 uid=0 auid=4294967295 ses=4294967295
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" 
    name="systemd-import-fs" dev="dm-0" ino=14841116 
    scontext=system_u:system_r:systemd_importd_t:s0 
    tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8
    a1=7ffd102d2350 a2=5639dd7a91f0 a3=7ff68bdf8810 items=0 ppid=5022 pid=5023
    auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
    tty=(none) ses=4294967295 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd"
    subj=system_u:system_r:systemd_importd_t:s0 key=(null)
audit: PROCTITLE proctitle="(sd-transfer)"
(sd-transfer)[5023]: Failed to execute /usr/lib/systemd/systemd-import-fs tool: Permission denied
```


Expected Results:
The command finishes and has copied the files from /var/lib/mkosi/debian-bookworm to /var/lib/machines/hello-nspawn.

SELinux information for the related binaries:
```
-rwxr-xr-x. 4 root root system_u:object_r:systemd_importd_exec_t:s0 49824
     Jan  1  1970 /usr/lib/systemd/systemd-importd
-rwxr-xr-x. 4 root root system_u:object_r:init_exec_t:s0 33128 Jan  1  1970
    /usr/lib/systemd/systemd-import-fs
```
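As an added example (not part of the report, nor code from selinux-policy or systemd), the following script turns the AVC and SYSCALL records quoted above into the audit2allow-style rule they imply, and tags each rule with the failing binary and errno taken from the matching SYSCALL record by pid. The two records are copied from the report and joined onto single lines; the emitted rule is the mechanical translation of the denial, and the policy maintainer's actual fix may instead relabel the tool or add a domain transition.

```python
import errno
import re

# The AVC denial and its SYSCALL record from the report above, each record
# joined onto one line so the patterns below see whole records.
AUDIT_LINES = [
    'audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" '
    'name="systemd-import-fs" dev="dm-0" ino=14841116 '
    'scontext=system_u:system_r:systemd_importd_t:s0 '
    'tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0',
    'audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8 '
    'items=0 ppid=5022 pid=5023 auid=4294967295 uid=0 comm="(sd-transfer)" '
    'exe="/usr/lib/systemd/systemd-importd" subj=system_u:system_r:systemd_importd_t:s0',
]

AVC_RE = re.compile(
    r'AVC avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+).*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')
SYSCALL_RE = re.compile(
    r'SYSCALL .*?exit=(?P<exit>-?\d+).*?\bpid=(?P<pid>\d+).*?exe="(?P<exe>[^"]+)"')

def parse_avc(line):
    """Fields of one AVC record that determine the allow rule, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype, ttype = (m[k].split(":")[2] for k in ("scontext", "tcontext"))  # user:role:TYPE:level
    return {"pid": int(m["pid"]), "perms": sorted(m["perms"].split()),
            "stype": stype, "ttype": ttype, "tclass": m["tclass"],
            "enforced": m["permissive"] != "1"}  # permissive=0: the execve really failed

def parse_syscalls(lines):
    """pid -> {exe, errno} from SYSCALL records, so each denial names the failing binary."""
    out = {}
    for m in filter(None, map(SYSCALL_RE.search, lines)):
        code = abs(int(m["exit"]))  # exit=-13 is -EACCES
        out[int(m["pid"])] = {"exe": m["exe"], "errno": errno.errorcode.get(code, str(code))}
    return out

def denials_to_rules(lines):
    """One audit2allow-style rule per denial, annotated from its SYSCALL record."""
    syscalls, rules = parse_syscalls(lines), []
    for d in filter(None, map(parse_avc, lines)):
        perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
        sc = syscalls.get(d["pid"], {"exe": "?", "errno": "?"})
        tag = "" if d["enforced"] else " (permissive, not blocked)"
        rules.append(f'allow {d["stype"]} {d["ttype"]}:{d["tclass"]} {perms};'
                     f'  # pid {d["pid"]} {sc["exe"]} -> {sc["errno"]}{tag}')
    return rules
```

Running `denials_to_rules(AUDIT_LINES)` on the report's records yields `allow systemd_importd_t init_exec_t:file execute;` tagged with `/usr/lib/systemd/systemd-importd -> EACCES`, which matches the "Permission denied" message from the (sd-transfer) child.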