Bug 2219398

Summary: selinux denies machinectl import-fs executing systemd-importd
Product: Fedora
Reporter: wuxxin
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 38
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Keywords: SELinux
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2024-05-28 13:19:15 UTC

Description wuxxin 2023-07-03 13:24:09 UTC
On Fedora CoreOS stable (Fedora 38), x86_64 (38.20230609.3.0):

After making a file tree of an OS filesystem with mkosi,
I try to use `machinectl import-fs` to copy the directory tree to /var/lib/machines
for use with systemd-nspawn, but because CoreOS uses SELinux in enforcing mode,
it breaks import-fs in a non-obvious way.

The command stalls at the copy operation, without any explanation or obvious error.
(machinectl calls systemd-import-fs, which then spawns systemd-importd, which gets denied by SELinux.)

As a workaround, simply copying the files with `cp -a` to /var/lib/machines succeeds.


Reproducible: Always

Steps to Reproduce:
```shell
# on CoreOS you have to layer in mkosi and apt
rpm-ostree install --assumeyes --idempotent --allow-inactive mkosi apt

# make dirs for mkosi
mkdir -p /etc/mkosi/debian-bookworm /var/lib/mkosi /var/cache/mkosi

# write a simple config for Debian bookworm creation
# (each section header and key on its own line; the original printf lacked the
# newline between [Output] and Format=directory)
printf "[Distribution]\nDistribution=debian\nRelease=bookworm\n[Output]\nFormat=directory\n[Packages]\n[Host]\n[Validation]\n" \
    > /etc/mkosi/debian-bookworm/mkosi.conf

# call mkosi to make the file tree
mkosi -C /etc/mkosi/debian-bookworm -O /var/lib/mkosi --cache=/var/cache/mkosi build
mv /var/lib/mkosi/debian~bookworm /var/lib/mkosi/debian-bookworm

# works up to here

# fails: import filetree to nspawn /var/lib/machines
machinectl import-fs /var/lib/mkosi/debian-bookworm hello-nspawn
```
Actual Results:  
The command does not finish, and hangs.

selinux audit log entries:
```
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1130 audit(1687265080.304:465): pid=1 uid=0 auid=4294967295 ses=4294967295
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" 
    name="systemd-import-fs" dev="dm-0" ino=14841116 
    scontext=system_u:system_r:systemd_importd_t:s0 
    tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8
    a1=7ffd102d2350 a2=5639dd7a91f0 a3=7ff68bdf8810 items=0 ppid=5022 pid=5023
    auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
    tty=(none) ses=4294967295 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd"
    subj=system_u:system_r:systemd_importd_t:s0 key=(null)
audit: PROCTITLE proctitle="(sd-transfer)"
    (sd-transfer)[5023]: Failed to execute /usr/lib/systemd/systemd-import-fs 
    tool: Permission denied
```


Expected Results:  
The command finishes and has copied the files from /var/lib/mkosi/debian-bookworm to /var/lib/machines/hello-nspawn.

SELinux information for the related binaries:
```
-rwxr-xr-x. 4 root root system_u:object_r:systemd_importd_exec_t:s0 49824 Jan  1  1970 /usr/lib/systemd/systemd-importd
-rwxr-xr-x. 4 root root system_u:object_r:init_exec_t:s0 33128 Jan  1  1970 /usr/lib/systemd/systemd-import-fs
```
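The AVC record above contains everything needed to reason about the denial: the source domain (systemd_importd_t), the target type of the file being executed (init_exec_t), the object class and the denied permission, plus permissive=0 meaning the denial was actually enforced. The following is an added example, not code from the report or from selinux-policy, showing how to parse such records and derive the allow rule and .te module skeleton that audit2allow would produce from them. The first AVC line is the one from this report; the second denial and the module name local_importd are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC line quoted in this report, a second
# constructed denial for the same (source, target, class) so that permission
# merging is visible, and a non-AVC record that the parser must skip.
SAMPLE_AUDIT = """\
audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" name="systemd-import-fs" dev="dm-0" ino=14841116 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5031]: AVC avc:  denied  { read open } for  pid=5031 comm="(sd-transfer)" name="systemd-import-fs" dev="dm-0" ino=14841116 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"   # denied permission set
    r".*?scontext=(?P<scontext>\S+)"                 # source (process) context
    r"\s+tcontext=(?P<tcontext>\S+)"                 # target (object) context
    r"\s+tclass=(?P<tclass>\S+)"                     # object class
    r"(?:\s+permissive=(?P<permissive>[01]))?"       # 0 = enforced, 1 = permissive
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Extract each AVC denial as a dict; non-AVC audit records are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 would mean the access was logged but not blocked
            "enforced": m.group("permissive") != "1",
        })
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) into TE allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def te_module(name, denials):
    """Render a minimal .te policy module: require block plus allow rules."""
    types = sorted({d["source"] for d in denials} | {d["target"] for d in denials})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT)
    print(f"{len(found)} AVC denial(s), all enforced: {all(d['enforced'] for d in found)}")
    print(te_module("local_importd", found))
```

On a live system the same derivation is done with `ausearch -m avc -ts recent | audit2allow -M local_importd` followed by `semodule -i local_importd.pp`. Note what such a rule does and does not do: it lets the systemd_importd_t domain execute a file labelled init_exec_t without any domain transition, so the child keeps running in the importd domain. That is a local unblocking workaround to confirm the diagnosis, not necessarily the shape of the fix the distribution policy would adopt.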

Comment 3 Aoife Moloney 2024-05-28 13:19:15 UTC
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.