Bug 2290887

Summary: systemd-machined fails because SELinux blocks it binding to a socket
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: medium    
Version: rawhideCC: agurenko, dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zbyszek, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: openqa
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-06-20 18:36:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Williamson 2024-06-07 15:24:59 UTC 
With systemd-256~rc4-1.fc41 , systemd-machined.service fails due to an SELinux denial:

Jun 07 05:00:06 fedora audit[725]: AVC avc:  denied  { create } for  pid=725 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=sock_file permissive=0
Jun 07 05:00:06 fedora audit[725]: SYSCALL arch=c000003e syscall=49 success=no exit=-13 a0=b a1=7ffe9a1de5c0 a2=2a a3=0 items=0 ppid=1 pid=725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-machine" exe="/usr/lib/systemd/systemd-machined" subj=system_u:system_r:systemd_machined_t:s0 key=(null)
Jun 07 05:00:06 fedora audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-machined"
Jun 07 05:00:06 fedora systemd-machined[725]: Failed to bind to varlink socket: Permission denied
Jun 07 05:00:06 fedora systemd-machined[725]: Failed to fully start up daemon: Permission denied
Jun 07 05:00:06 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-machined comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jun 07 05:00:06 fedora systemd[1]: systemd-machined.service: Main process exited, code=exited, status=1/FAILURE
Jun 07 05:00:06 fedora systemd[1]: systemd-machined.service: Failed with result 'exit-code'.
Jun 07 05:00:06 fedora systemd[1]: Failed to start systemd-machined.service - Virtual Machine and Container Registration Service.

This caused the update to fail tests, so it's currently gated. https://bodhi.fedoraproject.org/updates/FEDORA-2024-b745d81444
Comment 1 Zbigniew Jędrzejewski-Szmek 2024-06-07 15:27:11 UTC 
It's probably the same as https://bugzilla.redhat.com/show_bug.cgi?id=2279923. It seems that the policy update was not successful.

I started a build with systemd with the previous work-around patch restored.
Comment 2 Zdenek Pytela 2024-06-10 07:14:25 UTC 
Well, it is a dup, but the fix was not accurate.
Unfortunately, we do not actually test machined features much.
Comment 3 Adam Williamson 2024-06-10 14:56:56 UTC 
I can easily run the openQA tests on a scratch build any time if you ask me, Zdenek.
Comment 4 Zdenek Pytela 2024-06-11 15:43:16 UTC 
(In reply to Adam Williamson from comment #3)
> I can easily run the openQA tests on a scratch build any time if you ask me,
> Zdenek.

Thanks for the offer, I think I already asked once when there was a complex change to make. There are a lot of changes happening right now and more planned, especially in packaging, so I'll do that again.

The problem is that when I know the change is intrusive or with big impact, I can do extended tests on my own, too, but this case was rather a mistake. Not testing some systemd services enough is just a different problem, we have tests at 2 places in the pipeline already.