Bug 2308177

Summary: read denial for /proc/sysinfo causes systemd-ssh-generator to fail
Product: [Fedora] Fedora
Reporter: JB Trystram <jtrystra>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 41
CC: awilliam, dustymabe, dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Hardware: s390x
OS: Linux
URL: https://github.com/coreos/fedora-coreos-tracker/issues/1786
Whiteboard: AcceptedFreezeException
Fixed In Version: selinux-policy-41.15-1.fc41
Last Closed: 2024-09-09 21:12:12 UTC
Bug Blocks: 2247866

Description JB Trystram 2024-08-27 14:58:33 UTC
systemd 256 ssh-generator looks for virtualisation info in /proc/sysinfo on s390x hosts.
The read operation is rejected and causes the service to fail.

Here is the audit entry:
```
[    8.111974] audit: type=1400 audit(1724677759.011:4): avc:  denied  { read } for  pid=1358 comm="systemd-ssh-gen" name="sysinfo" dev="proc" ino=4026531945 scontext=system_u:system_r:systemd_ssh_generator_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file permissive=0
```

Reproducible: Always

Steps to Reproduce:
Try to boot an s390x CoreOS VM with systemd 256

Actual Results:
/usr/lib/systemd/system-generators/systemd-ssh-generator failed with exit status 1.

Expected Results:
Everything starts properly

/proc/sysinfo seems to only exist on the s390x architecture: https://github.com/coreos/fedora-coreos-tracker/issues/1786#issuecomment-2312756441

Relevant code in systemd:

https://github.com/systemd/systemd/blob/9c0aee7cbbc82aa030ba9c78af1e7fd0ff520d27/src/ssh-generator/ssh-generator.c#L197 --> ... --> https://github.com/systemd/systemd/blob/9c0aee7cbbc82aa030ba9c78af1e7fd0ff520d27/src/basic/virt.c#L424-L445 where we clearly see the s390x-specific bits.

Comment 1 packager-dashboard-bot 2024-09-03 20:51:43 UTC
Proposed as a Freeze Exception for 41-beta by Fedora user jbtrystram using the blocker tracking app because:

 This causes systemd-ssh-generator to fail on s390x hosts.

It's already fixed in https://bodhi.fedoraproject.org/updates/FEDORA-2024-1597066f01 
I tested the fixed selinux-rpm and can confirm it solves the issue

Comment 2 Fedora Update System 2024-09-05 11:59:25 UTC
FEDORA-2024-1597066f01 (selinux-policy-41.15-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-1597066f01

Comment 3 Adam Williamson 2024-09-09 15:19:54 UTC
+4 in https://pagure.io/fedora-qa/blocker-review/issue/1639 , marking accepted.

Comment 4 Fedora Update System 2024-09-09 21:12:12 UTC
FEDORA-2024-1597066f01 (selinux-policy-41.15-1.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.