Description of problem:
Since the last update on 2016/08/22, SELinux is blocking startup of systemd-nspawn containers. No SELinux boolean looks appropriate or has any effect on this. The only way to start a systemd-nspawn container is by using "setenforce 0".

Version-Release number of selected component (if applicable):
systemd-229-13.fc24.x86_64
systemd-compat-libs-229-13.fc24.x86_64
systemd-container-229-13.fc24.x86_64
systemd-devel-229-13.fc24.x86_64
systemd-libs-229-13.fc24.i686
systemd-libs-229-13.fc24.x86_64
systemd-udev-229-13.fc24.x86_64
libselinux-2.5-9.fc24.i686
libselinux-2.5-9.fc24.x86_64
libselinux-devel-2.5-9.fc24.x86_64
libselinux-python-2.5-9.fc24.x86_64
libselinux-python3-2.5-9.fc24.x86_64
libselinux-utils-2.5-9.fc24.x86_64
rpm-plugin-selinux-4.13.0-0.rc1.27.fc24.x86_64
selinux-policy-3.13.1-191.12.fc24.noarch
selinux-policy-devel-3.13.1-191.12.fc24.noarch
selinux-policy-doc-3.13.1-191.12.fc24.noarch
selinux-policy-targeted-3.13.1-191.12.fc24.noarch

How reproducible:
Always.

Steps to Reproduce:
1. sudo systemd-nspawn -D /home/alex/containers/centos5/

Actual results:
[sudo] password for alex:
Spawning container centos5 on /home/alex/containers/centos5.
Press ^] three times within 1s to kill container.
Failed to register machine: Access denied

Expected results:
Container should be started.

Additional info:
The following lines are found in the journalctl output after a failed attempt:

ago 23 12:04:57 avillacis.palosanto.com dbus-daemon[650]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service'
ago 23 12:04:57 avillacis.palosanto.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
ago 23 12:04:57 avillacis.palosanto.com systemd[1]: Starting Fingerprint Authentication Daemon...
ago 23 12:04:57 avillacis.palosanto.com dbus-daemon[650]: [system] Successfully activated service 'net.reactivated.Fprint'
ago 23 12:04:57 avillacis.palosanto.com systemd[1]: Started Fingerprint Authentication Daemon.
ago 23 12:05:00 avillacis.palosanto.com audit[9554]: USER_AUTH pid=9554 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="alex" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
ago 23 12:05:00 avillacis.palosanto.com audit[9554]: USER_ACCT pid=9554 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="alex" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
ago 23 12:05:00 avillacis.palosanto.com sudo[9554]: alex : TTY=pts/2 ; PWD=/home/alex ; USER=root ; COMMAND=/bin/systemd-nspawn -D containers/centos5/
ago 23 12:05:00 avillacis.palosanto.com audit[9554]: USER_CMD pid=9554 uid=1000 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/alex" cmd=73797374656D642D6E737061776E202D4420636F6E7461696E6572732F63656E746F73352F terminal=pts/2 res=success'
ago 23 12:05:00 avillacis.palosanto.com audit[9554]: CRED_REFR pid=9554 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
ago 23 12:05:00 avillacis.palosanto.com sudo[9554]: pam_systemd(sudo:session): Cannot create session: Already occupied by a session
ago 23 12:05:00 avillacis.palosanto.com audit[9554]: USER_START pid=9554 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
ago 23 12:05:00 avillacis.palosanto.com sudo[9554]: pam_unix(sudo:session): session opened for user root by (uid=0)
ago 23 12:05:00 avillacis.palosanto.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
ago 23 12:05:00 avillacis.palosanto.com systemd-machined[1248]: Failed to start machine scope: Access denied
ago 23 12:05:00 avillacis.palosanto.com sudo[9554]: pam_unix(sudo:session): session closed for user root
ago 23 12:05:00 avillacis.palosanto.com audit[9554]: USER_END pid=9554 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
ago 23 12:05:00 avillacis.palosanto.com audit[9554]: CRED_DISP pid=9554 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
$ sesearch -A -s systemd_machined_t -t init_t -c system
Found 1 semantic av rules:
   allow systemd_machined_t init_t : system { status start stop } ;

$ rpm -q selinux-policy
selinux-policy-3.13.1-191.13.fc24.noarch

This is fixed in the latest selinux-policy, currently in the updates-testing repo. Closing.
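The triage that connects the reporter's USER_AVC journal line to the maintainer's sesearch check can be scripted. The following is an added example, not code from the bug report or from the systemd or selinux-policy projects: it pulls the source type, target type, object class and denied permission out of an AVC record and turns them into (a) the sesearch query that asks whether the loaded policy allows that access and (b) the equivalent allow rule that audit2allow would put into a local policy module. The sample line is the USER_AVC record quoted above, embedded here as constructed test input; the function names are my own, and the script assumes a POSIX shell with sed, cut and tr.

```shell
#!/bin/sh
# Added example: extract the fields of an SELinux AVC denial and build the
# policy query and allow rule a practitioner would use to triage it.

# Constructed sample input: the USER_AVC line from the journal output above.
SAMPLE_AVC="ago 23 12:05:00 avillacis.palosanto.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 cmdline=\"/usr/lib/systemd/systemd-machined\" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'"

# avc_field LINE KEY -> the value of "KEY=value" in LINE (empty if absent).
# The key must be preceded by a space or "(" so that e.g. "tcontext" does
# not match inside another key.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_perms LINE -> the permission(s) listed inside "denied { ... }",
# space separated (e.g. "start", or "read write" for a multi-permission AVC).
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# type_of CONTEXT -> the type, i.e. the third field of user:role:type:level.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_sesearch LINE -> the sesearch (setools) query that checks whether the
# loaded policy grants the denied access; this is the check used in the
# maintainer's comment, with -p added to narrow it to the denied permission.
avc_to_sesearch() {
    s=$(type_of "$(avc_field "$1" scontext)")
    t=$(type_of "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perms "$1" | tr ' ' ',')
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$s" "$t" "$c" "$p"
}

# avc_to_rule LINE -> the allow rule in policy language, i.e. what
# audit2allow would emit for a local module. Loading such a module with
# semodule is a targeted interim workaround; "setenforce 0" instead disables
# enforcement for every domain on the host.
avc_to_rule() {
    s=$(type_of "$(avc_field "$1" scontext)")
    t=$(type_of "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$p"
}

# policy_allows LINE -> exit 0 if the loaded policy has a matching allow rule,
# 1 if it does not, 2 if sesearch is not installed. Only meaningful on a host
# with SELinux and setools; the rest of the script runs anywhere.
policy_allows() {
    command -v sesearch >/dev/null 2>&1 || return 2
    q=$(avc_to_sesearch "$1")
    if $q 2>/dev/null | grep -q '^ *allow '; then return 0; fi
    return 1
}

# Stand-alone usage: print the query and the rule for the sample line.
avc_to_sesearch "$SAMPLE_AVC"
avc_to_rule "$SAMPLE_AVC"
```

On the reporter's policy (selinux-policy-3.13.1-191.12) the generated query would return no rule; on the maintainer's (191.13) it returns the `allow systemd_machined_t init_t : system { status start stop }` rule shown in the comment, which is exactly the difference the fix made. The rule from avc_to_rule can be wrapped in a module with `audit2allow -M` and loaded with `semodule -i` if a policy update is not yet available, which keeps the host in enforcing mode.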