Version-Release number of selected component (if applicable):
selinux-policy.noarch 3.13.1-225.3.fc25 @updates
selinux-policy-targeted.noarch 3.13.1-225.3.fc25 @updates

Description of problem:

# machinectl login foo
# machinectl start foo
# machinectl stop foo

The user experience is completely broken due to SELinux denials.

# ausearch -c 'machine'
----
time->Wed Jan 25 19:14:08 2017
type=AVC msg=audit(1485368048.890:12384): avc: denied { search } for pid=27120 comm="systemd-machine" name="2465" dev="proc" ino=5639308 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
----
time->Wed Jan 25 19:20:04 2017
type=AVC msg=audit(1485368404.674:12546): avc: denied { search } for pid=27120 comm="systemd-machine" name="3230" dev="proc" ino=5647183 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
----
time->Wed Jan 25 19:23:39 2017
type=AVC msg=audit(1485368619.692:12551): avc: denied { search } for pid=27120 comm="systemd-machine" name="3244" dev="proc" ino=5649597 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
----
time->Wed Jan 25 19:23:39 2017
type=AVC msg=audit(1485368619.692:12552): avc: denied { read } for pid=27120 comm="systemd-machine" name="cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:23:39 2017
type=AVC msg=audit(1485368619.692:12553): avc: denied { open } for pid=27120 comm="systemd-machine" path="/proc/3244/cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:23:39 2017
type=AVC msg=audit(1485368619.692:12554): avc: denied { getattr } for pid=27120 comm="systemd-machine" path="/proc/3244/cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.903:12602): avc: denied { sys_ptrace } for pid=27120 comm="systemd-machine" capability=19 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.904:12603): avc: denied { read } for pid=27120 comm="systemd-machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.905:12604): avc: denied { sys_admin } for pid=3424 comm="systemd-machine" capability=21 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.905:12605): avc: denied { sys_chroot } for pid=3424 comm="systemd-machine" capability=18 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.905:12606): avc: denied { setgid } for pid=3424 comm="systemd-machine" capability=6 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.905:12607): avc: denied { setuid } for pid=3424 comm="systemd-machine" capability=7 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.906:12608): avc: denied { read } for pid=3424 comm="systemd-machine" name="ptmx" dev="tmpfs" ino=5647227 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.906:12609): avc: denied { open } for pid=3424 comm="systemd-machine" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.911:12610): avc: denied { write } for pid=3428 comm="systemd-machine" name="system_bus_socket" dev="tmpfs" ino=5649679 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file permissive=1
----
time->Wed Jan 25 19:24:16 2017
type=AVC msg=audit(1485368656.903:12601): avc: denied { read } for pid=27120 comm="systemd-machine" name="mnt" dev="proc" ino=5648333 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jan 25 19:25:30 2017
type=AVC msg=audit(1485368730.181:12645): avc: denied { signal } for pid=27120 comm="systemd-machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
----
time->Wed Jan 25 19:25:30 2017
type=AVC msg=audit(1485368730.181:12644): avc: denied { kill } for pid=27120 comm="systemd-machine" capability=5 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Wed Jan 25 19:25:42 2017
type=AVC msg=audit(1485368742.376:12655): avc: denied { open } for pid=27120 comm="systemd-machine" path="/proc/3553/cgroup" dev="proc" ino=5654799 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Wed Jan 25 19:25:42 2017
type=AVC msg=audit(1485368742.376:12656): avc: denied { getattr } for pid=27120 comm="systemd-machine" path="/proc/3553/cgroup" dev="proc" ino=5654799 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
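The records above are easier to triage once they are grouped by source domain, target type, object class and permission, which is the step audit2allow automates. The following is an added example written for this editorial pass, not code from the reporter or from the selinux-policy project: a dependency-free parser that does that grouping, renders the result as CIL allow statements in the same shape as the module posted later in this thread, separates the records that were actually enforced (permissive=0) from those logged while permissive, and flags rules whose target is a widely shared type. The sample records are copied from the report above; the list of "broad" target types is an assumption chosen for the example, not a list taken from the policy.

```python
"""Group SELinux AVC denials and render them as candidate CIL allow rules.

Added example, not part of the bug report. It only summarises what the
kernel logged; deciding whether a rule is safe to add is still a human job.
"""
import re
from collections import defaultdict

# Constructed sample: five records copied from the ausearch output above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1485368048.890:12384): avc: denied { search } for pid=27120 comm="systemd-machine" name="2465" dev="proc" ino=5639308 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485368619.692:12553): avc: denied { open } for pid=27120 comm="systemd-machine" path="/proc/3244/cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1485368619.692:12554): avc: denied { getattr } for pid=27120 comm="systemd-machine" path="/proc/3244/cgroup" dev="proc" ino=5647880 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1485368656.905:12604): avc: denied { sys_admin } for pid=3424 comm="systemd-machine" capability=21 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
type=AVC msg=audit(1485368656.906:12609): avc: denied { open } for pid=3424 comm="systemd-machine" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
"""

# ausearch prints "avc:  denied  { perm }" with double spaces; \s+ accepts both.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types shared by many unrelated domains. An allow rule against one of these
# is much broader than a rule against a private type. Assumed list for this
# example, not taken from the policy.
BROAD_TARGET_TYPES = {"unconfined_service_t", "tmpfs_t", "devpts_t", "proc_t"}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the access was really refused, not just logged.
        "enforced": fields.get("permissive") == "0",
        "object": fields.get("path") or fields.get("name") or fields.get("capability", ""),
    }


def summarize(text):
    """Group denials by (source, target, class) -> set of permissions.

    Also returns the list of records that were enforced (permissive=0).
    """
    groups = defaultdict(set)
    enforced = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        groups[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
        if rec["enforced"]:
            enforced.append(rec)
    return groups, enforced


def to_cil(groups):
    """Render the groups as CIL allow statements, using self when target == source."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        tgt_name = "self" if tgt == src else tgt
        rules.append(f"(allow {src} {tgt_name} ({cls} ({' '.join(sorted(perms))})))")
    return rules


def broad_targets(groups):
    """Keys whose target is a shared type: candidates for a private type instead."""
    return sorted(k for k in groups if k[1] in BROAD_TARGET_TYPES)


if __name__ == "__main__":
    groups, enforced = summarize(SAMPLE_AVCS)
    print(f"{len(enforced)} denial(s) were enforced (permissive=0)")
    for rule in to_cil(groups):
        print(rule)
    for src, tgt, cls in broad_targets(groups):
        print(f"# review: {src} -> {tgt} ({cls}) targets a shared type")
```

Run it on the full audit.log with `summarize(open("/var/log/audit/audit.log").read())`; the "review" lines are where a private type (the thread later proposes nspawn_unit_file_t and the container_runtime_tmpfs_t family) would replace a rule against a catch-all type.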
Created attachment 1244512 [details]
audit.log

User sfix helped me with some tries. At the end of them we managed to use

# machinectl start foo
# machinectl stop foo

but

# machinectl login foo

still does not work. We inserted

(type nspawn_unit_file_t)
(roletype object_r nspawn_unit_file_t)
(typeattributeset systemd_unit_file_type nspawn_unit_file_t)
(typeattributeset file_type nspawn_unit_file_t)
(context nspawn_unit_file_context (system_u object_r nspawn_unit_file_t ((s0) (s0))))
(filecon "/usr/lib/systemd/system/systemd\-nspawn@\.service" file nspawn_unit_file_context)
(allow systemd_machined_t spc_t (process (signal)))
(allow systemd_machined_t self (cap_userns (all)))
(allow systemd_machined_t nspawn_unit_file_t (service (all)))

into machined_patch.cil, then

# semodule -i machined_patch.cil
# restorecon -vF /usr/lib/systemd/system/systemd-nspawn@.service

and tried playing with

# machinectl start foo
# machinectl login foo
# machinectl stop foo

I attach /var/log/audit/audit.log.
Based on the above policy that we created after stepping through the previous AVCs in the initial report, it seems to me that when machined wants these access vectors:

type=AVC msg=audit(1485387994.833:13154): avc: denied { read } for pid=7456 comm="systemd-machine" name="ptmx" dev="tmpfs" ino=5689160 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_runtime_tmpfs_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1485387994.833:13155): avc: denied { open } for pid=7456 comm="systemd-machine" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_devpts_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1485387994.838:13156): avc: denied { write } for pid=7460 comm="systemd-machine" name="system_bus_socket" dev="tmpfs" ino=5694845 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_runtime_tmpfs_t:s0 tclass=sock_file permissive=1

it should be running in the container_runtime_t domain (or an equivalent for nspawn; currently systemd-nspawn has no private type in Fedora's policy).

container_runtime_t has permissions on these access vectors:

> $ sesearch -ACS -d -s container_runtime_t -t container_runtime_tmpfs_t
Found 6 semantic av rules:
   allow container_runtime_t container_runtime_tmpfs_t : dir { ioctl read write create getattr setattr lock relabelfrom unlink link rename add_name remove_name reparent search rmdir open } ;
   allow container_runtime_t container_runtime_tmpfs_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
   allow container_runtime_t container_runtime_tmpfs_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ;
   allow container_runtime_t container_runtime_tmpfs_t : chr_file { ioctl read write create getattr setattr lock append unlink link rename mounton open } ;
   allow container_runtime_t container_runtime_tmpfs_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow container_runtime_t container_runtime_tmpfs_t : blk_file { ioctl read write create getattr setattr lock append unlink link rename open } ;

I have limited experience with machined and user namespaces, so the above is based on an observation of the current container-selinux policy.
Still not fixed in Fedora 26, please change the version to 26. This makes systemd-nspawn completely unusable without disabling SELinux.
I too would like to voice my support for this bug. It is understandable that something like machinectl trips SELinux, but that makes it all the more important that a fine-grained SELinux policy is supplied on installation. In the current situation users must disable SELinux or at best (I don't know) apply some overly broad SELinux policy, potentially leaving them open to rogue containers.
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
*** This bug has been marked as a duplicate of bug 1257990 ***