Bug 1462382 - SELinux denies systemd-importd access to /var/lib/machines
SELinux denies systemd-importd access to /var/lib/machines
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2017-06-16 19:40 EDT by Aditya Shah
Modified: 2017-12-08 16:46 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Aditya Shah 2017-06-16 19:40:33 EDT
I am not very informed about SELinux, so I am giving everything I can in this report. I was trying to import an image of CentOS using machinectl as,

$ sudo machinectl pull-raw http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.raw.tar.gz

But it failed saying "Failed to transfer image: Access denied," with a SELinux alert.

The alert reports, that systemd-importd was denied read access to /var/lib/machines. I know that this directory is where machinectl pulls and stores images.

If I browse through nautilus and look at the properties of /var/lib/machines, its SELinux Context is system_u:object_r:systemd_machined_var_lib_t:s0.

Expected behaviour:

Image is pulled, extracted and stored under a new directory of the image name.
Comment 1 Mrunal Patel 2017-12-08 16:46:32 EST
Dan, this is the AVC generated when trying to pull:

time->Fri Dec  8 15:45:23 2017
type=AVC msg=audit(1512769523.719:9390): avc:  denied  { read } for  pid=21095 comm="systemd-importd" name="machines" dev="dm-0" ino=6161837 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_machined_var_lib_t:s0 tclass=dir permissive=0

Note You need to log in before you can comment on or make changes to this bug.