Bug 1467263 - rhel7 image has systemd-random-seed.service which is bound to fail due to SELinux
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rhel7-init-container
Version: 7.3
Assigned To: Frantisek Kluknavsky
Reported: 2017-07-03 05:29 EDT by Jan Pazdziora
Modified: 2017-08-01 09:21 EDT (History)
Last Closed: 2017-08-01 09:21:16 EDT
Type: Bug
External Trackers:
Red Hat Product Errata RHEA-2017:2377 normal SHIPPED_LIVE Red Hat Enterprise Linux 7.4 Init Container Image Update 2017-08-01 16:15:11 EDT
Description Jan Pazdziora 2017-07-03 05:29:48 EDT
Description of problem:

Running systemd in rhel7 container mostly works except for

systemd-random-seed.service: main process exited, code=exited, status=1/FAILURE
[FAILED] Failed to start Load/Save Random Seed.
See 'systemctl status systemd-random-seed.service' for details.
Unit systemd-random-seed.service entered failed state.
systemd-random-seed.service failed.

which fails due to AVC denials.

Version-Release number of selected component (if applicable):

registry.access.redhat.com/rhel7 latest 93bb76ddeb7a 11 days ago 192.7 MB
under
docker-1.12.6-39.1.git6ffd653.el7.x86_64
oci-systemd-hook-0.1.8-4.1.gite533efa.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run --rm -ti rhel7 /usr/sbin/init

Actual results:

# docker run --rm -ti rhel7 /usr/sbin/init
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux Server 7.3 (Maipo)!

Set hostname to <d571aa2ad1a3>.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Cannot add dependency job for unit sys-fs-fuse-connections.mount, ignoring: Unit is masked.
Cannot add dependency job for unit systemd-logind.service, ignoring: Unit is masked.
Cannot add dependency job for unit getty.target, ignoring: Unit is masked.
[  OK  ] Created slice Root Slice.
[  OK  ] Listening on Journal Socket.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Created slice System Slice.
[  OK  ] Reached target Slices.
         Starting Journal Service...
[  OK  ] Reached target Swap.
[  OK  ] Reached target Remote File Systems.
         Starting Load/Save Random Seed...
[  OK  ] Reached target Encrypted Volumes.
         Starting Rebuild Hardware Database...
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Reached target Local File Systems.
         Starting Rebuild Journal Catalog...
systemd-random-seed.service: main process exited, code=exited, status=1/FAILURE
[FAILED] Failed to start Load/Save Random Seed.
See 'systemctl status systemd-random-seed.service' for details.
Unit systemd-random-seed.service entered failed state.
systemd-random-seed.service failed.
[  OK  ] Started Rebuild Hardware Database.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Rebuild Journal Catalog.
         Starting Update is Completed...
[  OK  ] Started Update is Completed.
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Reached target Timers.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting Permit User Sessions...
[  OK  ] Started D-Bus System Message Bus.
         Starting D-Bus System Message Bus...
[  OK  ] Started Permit User Sessions.
         Starting Cleanup of Temporary Directories...
[  OK  ] Reached target Multi-User System.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Cleanup of Temporary Directories.
[  OK  ] Started Update UTMP about System Runlevel Changes.

and in audit.log

type=AVC msg=audit(1499073426.205:191): avc:  denied  { write } for  pid=25033 comm="systemd-random-" name="urandom" dev="devtmpfs" ino=4861 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1499073426.205:192): avc:  denied  { write } for  pid=25033 comm="systemd-random-" name="urandom" dev="devtmpfs" ino=4861 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1499073454.237:218): avc:  denied  { getattr } for  pid=25098 comm="tty" path="/dev/fuse" dev="devtmpfs" ino=12364 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file

Expected results:

No failed service, no AVC denial, systemd-random-seed.service not enabled by default.

Additional info:

While the fedora:24 image has the same problem, fedora:25 does not, as it does not enable systemd-random-seed.service. That's why I believe disabling / removing that service from the default rhel7 configuration is a step in the correct direction.
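The AVC lines above are the only evidence of why the unit fails, so the first thing a defender wants is to read them mechanically rather than by eye. The following is an added example (not code from the bug report, the image, or Red Hat): it parses `type=AVC` records into key/value fields, summarizes denied permissions per (source type, target type, object class), and picks out the denials attributable to the random-seed unit. The three sample lines are the ones quoted in the report; the function names are my own. Note that `comm=` is truncated by the kernel to 15 characters, which is why it reads `systemd-random-` rather than the full `systemd-random-seed` and why the code matches on a prefix.

```python
"""Parse SELinux AVC denial records from audit.log and summarize them."""
import re
from collections import defaultdict

# Constructed sample input: the three AVC lines quoted in the bug report.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1499073426.205:191): avc:  denied  { write } for  pid=25033 '
    'comm="systemd-random-" name="urandom" dev="devtmpfs" ino=4861 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 '
    'tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1499073426.205:192): avc:  denied  { write } for  pid=25033 '
    'comm="systemd-random-" name="urandom" dev="devtmpfs" ino=4861 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 '
    'tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1499073454.237:218): avc:  denied  { getattr } for  pid=25098 '
    'comm="tty" path="/dev/fuse" dev="devtmpfs" ino=12364 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 '
    'tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file',
]

# "avc:  denied  { write }" -> decision and the brace-enclosed permission list.
_PERMS_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
# key=value pairs; values are either double-quoted or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    if "type=AVC" not in line:
        return None
    m = _PERMS_RE.search(line)
    if m is None:
        return None
    rec = {"decision": m.group("decision"), "perms": set(m.group("perms").split())}
    for key, val in _KV_RE.findall(line):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(lines):
    """Map (source type, target type, class) -> set of denied permissions.

    This is the same grouping audit2allow would turn into allow rules; here it
    is only used to see what the policy is refusing.
    """
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


def random_seed_denials(lines):
    """Denials from the random-seed unit hitting the urandom device.

    comm is kernel-truncated to 15 characters ("systemd-random-"), so match on
    that prefix rather than the full unit name.
    """
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if (rec.get("comm", "").startswith("systemd-random-")
                and context_type(rec.get("tcontext", "")) == "urandom_device_t"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_AUDIT_LINES).items():
        print(key, sorted(perms))
    print("random-seed denials:", len(random_seed_denials(SAMPLE_AUDIT_LINES)))
```

Run against the sample, the summary shows the container domain `svirt_lxc_net_t` being refused `write` on `urandom_device_t` (and `getattr` on `fuse_device_t`, from a separate `tty` process). That is the policy keeping the container away from the host's `/dev/urandom`, so the fix belongs on the unit side, as the reporter's expected result says, rather than in a custom allow rule.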
Comment 5 Frantisek Kluknavsky 2017-07-03 11:04:38 EDT
Thank you for the report. Please try rhel7-init instead. It is rhel-server with cmd, stopsignal and a few masked services to run systemd out of the box.
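Whether an image still pulls the unit in is something you can verify on an unpacked rootfs without booting it. The following is an added example (not the rhel7-init image's own tooling): it classifies a unit as masked (symlink to `/dev/null` in `/etc/systemd/system`), wanted (linked from some target's `.wants/` directory under `/etc` or `/usr/lib`), merely present, or absent. `build_fixture` constructs a throwaway directory tree for the demonstration; it assumes the standard systemd layout and is not a real image.

```python
"""Classify how a systemd unit is wired into an unpacked container rootfs."""
import os
import tempfile

UNIT = "systemd-random-seed.service"
# Unit directories systemd consults in the system scope, highest priority first.
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system")


def unit_state(rootfs, unit=UNIT):
    """Return 'masked', 'wanted', 'present' or 'absent' for unit under rootfs.

    A mask (a /dev/null symlink in /etc/systemd/system) wins over any .wants
    link, which is why it is checked first.
    """
    mask = os.path.join(rootfs, "etc/systemd/system", unit)
    if os.path.islink(mask) and os.readlink(mask) == "/dev/null":
        return "masked"
    present = False
    for d in UNIT_DIRS:
        base = os.path.join(rootfs, d)
        if not os.path.isdir(base):
            continue
        if os.path.lexists(os.path.join(base, unit)):
            present = True
        # Any <target>.wants/<unit> link means the unit is pulled into boot.
        for entry in os.listdir(base):
            if entry.endswith(".wants") and os.path.lexists(os.path.join(base, entry, unit)):
                return "wanted"
    return "present" if present else "absent"


def build_fixture(masked):
    """Constructed rootfs for the example: the unit lives in /usr/lib and is
    linked from sysinit.target.wants; with masked=True it is also masked in /etc."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    lib = os.path.join(root, "usr/lib/systemd/system")
    os.makedirs(os.path.join(lib, "sysinit.target.wants"))
    with open(os.path.join(lib, UNIT), "w") as f:
        f.write("[Unit]\nDescription=Load/Save Random Seed\n")
    os.symlink(os.path.join("..", UNIT), os.path.join(lib, "sysinit.target.wants", UNIT))
    etc = os.path.join(root, "etc/systemd/system")
    os.makedirs(etc)
    if masked:
        os.symlink("/dev/null", os.path.join(etc, UNIT))
    return root


if __name__ == "__main__":
    print("stock layout :", unit_state(build_fixture(masked=False)))
    print("masked layout:", unit_state(build_fixture(masked=True)))
```

Pointed at a real extracted image (for example the output of `docker export` untarred into a directory), the same function reports whether the random-seed unit would still be started at boot; "masked" or "absent" is the state the reporter's expected result asks for.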
Comment 7 errata-xmlrpc 2017-08-01 09:21:16 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2377
