Description of problem:
I have installed Fedora-31-20190826.n.0 on a s390x machine. During boot the dbus-broker service fails to start with

Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1]: Starting D-Bus System Message Bus...
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1099]: dbus-broker.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev: Permission denied
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1099]: dbus-broker.service: Failed at step NAMESPACE spawning /usr/bin/dbus-broker-launch: Permission denied
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1]: dbus-broker.service: Main process exited, code=exited, status=226/NAMESPACE
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1]: dbus-broker.service: Failed with result 'exit-code'.
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1]: Failed to start D-Bus System Message Bus.

Switching SELinux into permissive mode makes the problem go away.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-31.fc31.noarch

How reproducible:
100%

Steps to Reproduce:
1. install Fedora-31-20190826.n.0
2. reboot into new system

Actual results:
dbus-broker not started, breaking other services

Expected results:
dbus-broker started

Additional info:
Relabeling didn't help. There is already bug #1706451 with the same/similar symptoms. Automated testing is passing on eg. ppc64le, so it might be an arch specific issue.
Seems I experience the same issue also in a rawhide system that I've updated recently. Might be a change in the last 3 weeks ...
Hi Dan,

I tried to reproduce it with the following versions:
selinux-policy-3.14.4-31.fc31.noarch
dbus-broker-21-6.fc31.x86_64

and dbus-broker is working for me.

# systemctl status dbus-broker
● dbus-broker.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus-broker.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-08-28 10:07:04 EDT; 1min 51s ago
     Docs: man:dbus-broker-launch(1)
 Main PID: 482 (dbus-broker-lau)
    Tasks: 2
   Memory: 3.1M
      CPU: 54ms
   CGroup: /system.slice/dbus-broker.service
           ├─482 /usr/bin/dbus-broker-launch --scope system --audit
           └─499 dbus-broker --log 4 --controller 9 --machine-id e4659f437b124fb38a91d9c5a156b0b7 --max-…

Aug 28 10:07:03 localhost.localdomain systemd[1]: Starting D-Bus System Message Bus...
Aug 28 10:07:04 localhost.localdomain systemd[1]: Started D-Bus System Message Bus.
Aug 28 10:07:04 localhost.localdomain dbus-broker-lau[482]: Ready
Aug 28 10:07:12 host-10-0-136-62 dbus-broker-launch[482]: Activation request for 'org.freedesktop.r…ound.
Hint: Some lines were ellipsized, use -l to show in full.

Did I miss anything from the reproducer?

Thanks,
Lukas.
Yes, seems it's a s390x specific issue, I haven't seen reports like that from any other arch.
So booting with previous kernel + initrd has no such issue. I'll give you access to the machines in question.
So I have tracked that to a change in systemd between 242 and 243rc. With latest kernel and selinux-policy things work when I downgrade to systemd 242. Both rawhide and F-31 are affected.
> Relabeling didn't help.

Please see #1467103. Relabelling is not effective.

> There is already bug #1706451 with the same/similar symptoms.

Please note that #1706451 seems to be just another case of /dev mountpoint on the root partition being mislabelled. This might be the same thing, but I don't see why it'd trigger only with newer systemd. To check this, please disable dontaudit rules, reproduce the problem, and report the AVCs.

> So I have tracked that to a change in systemd between 242 and 243rc.

I don't see anything obviously related (though there are ~2k commits between 242 and 243rc1, so it's easy to miss something). Maybe it'll be easier to figure out with the AVCs.
I have retried with the Fedora-31-20190828.n.0 compose and the "dontaudit" rules disabled.

- state after installation and reboot - dbus-broker still not started, as expected
- then logged in on the console and ran "semodule -DB" and "systemctl start dbus-broker", which failed; this should be the 1st batch of AVCs
- then "setenforce 0" and another "systemctl start dbus-broker", which has been successful; this is the 2nd batch
- then fixing the ifcfg file (bug 1727904) with "echo FOO >> ifcfg", followed by "systemctl start NetworkManager", 3rd batch
- then log in over network with ssh

type=AVC msg=audit(1567151662.153:74): avc: denied { create } for pid=1145 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151662.153:76): avc: denied { create } for pid=1148 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151662.163:78): avc: denied { create } for pid=1151 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151662.163:80): avc: denied { create } for pid=1154 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151662.173:82): avc: denied { create } for pid=1157 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151841.603:138): avc: denied { create } for pid=1237 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567152101.123:141): avc: denied { create } for pid=1291 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:142): avc: denied { mounton } for pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/ptmx" dev="tmpfs" ino=24182 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:143): avc: denied { create } for pid=1291 comm="(r-launch)" name="null" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:144): avc: denied { mounton } for pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/null" dev="tmpfs" ino=24189 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:145): avc: denied { create } for pid=1291 comm="(r-launch)" name="zero" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:146): avc: denied { mounton } for pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/zero" dev="tmpfs" ino=24191 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:147): avc: denied { create } for pid=1291 comm="(r-launch)" name="random" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:148): avc: denied { mounton } for pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/random" dev="tmpfs" ino=24195 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:149): avc: denied { create } for pid=1291 comm="(r-launch)" name="urandom" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:150): avc: denied { mounton } for pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/urandom" dev="tmpfs" ino=24197 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:151): avc: denied { create } for pid=1291 comm="(r-launch)" name="tty" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devtty_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:152): avc: denied { mounton } for pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/tty" dev="tmpfs" ino=24199 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devtty_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152110.523:157): avc: denied { noatsecure } for pid=1304 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152110.523:158): avc: denied { rlimitinh } for pid=1304 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152110.523:159): avc: denied { siginh } for pid=1304 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152118.913:167): avc: denied { noatsecure } for pid=1319 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152118.913:168): avc: denied { rlimitinh } for pid=1319 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152118.913:169): avc: denied { siginh } for pid=1319 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152228.343:179): avc: denied { siginh } for pid=1327 comm="kill" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152237.313:187): avc: denied { noatsecure } for pid=1330 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152237.313:188): avc: denied { rlimitinh } for pid=1330 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152237.313:189): avc: denied { siginh } for pid=1330 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152237.813:198): avc: denied { siginh } for pid=1337 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152237.873:203): avc: denied { siginh } for pid=1336 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
This is the code in https://github.com/systemd/systemd/blob/master/src/core/namespace.c#L628, called from https://github.com/systemd/systemd/blob/master/src/core/namespace.c#L711.

There are two mknod's in that function. After the first one succeeds, the function returns. So it can't be that one. After the second one succeeds, it goes on to do a bind mount, which is consistent with getting that second error about 'mounton'. There are pairs of 'create' and 'mounton'. I don't understand why there's just one failed 'create' at the beginning. I'd expect to see an error from https://github.com/systemd/systemd/blob/master/src/core/namespace.c#L614 too.

Can you run this under strace (strace -e process,file -f -p1)? I get the following (on amd64):

[pid 68267] unshare(CLONE_NEWNS) = 0
[pid 68267] mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) = 0
[pid 68267] mount("/", "/run/systemd/unit-root", NULL, MS_BIND|MS_REC, NULL) = 0
[pid 68267] openat(AT_FDCWD, "/proc/self/mountinfo", O_RDONLY|O_CLOEXEC) = 3
[pid 68267] openat(AT_FDCWD, "/", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(4, "run", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 68267] openat(5, "systemd", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(4, "unit-root", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 68267] openat(5, "boot", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(AT_FDCWD, "/run/systemd/unit-root", O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY) = 4
[pid 68267] name_to_handle_at(4, "boot", {handle_bytes=128 => 12, handle_type=129, f_handle=0x800000000000000000000000}, [344], 0) = 0
[pid 68267] name_to_handle_at(4, "", {handle_bytes=128 => 20, handle_type=77, f_handle=0x0001000000000000000100000000000006000000}, [312], AT_EMPTY_PATH) = 0
[pid 68267] openat(AT_FDCWD, "/", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(4, "run", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 68267] openat(5, "systemd", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(4, "unit-root", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 68267] openat(5, "dev", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] mkdir("/tmp/namespace-dev-anBWke", 0700) = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev", 0755) = 0
[pid 68267] mount("tmpfs", "/tmp/namespace-dev-anBWke/dev", "tmpfs", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME, "mode=755") = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/pts", 0755) = 0
[pid 68267] mount("/dev/pts", "/tmp/namespace-dev-anBWke/dev/pts", NULL, MS_BIND, NULL) = 0
[pid 68267] lstat("/dev/ptmx", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x5, 0x2), ...}) = 0
[pid 68267] stat("/dev/ptmx", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x5, 0x2), ...}) = 0
[pid 68267] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 68267] mknod("/tmp/namespace-dev-anBWke/dev/ptmx", S_IFCHR|0666, makedev(0x5, 0x2)) = 0
[pid 68267] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 68267] stat("/tmp/namespace-dev-anBWke/dev/char", 0x7ffe9f5b5f70) = -1 ENOENT (No such file or directory)
[pid 68267] mkdir("/tmp", 0755) = -1 EEXIST (File exists)
[pid 68267] mkdir("/tmp/namespace-dev-anBWke", 0755) = -1 EEXIST (File exists)
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev", 0755) = -1 EEXIST (File exists)
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/char", 0755) = 0
[pid 68267] symlink("../ptmx", "/tmp/namespace-dev-anBWke/dev/char/5:2") = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/shm", 0755) = 0
[pid 68267] mount("/dev/shm", "/tmp/namespace-dev-anBWke/dev/shm", NULL, MS_BIND, NULL) = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/mqueue", 0755) = 0
[pid 68267] mount("/dev/mqueue", "/tmp/namespace-dev-anBWke/dev/mqueue", NULL, MS_BIND, NULL) = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/hugepages", 0755) = 0
[pid 68267] mount("/dev/hugepages", "/tmp/namespace-dev-anBWke/dev/hugepages", NULL, MS_BIND, NULL) = 0
[pid 68267] symlink("/run/systemd/journal/dev-log", "/tmp/namespace-dev-anBWke/dev/log") = 0
[pid 68267] stat("/dev/null", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x1, 0x3), ...}) = 0
[pid 68267] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 68267] mknod("/tmp/namespace-dev-anBWke/dev/null", S_IFCHR|0666, makedev(0x1, 0x3)) = 0
...
This is the output for "systemctl restart dbus-broker" after "setenforce 1". I wonder if it could be related to kernel bug 1658675, probably not as all arches were affected.

...
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = 57
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/pids.max", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 57
[pid 1] setxattr("/sys/fs/cgroup/system.slice/dbus-broker.service", "trusted.invocation_id", "9917b98b8f3e4857bc18f2fc17ca2193", 32, 0) = 0
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cpu.stat", O_RDONLY|O_CLOEXEC) = 57
[pid 1] symlink("9917b98b8f3e4857bc18f2fc17ca2193", "/run/systemd/units/.#invocation:dbus-broker.service050698ec9db6445f") = 0
[pid 1] rename("/run/systemd/units/.#invocation:dbus-broker.service050698ec9db6445f", "/run/systemd/units/invocation:dbus-broker.service") = 0
[pid 1] mkdir("/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f", 0700) = 0
[pid 1] mkdir("/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f/tmp", 01777) = 0
[pid 1] mkdir("/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi", 0700) = 0
[pid 1] mkdir("/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi/tmp", 01777) = 0
[pid 1] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x3ffaed69a20) = 13277
strace: Process 13277 attached
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 57
[pid 1] openat(AT_FDCWD, "/proc/13277/stat", O_RDONLY|O_CLOEXEC) = 57
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.events", O_RDONLY|O_CLOEXEC) = 57
[pid 13277] openat(AT_FDCWD, "/proc/self/fd", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 57
[pid 13277] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 3
[pid 13277] openat(AT_FDCWD, "/dev/null", O_RDONLY|O_NOCTTY) = 3
[pid 1] openat(AT_FDCWD, "/proc/909/cgroup", O_RDONLY|O_CLOEXEC) = 58
[pid 13277] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 3
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 3
[pid 13277] mkdir("/run/systemd/unit-root", 0700) = -1 EEXIST (File exists)
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 3
[pid 13277] unshare(CLONE_NEWNS) = 0
[pid 13277] mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) = 0
[pid 13277] mount("/", "/run/systemd/unit-root", NULL, MS_BIND|MS_REC, NULL) = 0
[pid 13277] openat(AT_FDCWD, "/proc/self/mountinfo", O_RDONLY|O_CLOEXEC) = 3
[pid 13277] openat(AT_FDCWD, "/", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(4, "run", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 13277] openat(5, "systemd", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(4, "unit-root", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 13277] openat(5, "boot", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(AT_FDCWD, "/run/systemd/unit-root", O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY) = 4
[pid 13277] name_to_handle_at(4, "boot", {handle_bytes=128 => 8, handle_type=1, f_handle=0x0000000200000000}, [209], 0) = 0
[pid 13277] name_to_handle_at(4, "", {handle_bytes=128 => 8, handle_type=1, f_handle=0x0000000200000000}, [188], AT_EMPTY_PATH) = 0
[pid 13277] openat(AT_FDCWD, "/", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(4, "run", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 13277] openat(5, "systemd", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(4, "unit-root", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 13277] openat(5, "dev", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] mkdir("/tmp/namespace-dev-Wc1698", 0700) = 0
[pid 13277] mkdir("/tmp/namespace-dev-Wc1698/dev", 0755) = 0
[pid 13277] mount("tmpfs", "/tmp/namespace-dev-Wc1698/dev", "tmpfs", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME, "mode=755") = 0
[pid 13277] mkdir("/tmp/namespace-dev-Wc1698/dev/pts", 0755) = 0
[pid 13277] mount("/dev/pts", "/tmp/namespace-dev-Wc1698/dev/pts", NULL, MS_BIND, NULL) = 0
[pid 13277] lstat("/dev/ptmx", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x5, 0x2), ...}) = 0
[pid 13277] stat("/dev/ptmx", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x5, 0x2), ...}) = 0
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] mknod("/tmp/namespace-dev-Wc1698/dev/ptmx", S_IFCHR|0666, makedev(0x5, 0x2)) = -1 EPERM (Operation not permitted)
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] mknod("/tmp/namespace-dev-Wc1698/dev/ptmx", S_IFREG|000) = -1 EACCES (Permission denied)
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] umount2("/tmp/namespace-dev-Wc1698/dev/pts", 0) = 0
[pid 13277] umount2("/tmp/namespace-dev-Wc1698/dev", 0) = 0
[pid 13277] rmdir("/tmp/namespace-dev-Wc1698/dev") = 0
[pid 13277] rmdir("/tmp/namespace-dev-Wc1698") = 0
[pid 13277] exit_group(226) = ?
[pid 13277] +++ exited with 226 +++
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.events", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/proc/13277/comm", O_RDONLY|O_CLOEXEC) = 58
[pid 1] waitid(P_ALL, 0, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=13277, si_uid=0, si_status=226, si_utime=0, si_stime=0}, WNOHANG|WEXITED|WNOWAIT, NULL) = 0
[pid 1] openat(AT_FDCWD, "/proc/13277/comm", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/proc/13277/cgroup", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/memory.events", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.threads", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.threads", O_RDONLY|O_CLOEXEC) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cpu.stat", O_RDONLY|O_CLOEXEC) = 58
[pid 1] lstat("/sys/fs/cgroup/system.slice/dbus-broker.service", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid 1] newfstatat(58, "cgroup.events", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.events", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "io.pressure", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.procs", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.events.local", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.swap.current", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.swap.max", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.swap.events", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.max.descendants", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cpu.stat", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.pressure", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.current", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "pids.current", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.stat", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "pids.events", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.low", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cpu.pressure", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.type", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.stat", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.threads", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.freeze", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.min", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.controllers", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.oom.group", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.max", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "memory.high", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "pids.max", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.subtree_control", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] newfstatat(58, "cgroup.max.depth", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 1] rmdir("/sys/fs/cgroup/system.slice/dbus-broker.service") = 0
[pid 1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
[pid 1] unlink("/run/systemd/units/invocation:dbus-broker.service") = 0
[pid 1] clone(child_stack=0x3ffad07efc0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[13278], tls=0x3ffad07f910, child_tidptr=0x3ffad07f9e0) = 13278
[pid 1] clone(child_stack=0x3ffac87dfc0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[13279], tls=0x3ffac87e910, child_tidptr=0x3ffac87e9e0) = 13279
[pid 1] waitid(P_PID, 13277, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=13277, si_uid=0, si_status=226, si_utime=0, si_stime=0}, WEXITED, NULL) = 0
[pid 1] waitid(P_ALL, 0, {}, WNOHANG|WEXITED|WNOWAIT, NULL) = 0
strace: Process 13278 attached
[pid 13278] newfstatat(AT_FDCWD, "/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f", strace: Process 13279 attached
{st_mode=S_IFDIR|0700, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 13278] newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 13278] openat(AT_FDCWD, "/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f", O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|O_DIRECTORY) = 21
[pid 13278] openat(21, "tmp", O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|O_DIRECTORY) = 22
[pid 13278] name_to_handle_at(21, "tmp", {handle_bytes=128 => 12, handle_type=1, f_handle=0x80cfabd60000cfc100000000}, [36], 0) = 0
[pid 13278] name_to_handle_at(21, "", {handle_bytes=128 => 12, handle_type=1, f_handle=0xf9e680ab0000cfc000000000}, [36], AT_EMPTY_PATH) = 0
[pid 13278] unlinkat(21, "tmp", AT_REMOVEDIR) = 0
[pid 13278] rmdir("/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f") = 0
[pid 13278] exit(0) = ?
[pid 13278] +++ exited with 0 +++
[pid 1] getxattr("/usr/lib/systemd/system/dbus-broker.service", "security.selinux", "system_u:object_r:systemd_unit_f"..., 255) = 41
[pid 13279] newfstatat(AT_FDCWD, "/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 13279] newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 13279] openat(AT_FDCWD, "/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi", O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|O_DIRECTORY) = 21
[pid 13279] openat(21, "tmp", O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|O_DIRECTORY) = 22
[pid 13279] name_to_handle_at(21, "tmp", {handle_bytes=128 => 8, handle_type=1, f_handle=0x000409a5d1b10451}, [58], 0) = 0
[pid 13279] name_to_handle_at(21, "", {handle_bytes=128 => 8, handle_type=1, f_handle=0x000409a09fee6aa7}, [58], AT_EMPTY_PATH) = 0
[pid 13279] unlinkat(21, "tmp", AT_REMOVEDIR) = 0
[pid 13279] rmdir("/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi") = 0
[pid 13279] exit(0) = ?
[pid 13279] +++ exited with 0 +++
[pid 1] openat(AT_FDCWD, "/proc/960/cgroup", O_RDONLY|O_CLOEXEC) = 20
[pid 1] openat(AT_FDCWD, "/proc/909/cgroup", O_RDONLY|O_CLOEXEC) = 20
[pid 1] openat(AT_FDCWD, "/proc/13270/cgroup", O_RDONLY|O_CLOEXEC) = 20
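Reading a trace of this size by hand is error-prone, so here is a small triage helper, added as an example for this thread and not part of the report or of systemd: it parses `strace -f` lines, skips errnos that are normal for a probing sequence (EEXIST, ENOENT), and reports the first hard failure together with the exit status of the PID that hit it. The sample trace is a constructed excerpt modelled on the second strace above (the s390x run, PID 13277), with one EEXIST line of the kind seen in the amd64 run added for contrast. A denial from SELinux reaches strace only as EACCES or EPERM, so the timestamp of the first hard failure is what you correlate with the AVC batch in the audit log.

```python
import re

# Constructed excerpt modelled on the failing strace run in this report (PID 13277).
SAMPLE_TRACE = """\
[pid 13277] unshare(CLONE_NEWNS) = 0
[pid 13277] mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) = 0
[pid 13277] mkdir("/run/systemd/unit-root", 0700) = -1 EEXIST (File exists)
[pid 13277] mkdir("/tmp/namespace-dev-Wc1698", 0700) = 0
[pid 13277] mount("tmpfs", "/tmp/namespace-dev-Wc1698/dev", "tmpfs", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME, "mode=755") = 0
[pid 13277] stat("/tmp/namespace-dev-Wc1698/dev/char", 0x7ffe9f5b5f70) = -1 ENOENT (No such file or directory)
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] mknod("/tmp/namespace-dev-Wc1698/dev/ptmx", S_IFCHR|0666, makedev(0x5, 0x2)) = -1 EPERM (Operation not permitted)
[pid 13277] mknod("/tmp/namespace-dev-Wc1698/dev/ptmx", S_IFREG|000) = -1 EACCES (Permission denied)
[pid 13277] umount2("/tmp/namespace-dev-Wc1698/dev", 0) = 0
[pid 13277] exit_group(226) = ?
[pid 13277] +++ exited with 226 +++
"""

# "[pid N] call(args) = ret [ERRNO (message)]"; the greedy args group backtracks
# to the last ") = " so nested parentheses such as makedev(0x5, 0x2) are kept.
SYSCALL_RE = re.compile(
    r'^\[pid\s+(?P<pid>\d+)\]\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+'
    r'(?P<ret>-?\d+|\?)(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<msg>[^)]*)\))?\s*$'
)
EXIT_RE = re.compile(r'^\[pid\s+(?P<pid>\d+)\]\s+\+\+\+ exited with (?P<status>\d+) \+\+\+$')

# Errnos that a mkdir/stat probing sequence produces on purpose; not failures.
BENIGN = frozenset({"EEXIST", "ENOENT", "EAGAIN", "EINTR"})


def parse_strace(text):
    """Turn strace -f output into a list of syscall and exit events."""
    events = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            ev["kind"] = "syscall"
            events.append(ev)
            continue
        m = EXIT_RE.match(line)
        if m:
            events.append({"kind": "exit", "pid": int(m.group("pid")),
                           "status": int(m.group("status"))})
    return events


def failures(events, benign=BENIGN):
    """Syscalls that returned an errno outside the benign set, in trace order."""
    return [e for e in events
            if e["kind"] == "syscall" and e["errno"] and e["errno"] not in benign]


def first_hard_failure(events, benign=BENIGN):
    hard = failures(events, benign)
    return hard[0] if hard else None


def exit_status(events, pid):
    for e in events:
        if e["kind"] == "exit" and e["pid"] == pid:
            return e["status"]
    return None


def triage(text):
    """One-line summary: the first hard failure and how the process ended."""
    events = parse_strace(text)
    first = first_hard_failure(events)
    if first is None:
        return "no hard failure found"
    return (f'pid {first["pid"]}: {first["call"]}({first["args"]}) -> '
            f'{first["errno"]} ({first["msg"]}); '
            f'exit status {exit_status(events, first["pid"])}')


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

Feed it a real capture with `triage(open("trace.txt").read())`. Because systemd's fallback path retries the device node as a plain file, the second failure (EACCES) is the one that decides the outcome, but the first (EPERM on the S_IFCHR mknod) is the one to look up in the audit log.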
I wonder if we could replicate the mkdir/mount/mknod sequence in shell and reproduce the behaviour ...
Created attachment 1616747: test script

This script should reproduce the steps (based on the strace output) leading to the failed mknod() call; I hope I cloned all syscalls to tool calls correctly. But it doesn't as it is now.
I have no idea why the denial occurs: the policy should be the same on all architectures. Anyway, let's reassign, since this is clearly caused by selinux denial.
One question can also be - what's so special with the dbus-broker service, that it fails to start? For example sshd has been started with an issue.
And the specialty is PrivateDevices=yes in the unit file; there are just a few services with this setting.
Hi All,

Sorry for the late reply. I prepared a local policy for testing purposes, could somebody please test it?

1. Load the following policy into the kernel:

$ cat local_bz1746613.cil
(allow init_t device_node (file (getattr create open mounton)))
# semodule -i local_bz1746613.cil

2. reproduce the scenario

Thanks,
Lukas.
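The local policy above was derived from the AVC batch earlier in this thread. As an added example (not part of the report, not audit2allow, and not the policy shipped for this bug), the following script shows that derivation: it parses AVC records, keys them by source type, target type and object class, unions the denied permissions, and emits CIL allow rules in the same syntax as the snippet above. It also picks out the first enforcing-mode (permissive=0) denial, which is all you see before `setenforce 0`. The sample records are copied from the AVC batch in this thread; the constant names and function names are this example's own.

```python
import re
from collections import defaultdict

# Records copied from the AVC batch posted earlier in this report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1567151662.153:74): avc: denied { create } for pid=1145 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567152101.123:141): avc: denied { create } for pid=1291 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:142): avc: denied { mounton } for pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/ptmx" dev="tmpfs" ino=24182 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:143): avc: denied { create } for pid=1291 comm="(r-launch)" name="null" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:144): avc: denied { mounton } for pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/null" dev="tmpfs" ino=24189 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152110.523:157): avc: denied { noatsecure } for pid=1304 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?P<rest>.*?)scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)
# The object is reported as name="..." for creates and path="..." for mounts.
OBJ_RE = re.compile(r'\b(?:name|path)="(?P<obj>[^"]*)"')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["pid"] = int(rec["pid"])
    rec["permissive"] = rec["permissive"] == "1"
    obj = OBJ_RE.search(rec.pop("rest"))
    rec["object"] = obj.group("obj") if obj else None
    return rec


def parse_all(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def aggregate(records):
    """{(source type, target type, class): set of denied permissions}."""
    rules = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        rules[key].update(r["perms"])
    return dict(rules)


def to_cil(rules):
    """Render aggregated denials as CIL allow statements, one per key."""
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(rules.items())]


def first_enforcing_denial(records):
    """The first denial logged with permissive=0, i.e. the one that actually failed."""
    for r in records:
        if not r["permissive"]:
            return r
    return None


if __name__ == "__main__":
    recs = parse_all(SAMPLE_AVCS)
    first = first_enforcing_denial(recs)
    print(f"enforcing denial: pid={first['pid']} object={first['object']}")
    print("\n".join(to_cil(aggregate(recs))))
```

The output rules are per target type (ptmx_t, null_device_t, ...), whereas the snippet above grants the same permissions on the whole device_node attribute in one line; either way, a rule set produced like this grants the subject everything it was ever denied, including fallback paths, so review it against what the process is supposed to do before loading it with semodule. The process-class denials (noatsecure, rlimitinh, siginh) are a separate matter and have nothing to do with the dbus-broker failure.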
I ran some tests with it and it fixes the problem. The local policy survives reboot, this is expected, right? The policy snippet looks logical to me, it gives systemd some permission for managing device nodes. But do you have an idea why it worked until now and why only s390x was broken in F-31?
Thanks for testing. Well, what is interesting is the class. Device nodes are files, not block or char devices. Any idea why? Thanks, Lukas.
I wonder if it has something to do with the namespaces ...
Proposed as a Freeze Exception for 31-final by Fedora user sharkcz using the blocker tracking app because: Without the SELinux policy change the system can't boot correctly after the installation, dbus-broker doesn't start and as a consequence other services fail to start as well. FE because s390x is an alt-arch.
Obvious +1 FE.
+1 FE.
commit 0729590a5777eaa449e70f0da8a74368d47651ec (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 4 12:33:09 2019 +0200

    Make dbus-broker service working on s390x arch

    When dbus-broker service is started on Fedora 31+ on s390x arch it ends up in failed state because systemd failed to set up mount namespacing. Systemd needs to be able to create and bindmount devices to the namespace. This patch fixes the issue.

    Resolves: rhbz#1746413

commit f5d5e8f24f1a0be465707cd5052db88ed6534d17
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 4 12:30:24 2019 +0200

    Add new interface dev_mounton_all_device_nodes()

commit eaaa0d710c003f0389f46d3d41fe4c071ba36fc1
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 4 12:27:40 2019 +0200

    Add new interface dev_create_all_files()
I suspect that the "mac_selinux_create_file*" calls in the "fallback" code are causing these and that these calls should not be there. The "dummy bind mount target" is not an actual device node and it probably should not be labeled as such (it's just a file that is used to mount the actual device node on, I suspect). Systemd would probably be allowed to create that with the generic context, and then it would probably have been allowed to mount the actual node on that "dummy bind mount target" just fine without any extra policy. The alternative to not fixing this properly in the code is the rules that you see above. The rules do not make sense (to me).
Discussed during the 2019-10-07 blocker review meeting: [0] The decision to classify this bug as an "AcceptedFreezeException" was made as this is a showstopping issue on a non-blocking arch that cannot be fixed with an update alone. [0] https://meetbot.fedoraproject.org/fedora-blocker-review/2019-10-07/f31-blocker-review.2019-10-07-16.02.txt
Lukas, what's your take on the objection in comment #23? And if you're satisfied you have the right fix, can we get it submitted as an update so we can get it into F31 ASAP? Thanks.
If I see right, then the policy update is included in the last selinux-policy-3.14.4-37.fc31 build that's already in https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25 Then we only need to attach this bug to the bodhi update. Lukas, is it correct?
FEDORA-2019-5adca37a25 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25
Hi All,
Dan is right, it should be included in selinux-policy-3.14.4-37.fc31, I also updated the bodhi update. To answer the question from comment #23, it's very hard to change something in systemd because it's not working with SELinux, there is no time for it and also, not all distros use SELinux.
I acknowledge that the timing is unfortunate. The change would have to be tested and since the scenario is rather exotic, it is not trivial to simulate it. However, the second argument I do not understand. The problem is the SELinux specific code in the fallback scenario. Removing that code should not affect any distributions that do not use SELinux. Also let me give a reason why one *would* want to address this issue in a sustainable way. The policy needed to work around this flaw is unlikely to be accepted into upstream. Distributions relying on upstream will thus be left out.
> The "dummy bind mount target" is not an actual device node and it probably should not be labeled as such (it's just a file that is used to mount the actual device node on, I suspect). Systemd would probably be allowed to create that with the generic context, and then it would probably have been allowed to mount the actual node on that "dummy bind mount target" just fine without any extra policy.

systemd seems to be calling mac_selinux_create_file_prepare() with the appropriate mode.
First, with the mode stat()ed from the actual device node (before the call to mknod()),
and then with mode==0, before creating a dummy mount target. So the "dummy bind mount target"
should not be labelled as a device node, but as a normal file. Or at least systemd passes
this metadata to selabel_lookup_raw().

So I'm not sure if I understood your comment correctly. If you think systemd should do
something different here, please submit a patch upstream, and then it can be discussed
and reviewed appropriately.
*** Bug 1756912 has been marked as a duplicate of this bug. ***
(In reply to Zbigniew Jędrzejewski-Szmek from comment #30)
> > The "dummy bind mount target" is not an actual device node and it probably should not be labeled as such (its just a fi;e that is used to mount the actual device node on i suspect). System would probably allowed to create that with the generic context, and then it would probably have been allowed to moun the actual node on that "dummy bind mount target" just fine without any extra policy.
>
> systemd seems to be calling mac_selinux_create_file_prepare() with the
> appropriate mode.
> First, with the mode stat()ed from the actual device node (before the call
> to mknod()),
> and then with mode==0, before creating a dummy mount target. So the "dummy
> bind mount target"
> should not be labelled as a device node, but as a normal file. Or at least
> systemd passes
> this metadata to selabel_lookup_raw().
>
> So I'm not sure if I understood your comment correctly. If you think systemd
> should do
> something different here, please submit a patch upstream, and then it can be
> discussed
> and reviewed appropriately.

ok let's take it here: https://github.com/systemd/systemd/issues/13762
selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
Reopening, because we can drop the workarounds from the policy. Bug 1769148 led to fixing the root cause in systemd (https://github.com/systemd/systemd/pull/13994) and now things work fine with
selinux-policy-3.14.4-35.fc31.noarch - pre-workaround policy
systemd-243.4-1.fc31.s390x - contains fix for 1769148
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
This message is a reminder that Fedora 32 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '32'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 32 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Lukas, did we ever remove the policy workaround here? See #c34.
Adam, good catch! Zdenek, please look at comment #34, we need to drop the commits from comment #22. Personally, I would keep the interfaces in the policy and just revert 0729590a5777eaa449e70f0da8a74368d47651ec. Also, it would be great to discuss it again with the systemd folks. Thanks, Lukas.
OK, so re-opening, setting to Rawhide, and updating summary.
I reverted the old commit for rawhide, but it seems it needs to be committed again to support PrivateDevices. See https://bugzilla.redhat.com/show_bug.cgi?id=1840265