Bug 1827467 - systemd-nspawn -U changes owner of host's /sys/fs/selinux
Summary: systemd-nspawn -U changes owner of host's /sys/fs/selinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 31
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-24 02:27 UTC by Anthony Messina
Modified: 2020-06-05 02:29 UTC (History)
6 users (show)

Fixed In Version: systemd-245.6-2.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-05 02:29:29 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github systemd systemd issues 15475 0 None closed systemd-nspawn -U changes owner of host's /sys/fs/selinux 2020-08-11 17:34:54 UTC

Description Anthony Messina 2020-04-24 02:27:42 UTC 
Reported upstream: https://github.com/systemd/systemd/issues/15475

Please backport to F31 & F32: https://github.com/systemd/systemd/pull/15533


systemd version the issue has been seen with

systemd 243 (v243.8-1.fc31)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Used distribution

Fedora 31 x86_64

Expected behaviour you didn't see

systemd-npawn container mounts /sys/fs/selinux and doesn't change the owner on the host and looks like the following:

# ll -Z /sys/fs
total 0
drwx-----T. 2 root root system_u:object_r:bpf_t:s0      0 Apr 18 13:46 bpf
dr-xr-xr-x. 6 root root system_u:object_r:cgroup_t:s0   0 Apr 18 14:03 cgroup
drwxr-xr-x. 7 root root system_u:object_r:sysfs_t:s0    0 Apr 18 15:30 ext4
drwxr-xr-x. 3 root root system_u:object_r:sysfs_t:s0    0 Apr 18 13:46 fuse
drwxr-xr-x. 3 root root system_u:object_r:sysfs_t:s0    0 Apr 18 13:46 nfs
drwxr-x---. 2 root root system_u:object_r:pstore_t:s0   0 Apr 18 13:46 pstore
drwxr-xr-x. 7 root root system_u:object_r:security_t:s0 0 Apr 18 13:46 selinux
Unexpected behaviour you saw

systemd-nspawn changes the owner of the host's /sys/fs/selinux directory and looks like the following:

# ll -Z /sys/fs
total 0
drwx-----T. 2 root      root      system_u:object_r:bpf_t:s0      0 Apr 18 13:46 bpf
dr-xr-xr-x. 6 root      root      system_u:object_r:cgroup_t:s0   0 Apr 18 14:03 cgroup
drwxr-xr-x. 7 root      root      system_u:object_r:sysfs_t:s0    0 Apr 18 15:30 ext4
drwxr-xr-x. 3 root      root      system_u:object_r:sysfs_t:s0    0 Apr 18 13:46 fuse
drwxr-xr-x. 3 root      root      system_u:object_r:sysfs_t:s0    0 Apr 18 13:46 nfs
drwxr-x---. 2 root      root      system_u:object_r:pstore_t:s0   0 Apr 18 13:46 pstore
drwxr-xr-x. 7 277413888 277413888 system_u:object_r:security_t:s0 0 Apr 18 13:46 selinux
Steps to reproduce the problem

strace -f --output strace.txt -DDD  systemd-nspawn --link-journal=try-guest --settings=override --machine=fedora -L system_u:object_r:systemd_nspawn_file_t:s0:c77.c78 -Z system_u:system_r:systemd_nspawn_t:s0:c77.c78 -U
strace output

15074 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
15074 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
15079 mkdir("/var/lib/machines/fedora/sys/fs/selinux", 0755) = 0
15079 lchown("/var/lib/machines/fedora/sys/fs/selinux", 277413888, 277413888) = 0
15079 mount("/sys/fs/selinux", "/var/lib/machines/fedora/sys/fs/selinux", NULL, MS_BIND, NULL) = 0
15079 mkdir("/var/lib/machines/fedora/sys/fs/selinux", 0755) = -1 EEXIST (File exists)
15079 lchown("/var/lib/machines/fedora/sys/fs/selinux", 277413888, 277413888) = 0
15079 mount(NULL, "/var/lib/machines/fedora/sys/fs/selinux", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
15090 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RDONLY|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
15090 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0
Comment 1 Anthony Messina 2020-04-28 23:07:33 UTC 
Fix committed to master upstream: https://github.com/systemd/systemd/commit/dcff2fa5d16f01edd774cd9dbc21fa4385af65bb
Comment 2 Fedora Update System 2020-05-31 10:54:11 UTC 
FEDORA-2020-dd43dd05b1 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1
Comment 3 Fedora Update System 2020-06-01 03:12:32 UTC 
FEDORA-2020-dd43dd05b1 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-dd43dd05b1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 4 Anthony Messina 2020-06-01 15:46:59 UTC 
See https://github.com/systemd/systemd/issues/16032

systemd-nspawn[312147]: Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora/sys/fs/selinux (MS_BIND "")...
systemd-nspawn[312147]: Failed to mount /sys/fs/selinux (type n/a) on /var/lib/machines/fedora/sys/fs/selinux (MS_BIND ""): No such file or directory
systemd-nspawn[312147]: Remounting /var/lib/machines/fedora/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND "")...
systemd-nspawn[312147]: Failed to mount n/a (type n/a) on /var/lib/machines/fedora/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): No such file or directory
Comment 5 Fedora Update System 2020-06-02 10:10:32 UTC 
FEDORA-2020-dd43dd05b1 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1
Comment 6 Fedora Update System 2020-06-03 03:11:30 UTC 
FEDORA-2020-dd43dd05b1 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-dd43dd05b1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Fedora Update System 2020-06-05 02:29:29 UTC 
FEDORA-2020-dd43dd05b1 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.