Description of problem:
mock with systemd-nspawn fails to launch a container with:

Start: dnf install
ERROR: Command failed:
 # /usr/bin/systemd-nspawn -q -M 9ab7132cf8544ca890ca73ef8b87d2e1 -D /var/lib/mock/fedora-rawhide-x86_64-bootstrap/root -a --capability=cap_ipc_lock --bind=/tmp/mock-resolv.wt8f3hy0:/etc/resolv.conf --console=pipe --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/var/lib/mock/fedora-rawhide-x86_64/root/installation-homedir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin --setenv=PROMPT_COMMAND=printf "\033]0;<mock-chroot>\007" --setenv=PS1=<mock-chroot> \s-\v\$ --setenv=LANG=C.UTF-8 --setenv=CCACHE_DIR=/var/tmp/ccache --setenv=CCACHE_UMASK=002 --setenv=LC_MESSAGES=C.UTF-8 /usr/bin/dnf --installroot /var/lib/mock/fedora-rawhide-x86_64/root/ --releasever 33 --setopt=deltarpm=False --allowerasing --disableplugin=local --disableplugin=spacewalk install @buildsys-build --setopt=tsflags=nocontexts
Failed to register machine: Remote peer disconnected

audit.log shows:

type=AVC msg=audit(1596512865.138:910): avc: denied { write } for pid=197668 comm="systemd-machine" name="userdb" dev="tmpfs" ino=16428 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0

Running in permissive mode adds the following as well:

type=AVC msg=audit(1596513507.964:962): avc: denied { add_name } for pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1596513507.964:963): avc: denied { create } for pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1596513705.972:1095): avc: denied { connectto } for pid=203100 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1596513706.023:1103): avc: denied { connectto } for pid=802 comm="systemd-logind" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-23.fc33.noarch
hmm, the last connectto denials may be from other tasks.
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.
The first set is already handled in bz#1862686, so addressing the second one. https://github.com/fedora-selinux/selinux-policy/pull/407
*** Bug 1862681 has been marked as a duplicate of this bug. ***
*** Bug 1862682 has been marked as a duplicate of this bug. ***
*** Bug 1862684 has been marked as a duplicate of this bug. ***
*** Bug 1862685 has been marked as a duplicate of this bug. ***
*** Bug 1862690 has been marked as a duplicate of this bug. ***
The bugzillas were created for these domains: sshd_t policykit_t policykit_auth_t systemd_logind_t xdm_t NetworkManager_t auditd_t
commit 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Wed Aug 12 12:09:21 2020 +0200

    Allow nsswitch_domain to connect to systemd-machined using a unix socket

    Create the systemd_machined_stream_connect() interface.

    Resolves: rhbz#1865748
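A triage sketch for the AVC records quoted in this report, added here as an example; it is not code from the bug thread or from the selinux-policy project. It groups denials by target type, class and permission so that source domains hitting the same missing rule show up together; the function names (`sel_type`, `parse_avc`, `group_denials`) are hypothetical, and a record with no `permissive=` field is assumed to be enforced.

```python
import re
from collections import defaultdict

# AVC records copied from the audit.log excerpt in this report.
SAMPLE = """\
type=AVC msg=audit(1596512865.138:910): avc: denied { write } for pid=197668 comm="systemd-machine" name="userdb" dev="tmpfs" ino=16428 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1596513507.964:962): avc: denied { add_name } for pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1596513507.964:963): avc: denied { create } for pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1596513705.972:1095): avc: denied { connectto } for pid=203100 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1596513706.023:1103): avc: denied { connectto } for pid=802 comm="systemd-logind" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?"
)

def sel_type(context):
    # Context is user:role:type[:range]; the range may itself contain ':'.
    return context.split(":")[2]

def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m["perms"].split(),
        "source": sel_type(m["s"]),
        "target": sel_type(m["t"]),
        "tclass": m["cls"],
        # Assumption: a record without permissive= counts as enforced.
        "enforced": m["perm"] != "1",
    }

def group_denials(text):
    """Map (target type, class, permission) -> sorted source domains denied it."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                groups[(rec["target"], rec["tclass"], perm)].add(rec["source"])
    return {key: sorted(srcs) for key, srcs in groups.items()}

if __name__ == "__main__":
    for (target, tclass, perm), srcs in sorted(group_denials(SAMPLE).items()):
        print(f"{target}:{tclass} {{ {perm} }} <- {', '.join(srcs)}")
```

On the sample, the `connectto` denials on `systemd_machined_t:unix_stream_socket` collect under one key with two different source domains, while the directory and socket-file denials all come from `systemd_machined_t` itself.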
*** Bug 1871022 has been marked as a duplicate of this bug. ***
FEDORA-2020-8f3381648b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f3381648b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.