Bug 1865748 - SELinux prevents systemd-nspawn from launching a machine
Summary: SELinux prevents systemd-nspawn from launching a machine
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1862681 1862682 1862684 1862685 1862690 1871022
Depends On: 1812955
Blocks:
 
Reported: 2020-08-04 04:03 UTC by Orion Poplawski
Modified: 2020-09-02 15:42 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.14.6-25.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-02 15:42:05 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1862681 0 medium CLOSED SELinux is preventing pkla-check-auth from 'connectto' accesses on the unix_stream_socket /run/systemd/userdb/io.systemd... 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1862686 0 high CLOSED SELinux is preventing systemd-machine from 'create' accesses on the sock_file io.systemd.Machine. 2021-02-22 00:41:40 UTC

Description Orion Poplawski 2020-08-04 04:03:52 UTC
Description of problem:

mock with systemd-nspawn fails to launch a container with:

Start: dnf install
ERROR: Command failed: 
 # /usr/bin/systemd-nspawn -q -M 9ab7132cf8544ca890ca73ef8b87d2e1 -D /var/lib/mock/fedora-rawhide-x86_64-bootstrap/root -a --capability=cap_ipc_lock --bind=/tmp/mock-resolv.wt8f3hy0:/etc/resolv.conf --console=pipe --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/var/lib/mock/fedora-rawhide-x86_64/root/installation-homedir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin --setenv=PROMPT_COMMAND=printf "\033]0;<mock-chroot>\007" --setenv=PS1=<mock-chroot> \s-\v\$  --setenv=LANG=C.UTF-8 --setenv=CCACHE_DIR=/var/tmp/ccache --setenv=CCACHE_UMASK=002 --setenv=LC_MESSAGES=C.UTF-8 /usr/bin/dnf --installroot /var/lib/mock/fedora-rawhide-x86_64/root/ --releasever 33 --setopt=deltarpm=False --allowerasing --disableplugin=local --disableplugin=spacewalk install @buildsys-build --setopt=tsflags=nocontexts
Failed to register machine: Remote peer disconnected

audit.log shows:

type=AVC msg=audit(1596512865.138:910): avc:  denied  { write } for  pid=197668 comm="systemd-machine" name="userdb" dev="tmpfs" ino=16428 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0

running in permissive mode adds the following as well:

type=AVC msg=audit(1596513507.964:962): avc:  denied  { add_name } for  pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1596513507.964:963): avc:  denied  { create } for  pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1596513705.972:1095): avc:  denied  { connectto } for  pid=203100 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1596513706.023:1103): avc:  denied  { connectto } for  pid=802 comm="systemd-logind" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-23.fc33.noarch
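To see how the five AVC records above reduce to the two separate policy changes discussed later in this bug (the systemd-machined access to the userdb directory and socket, and the connectto access from other domains), here is a small AVC parser written for this bug report. It is an added example, not part of the bug or of selinux-policy; it takes the audit lines quoted in the description, groups them by source type, target type and object class, and emits the raw allow rules that audit2allow would produce, while also flagging which rules were only observable in permissive mode (permissive=1). The raw rules are a diagnostic starting point; the actual fix went into the policy as an interface (see Comment 10), not as bare allow rules.

```python
import re
from collections import defaultdict

# Sample input: the AVC records quoted in the description of this bug, verbatim.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1596512865.138:910): avc:  denied  { write } for  pid=197668 comm="systemd-machine" name="userdb" dev="tmpfs" ino=16428 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1596513507.964:962): avc:  denied  { add_name } for  pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1596513507.964:963): avc:  denied  { create } for  pid=197878 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1596513705.972:1095): avc:  denied  { connectto } for  pid=203100 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1596513706.023:1103): avc:  denied  { connectto } for  pid=802 comm="systemd-logind" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
"""

# Shape of an audit AVC record: header, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group denials by (source type, target type, object class).

    'permissive_only' stays True for a group whose every record carried permissive=1,
    i.e. an access that only became visible after the first denial was no longer fatal.
    """
    summary = defaultdict(lambda: {"perms": set(), "permissive_only": True, "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        entry = summary[key]
        entry["perms"] |= rec["perms"]
        entry["comms"].add(rec.get("comm", "?"))
        if rec.get("permissive") == "0":
            entry["permissive_only"] = False
    return dict(summary)


def allow_rules(summary):
    """Render one raw allow rule per group, in the form audit2allow prints."""
    rules = []
    for (src, tgt, tclass), entry in sorted(summary.items()):
        perms = " ".join(sorted(entry["perms"]))
        rules.append(f"allow {src} {tgt}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule, (key, entry) in zip(allow_rules(summary), sorted(summary.items())):
        tag = "  # seen only in permissive mode" if entry["permissive_only"] else ""
        print(f"{rule}{tag}  (comm: {', '.join(sorted(entry['comms']))})")
```

Running it prints four rules: the two for systemd_machined_t against systemd_userdbd_runtime_t (dir and sock_file), which correspond to bz#1862686, and the two connectto rules for sshd_t and systemd_logind_t against systemd_machined_t, which are the ones this bug resolves. Only the first dir denial was recorded in enforcing mode; the other three groups are marked as permissive-only, which is why the reporter had to switch to permissive mode to capture the full set.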

Comment 1 Orion Poplawski 2020-08-04 04:05:54 UTC
hmm, the last connectto denials may be from other tasks.

Comment 2 Ben Cotton 2020-08-11 15:34:18 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.

Comment 3 Zdenek Pytela 2020-08-12 11:52:29 UTC
The first set is already handled in bz#1862686, so addressing the second one.
https://github.com/fedora-selinux/selinux-policy/pull/407

Comment 4 Zdenek Pytela 2020-08-12 11:53:58 UTC
*** Bug 1862681 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2020-08-12 11:54:07 UTC
*** Bug 1862682 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2020-08-12 11:54:14 UTC
*** Bug 1862684 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2020-08-12 11:54:22 UTC
*** Bug 1862685 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2020-08-12 11:54:33 UTC
*** Bug 1862690 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2020-08-12 16:11:04 UTC
The bugzillas were created for these domains:

sshd_t
policykit_t
policykit_auth_t
systemd_logind_t
xdm_t
NetworkManager_t
auditd_t

Comment 10 Zdenek Pytela 2020-08-13 12:40:23 UTC
commit 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Wed Aug 12 12:09:21 2020 +0200

    Allow nsswitch_domain to connect to systemd-machined using a unix socket
    
    Create the systemd_machined_stream_connect() interface.
    
    Resolves: rhbz#1865748

Comment 11 Zdenek Pytela 2020-08-21 07:48:18 UTC
*** Bug 1871022 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2020-08-27 11:30:53 UTC
FEDORA-2020-8f3381648b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b

Comment 13 Fedora Update System 2020-08-27 19:05:12 UTC
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f3381648b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2020-09-02 15:42:05 UTC
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

