Description of problem:

We are seeing issues where init_t (systemd) is not able to watch directories. This makes path units pretty useless. According to Dan Walsh: "If init_t can read all file_type directories, it should be able to watch them as well."

https://github.com/containers/container-selinux/issues/135#issuecomment-867961079

Can we get selinux updated to allow systemd to watch directories so our path units will work again?

More context in:

https://github.com/coreos/fedora-coreos-tracker/issues/861
https://github.com/containers/container-selinux/issues/135

Version-Release number of selected component (if applicable):

```
[core@localhost ~]$ rpm -q selinux-policy container-selinux
selinux-policy-34.11-1.fc34.noarch
container-selinux-2.163.0-1.fc34.noarch
```

How reproducible: Always

Steps to Reproduce:

Spin up an FCOS machine with this butane config:

```
variant: fcos
version: 1.3.0
systemd:
  units:
    - name: tester.path
      enabled: true
      contents: |
        [Unit]
        Description=Watch for kube config
        [Path]
        PathExists=/etc/kubernetes/kubeconfig
        [Install]
        WantedBy=multi-user.target
    - name: tester.service
      enabled: false
      contents: |
        [Unit]
        Description=Watch for test config
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=bash -c "echo tester: $(date)"
storage:
  directories:
    - path: /etc/kubernetes
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - "MY-PUBKEY"
```

Notice that after you log in you can't activate the path unit by creating /etc/kubernetes/kubeconfig, and you'll see the following in the journal:

```
$ journalctl | grep -i avc | grep denied
Jul 08 20:50:34 localhost audit[1]: AVC avc: denied { watch } for pid=1 comm="systemd" path="/etc/kubernetes" dev="sda4" ino=18874496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=dir permissive=0
```

We don't have the same problem if we use some random directory (i.e. `/etc/foobar/kubeconfig`).

Actual results: Denied

Expected results: Not denied

Additional info:
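A small detector for this class of denial, added here as an example and not part of the bug report or the policy PR: it parses AVC records of the shape shown above out of journal text and reports enforced `watch` denials for the `init_t` domain, which are the ones that silently stop path units from triggering. The journal lines in `SAMPLE_JOURNAL` are constructed, modelled on the record in the report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample journal lines modelled on the AVC record in the report (not real system output).
SAMPLE_JOURNAL = """\
Jul 08 20:50:34 localhost audit[1]: AVC avc:  denied  { watch } for  pid=1 comm="systemd" path="/etc/kubernetes" dev="sda4" ino=18874496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=dir permissive=0
Jul 08 20:50:35 localhost audit[1]: AVC avc:  denied  { read } for  pid=1234 comm="nginx" path="/srv/www/index.html" dev="sda4" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jul 08 20:50:36 localhost systemd[1]: Started Watch for kube config.
Jul 08 20:50:37 localhost audit[1]: AVC avc:  denied  { watch } for  pid=1 comm="systemd" path="/etc/foobar" dev="sda4" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
"""

# "avc: denied { perm ... } for key=value ..." as the kernel's AVC record appears in the journal.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one journal line; return the AVC fields, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:level; the type is what a policy rule is written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = str(rec[ctx]).split(":")[2]
    return rec


def watch_denials(journal: str, source_type: str = "init_t") -> List[Dict[str, object]]:
    """Enforced (permissive=0) 'watch' denials whose source domain is source_type.
    These are the records that silently stop systemd path units from triggering."""
    hits = []
    for line in journal.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec.get("permissive") != "0":
            continue
        if "watch" in rec["perms"] and rec.get("scontext_type") == source_type:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in watch_denials(SAMPLE_JOURNAL):
        print(f'{h["comm"]} ({h["scontext_type"]}) denied watch on {h["path"]} ({h["tcontext_type"]}, {h["tclass"]})')
```

Feeding it `journalctl -b` output flags exactly the `/etc/kubernetes` record while ignoring the non-AVC line, the unrelated `read` denial and the permissive-mode record.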
I've opened a PR: https://github.com/fedora-selinux/selinux-policy/pull/799 If there is no negative feedback, I'll merge it soon. I expect one objection: that it is not complete enough.
Thanks @zpytela. If there is a scratch build available somewhere I can try to test with it.
PR: Show all checks -> build-rpm -> Details -> Artifacts -> rpms
Thanks. Looks like it works great!

```
[core@localhost ~]$ journalctl | grep -i avc
[core@localhost ~]$
[core@localhost ~]$ systemctl status tester.service
○ tester.service - Watch for test config
     Loaded: loaded (/etc/systemd/system/tester.service; static)
     Active: inactive (dead)
TriggeredBy: ● tester.path
[core@localhost ~]$
[core@localhost ~]$ sudo journalctl -u tester.service -u tester.path -f &
[1] 1200
[core@localhost ~]$ -- Journal begins at Fri 2021-07-09 14:28:17 UTC. --
Jul 09 14:28:26 localhost systemd[1]: Started Watch for kube config.
[core@localhost ~]$
[core@localhost ~]$
[core@localhost ~]$ sudo touch /etc/kubernetes/kubeconfig
[core@localhost ~]$ Jul 09 14:29:35 localhost.localdomain systemd[1]: Starting Watch for test config...
Jul 09 14:29:35 localhost.localdomain bash[1211]: tester: Fri Jul 9 14:29:35 UTC 2021
Jul 09 14:29:35 localhost.localdomain systemd[1]: Finished Watch for test config.
[core@localhost ~]$ journalctl | grep -i avc
[core@localhost ~]$
[core@localhost ~]$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-34.13-1.20210707_172609.3600bd4.fc35.noarch
selinux-policy-targeted-34.13-1.20210707_172609.3600bd4.fc35.noarch
```
Merged.
FEDORA-2021-119c2c9b63 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-119c2c9b63
FEDORA-2021-119c2c9b63 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-119c2c9b63` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-119c2c9b63 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Looks good in my local tests. 👍
FEDORA-2021-119c2c9b63 has been pushed to the Fedora 34 stable repository. If the problem still persists, please make note of it in this bug report.