Since making the kernel_t domain confined, files/directories can no longer be created in an overlay merged root that was mounted by the initramfs. Specifically, this commit introduced the behaviour:

https://github.com/fedora-selinux/selinux-policy/commit/1e8688ea694393c9d918939322b72dfb44a01792

Attempting to do one of { create, relabelto, relabelfrom } on files/directories in a merged overlay results in denial messages like the following (e.g. using /usr/bin/touch to create a file):

    avc: denied { create } for pid=.... comm="touch" name="testfile" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0

The output from audit2why for these denials is:

    Was caused by:
    #Constraint rule:
    # constrain dir {create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-)
    # Possible cause is the source user (system_u) and target user (unconfined_u) are different

When I add back the unconfined_domain_noaudit(kernel_t) optional policy the problem does not occur. Also, any overlay mounts created from the real root system do not exhibit this behaviour. For cases where the target file's user is also system_u, the issue does not occur.

For context, in the system where I encountered this problem I have custom dracut scripts that create copy-on-write overlays for read-only directories in the real root (i.e. the real root is a squashfs system). I can reproduce this on a regular Fedora 38 Workstation though. I suspect this issue stems from the switch-root happening between the initramfs and the real root, where systemd moves mounts over.

Reproducible: Always

Steps to Reproduce:
1. Include "overlay" module in initramfs
2. Boot with argument "rd.break=pre-pivot" to obtain shell in the initramfs before pivot-root occurs
3. Create overlay upper/work directories:
   mkdir /run/{fs,wk}
4. Mount an overlay over /sysroot/opt:
   mount -t overlay -o lowerdir=/sysroot/opt,upperdir=/run/fs,workdir=/run/wk TEST /sysroot/opt
5. Exit the shell to continue booting
6. Once logged in, attempt to create a file in /opt:
   touch /opt/testfile
7. Observe avc denial message in journal/audit.log

Actual Results: SELinux denies creation of the file

Expected Results: File is created
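The denial above is not a missing allow rule but a failed constraint, which is why audit2why points at the (u1 == u2 or t1 == can_change_object_identity) expression rather than at a type-enforcement rule. The following script, an added example that is not part of the bug report or of the selinux-policy project, parses AVC records like the one quoted and evaluates that constraint the way audit2why does, so that denials whose real cause is a user-identity mismatch (the kernel_t process runs as system_u while the overlay's files are owned by unconfined_u) can be told apart from ordinary type-enforcement denials. The set of object classes the constraint covers (FILE_CLASSES) and the domain-to-attribute table (DOMAIN_ATTRS) are stand-ins for what the installed policy actually contains and would be looked up with seinfo/sesearch in practice; the sample log lines other than the one from the report are constructed.

```python
"""Explain AVC denials against the SELinux file-identity constraint.

Added example, not code from the bug report or from selinux-policy.
It evaluates the constraint that audit2why names in the report:

    constrain <file classes> { create relabelfrom relabelto }
        ( u1 == u2 or t1 == can_change_object_identity );

ASSUMPTIONS: FILE_CLASSES and DOMAIN_ATTRS are hypothetical stand-ins
for the installed policy; query seinfo/sesearch for the real values.
"""
import re

# Permissions the constraint applies to (from the audit2why output).
CONSTRAINED_PERMS = {"create", "relabelfrom", "relabelto"}
# Assumed set of file-like object classes covered by the constraint.
FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file",
                "fifo_file", "chr_file", "blk_file"}
# Assumed domain -> attribute membership. kernel_t is confined here,
# matching the situation the report describes.
DOMAIN_ATTRS = {
    "kernel_t": set(),
    "unconfined_t": {"can_change_object_identity"},
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# The denial quoted in the report.
SAMPLE_DENIAL = ('avc: denied { create } for pid=.... comm="touch" name="testfile" '
                 'scontext=system_u:system_r:kernel_t:s0 '
                 'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0')
# Constructed: same operation, but the target file is owned by system_u.
SAMPLE_SAME_USER = ('avc: denied { create } for pid=1234 comm="touch" name="testfile" '
                    'scontext=system_u:system_r:kernel_t:s0 '
                    'tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0')
# Constructed: a permission the constraint does not cover at all.
SAMPLE_WRITE = ('avc: denied { write } for pid=1234 comm="touch" name="testfile" '
                'scontext=system_u:system_r:kernel_t:s0 '
                'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0')


def parse_avc(line):
    """Return the fields the constraint needs, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    suser, _srole, stype = m.group("scontext").split(":")[:3]
    tuser, _trole, ttype = m.group("tcontext").split(":")[:3]
    return {
        "perms": set(m.group("perms").split()),
        "suser": suser, "stype": stype,
        "tuser": tuser, "ttype": ttype,
        "tclass": m.group("tclass"),
    }


def constraint_applies(rec):
    """True if the denied class/permission pair is governed by the constraint."""
    return rec["tclass"] in FILE_CLASSES and bool(rec["perms"] & CONSTRAINED_PERMS)


def constraint_passes(rec, domain_attrs=DOMAIN_ATTRS):
    """Evaluate ( u1 == u2 or t1 == can_change_object_identity )."""
    same_user = rec["suser"] == rec["tuser"]
    can_change = "can_change_object_identity" in domain_attrs.get(rec["stype"], set())
    return same_user or can_change


def explain(line, domain_attrs=DOMAIN_ATTRS):
    """Classify one audit line the way audit2why's constraint analysis would."""
    rec = parse_avc(line)
    if rec is None:
        return "not an AVC denial"
    if not constraint_applies(rec):
        return "denial not covered by the file-identity constraint (check allow rules)"
    if constraint_passes(rec, domain_attrs):
        return "constraint satisfied; cause lies elsewhere (type enforcement, MLS)"
    return (f"constraint violation: source user {rec['suser']} != target user "
            f"{rec['tuser']} and {rec['stype']} lacks can_change_object_identity")


def scan(lines, domain_attrs=DOMAIN_ATTRS):
    """Explain every line; returns a list of (line, explanation) pairs."""
    return [(ln, explain(ln, domain_attrs)) for ln in lines]


if __name__ == "__main__":
    for line, why in scan([SAMPLE_DENIAL, SAMPLE_SAME_USER, SAMPLE_WRITE]):
        print(f"{line[:60]}...\n  -> {why}")
```

Feeding the script real records (for example the output of ausearch -m AVC) separates the two ways such a denial can be fixed: either the process domain gains can_change_object_identity, or the objects it touches carry the same SELinux user as the process, which is exactly why the report observes no denial when the target file's user is also system_u.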
Ondrej, can you please look at it?
This should fix it: https://github.com/fedora-selinux/selinux-policy/pull/1773
I patched that change into a local policy, and it looks like it fixed the problem; thanks for that!
FEDORA-2023-2663818afd has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd
FEDORA-2023-2663818afd has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-2663818afd` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-2663818afd has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.