On Fedora CoreOS stable (Fedora 38), x86_64 (38.20230609.3.0):

After making a file tree of an OS filesystem with mkosi, I try to use `machinectl import-fs` to copy the directory tree to /var/lib/machines for usage with systemd-nspawn, but because CoreOS uses SELinux in enforcing mode, it breaks import-fs in a non-obvious way.

The command stalls at the copy operation, without any explanation or obvious error. (machinectl calls systemd-import-fs which then spawns systemd-importd which gets denied by SELinux)

As a workaround, simply copying the files with `cp -a` to /var/lib/machines succeeds.

Reproducible: Always

Steps to Reproduce:

```
# on coreos you have to layer in mkosi and apt
rpm-ostree install --assumeyes --idempotent --allow-inactive mkosi apt

# make dirs for mkosi
mkdir -p /etc/mkosi/debian-bookworm /var/lib/mkosi /var/cache/mkosi

# write a simple config for debian bookworm creation
printf "[Distribution]\nDistribution=debian\nRelease=bookworm\n[Output]\nFormat=directory\n[Packages]\n[Host]\n[Validation]" > /etc/mkosi/debian-bookworm/mkosi.conf

# call mkosi to make the file tree
mkosi -C /etc/mkosi/debian-bookworm -O /var/lib/mkosi --cache=/var/cache/mkosi build
mv /var/lib/mkosi/debian~bookworm /var/lib/mkosi/debian-bookworm
# works up to here

# fails: import filetree to nspawn /var/lib/machines
machinectl import-fs /var/lib/mkosi/debian-bookworm hello-nspawn
```

Actual Results:

The command does not finish, and hangs.

SELinux audit log entries:

```
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1130 audit(1687265080.304:465): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[5023]: AVC avc: denied { execute } for pid=5023 comm="(sd-transfer)" name="systemd-import-fs" dev="dm-0" ino=14841116 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8 a1=7ffd102d2350 a2=5639dd7a91f0 a3=7ff68bdf8810 items=0 ppid=5022 pid=5023 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd" subj=system_u:system_r:systemd_importd_t:s0 key=(null)
audit: PROCTITLE proctitle="(sd-transfer)"
(sd-transfer)[5023]: Failed to execute /usr/lib/systemd/systemd-import-fs tool: Permission denied
```

Expected Results:

The command finishes, and has copied the files from /var/lib/mkosi/debian-bookworm to /var/lib/machines/hello-nspawn.

Related binaries SELinux information:

```
-rwxr-xr-x. 4 root root system_u:object_r:systemd_importd_exec_t:s0 49824 Jan 1 1970 /usr/lib/systemd/systemd-importd
-rwxr-xr-x. 4 root root system_u:object_r:init_exec_t:s0 33128 Jan 1 1970 /usr/lib/systemd/systemd-import-fs
```

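The following is an added example, not part of the original report or of systemd: a small Python parser that pairs each AVC denial in an audit log with the failed syscall of the same pid, which is how a silent hang like this one can be traced to a type mismatch. The sample input is the AVC and SYSCALL records from the log above; the function names are hypothetical.

```python
import errno
import re

# Constructed sample: the AVC and SYSCALL records copied from the report's audit log.
SAMPLE = """\
audit[5023]: AVC avc: denied { execute } for pid=5023 comm="(sd-transfer)" name="systemd-import-fs" dev="dm-0" ino=14841116 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8 a1=7ffd102d2350 a2=5639dd7a91f0 a3=7ff68bdf8810 items=0 ppid=5022 pid=5023 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd" subj=system_u:system_r:systemd_importd_t:s0 key=(null)
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(text):
    """Split key=value audit fields, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_denials(log):
    """Return one dict per AVC denial, joined with the SYSCALL record of the same pid."""
    denials, syscalls = [], {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = fields(m.group('rest'))
            d['perms'] = m.group('perms').split()
            # Contexts are user:role:type:level; the type pair decides the access.
            d['source_type'] = d['scontext'].split(':')[2]
            d['target_type'] = d['tcontext'].split(':')[2]
            d['enforced'] = d.get('permissive') == '0'
            denials.append(d)
        elif ' SYSCALL ' in line:
            s = fields(line)
            syscalls[s['pid']] = s
    for d in denials:
        s = syscalls.get(d['pid'], {})
        d['syscall'] = s.get('syscall')  # 59 is execve when arch=c000003e (x86_64)
        d['exit'] = int(s['exit']) if 'exit' in s else None
        d['errno'] = errno.errorcode.get(-d['exit']) if d['exit'] else None
    return denials


def summarize(d):
    return (f"{d['source_type']} denied {{ {' '.join(d['perms'])} }} on {d['tclass']} "
            f"{d['name']} ({d['target_type']}), exit={d['exit']} ({d['errno']})")


if __name__ == '__main__':
    for denial in parse_denials(SAMPLE):
        print(summarize(denial))
```
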
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.