Bug 2219398 - selinux denies machinectl import-fs executing systemd-importd
Summary: selinux denies machinectl import-fs executing systemd-importd
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-07-03 13:24 UTC by wuxxin
Modified: 2024-05-28 13:19 UTC
CC: 8 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-05-28 13:19:15 UTC
Type: ---
Embargoed:



Description wuxxin 2023-07-03 13:24:09 UTC
On Fedora CoreOS stable (Fedora 38), x86_64 (38.20230609.3.0):

After making a file tree of an OS filesystem with mkosi,
I try to use `machinectl import-fs` to copy the directory tree to /var/lib/machines
for use with systemd-nspawn, but because CoreOS uses SELinux in enforcing mode,
it breaks import-fs in a non-obvious way.

The command stalls at the copy operation, without any explanation or obvious error.
(machinectl calls systemd-import-fs, which then spawns systemd-importd, which gets denied by SELinux.)

As a workaround, simply copying the files with `cp -a` to /var/lib/machines succeeds.


Reproducible: Always

Steps to Reproduce:
```
# on coreos you have to layer in mkosi and apt
rpm-ostree install --assumeyes --idempotent --allow-inactive mkosi apt

# make dirs for mkosi
mkdir -p /etc/mkosi/debian-bookworm /var/lib/mkosi /var/cache/mkosi

# write a simple config for debian bookworm creation (one section or key per line)
printf "[Distribution]\nDistribution=debian\nRelease=bookworm\n[Output]\nFormat=directory\n[Packages]\n[Host]\n[Validation]\n" > /etc/mkosi/debian-bookworm/mkosi.conf

# call mkosi to make the file tree
mkosi -C /etc/mkosi/debian-bookworm -O /var/lib/mkosi --cache=/var/cache/mkosi build
mv /var/lib/mkosi/debian~bookworm /var/lib/mkosi/debian-bookworm

# works up to here

# fails: import filetree to nspawn /var/lib/machines
machinectl import-fs /var/lib/mkosi/debian-bookworm hello-nspawn
```

Actual Results:
The command does not finish and hangs.

selinux audit log entries:
```
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1130 audit(1687265080.304:465): pid=1 uid=0 auid=4294967295 ses=4294967295
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" 
    name="systemd-import-fs" dev="dm-0" ino=14841116 
    scontext=system_u:system_r:systemd_importd_t:s0 
    tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8
    a1=7ffd102d2350 a2=5639dd7a91f0 a3=7ff68bdf8810 items=0 ppid=5022 pid=5023
    auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
    tty=(none) ses=4294967295 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd"
    subj=system_u:system_r:systemd_importd_t:s0 key=(null)
audit: PROCTITLE proctitle="(sd-transfer)"
    (sd-transfer)[5023]: Failed to execute /usr/lib/systemd/systemd-import-fs 
    tool: Permission denied
```


Expected Results:
The command finishes and has copied the files from /var/lib/mkosi/debian-bookworm to /var/lib/machines/hello-nspawn.

SELinux information for the related binaries:
```
-rwxr-xr-x. 4 root root system_u:object_r:systemd_importd_exec_t:s0 49824
     Jan  1  1970 /usr/lib/systemd/systemd-importd
-rwxr-xr-x. 4 root root system_u:object_r:init_exec_t:s0 33128 Jan  1  1970
    /usr/lib/systemd/systemd-import-fs
```
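
Triage aid for the denial shown above, added here as an example and not part of the original report: a small Python parser that reads journald-style AVC and SYSCALL audit records, pairs them by pid, and reports the source domain, the target type, the object class, the refused permissions, whether the denial was enforced (`permissive=0`), and the rule `audit2allow` would propose for inspection. The sample embedded in the block is an abridged copy of the two records from this report; pairing records by pid rather than by audit serial number is an assumption of this example, and the field names are the kernel's standard audit keys.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the AVC and SYSCALL records from this report as journald
# prints them, one record per line (wrapped lines joined, a0..a3 omitted).
SAMPLE_AUDIT = """\
audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" name="systemd-import-fs" dev="dm-0" ino=14841116 scontext=system_u:system_r:systemd_importd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 ppid=5022 pid=5023 uid=0 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd" subj=system_u:system_r:systemd_importd_t:s0 key=(null)
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# decision and permission set of an AVC record, e.g. 'denied  { execute } for ...'
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')


@dataclass
class AvcRecord:
    pid: int
    comm: str
    decision: str            # "denied" or "granted"
    perms: List[str]         # permissions listed inside the braces
    scontext: str            # source (process) security context
    tcontext: str            # target (object) security context
    tclass: str              # object class, e.g. "file"
    permissive: bool         # True if the domain was permissive (not blocked)
    name: Optional[str] = None
    exe: Optional[str] = None  # filled from the SYSCALL record with the same pid

    @property
    def source_type(self) -> str:
        # contexts are user:role:type:level; the type is the third field
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def enforced(self) -> bool:
        # permissive=0 means the kernel actually refused the operation
        return self.decision == "denied" and not self.permissive

    def candidate_rule(self) -> str:
        # the allow rule audit2allow would print; for review, not an automatic fix
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"

    def summary(self) -> str:
        who = f"{self.source_type} (comm={self.comm}"
        if self.exe:
            who += f", exe={self.exe}"
        who += ")"
        target = f"{self.tclass} labelled {self.target_type}"
        if self.name:
            target = f"{self.tclass} '{self.name}' labelled {self.target_type}"
        mode = "enforced" if self.enforced() else "not enforced"
        return f"{mode}: {who} {self.decision} {{ {' '.join(self.perms)} }} on {target}"


def _fields(text: str) -> Dict[str, str]:
    """Split an audit record body into a key -> value dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text: str) -> List[AvcRecord]:
    """Parse AVC records from audit text and attach the exe from matching SYSCALL records."""
    records: List[AvcRecord] = []
    syscall_exe: Dict[int, str] = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            f = _fields(m.group(3))
            records.append(AvcRecord(
                pid=int(f["pid"]), comm=f["comm"], decision=m.group(1),
                perms=m.group(2).split(), scontext=f["scontext"],
                tcontext=f["tcontext"], tclass=f["tclass"],
                permissive=f.get("permissive") == "1", name=f.get("name")))
        elif "SYSCALL" in line or "type=1300" in line:
            f = _fields(line)
            if "pid" in f and "exe" in f:
                syscall_exe[int(f["pid"])] = f["exe"]
    # correlate by pid (assumption of this example; ausearch correlates by serial)
    for rec in records:
        rec.exe = syscall_exe.get(rec.pid)
    return records


if __name__ == "__main__":
    for rec in parse_audit(SAMPLE_AUDIT):
        print(rec.summary())
        print("  candidate rule (for review):", rec.candidate_rule())
```

Run on the report's records, it prints that the `systemd_importd_t` domain (exe `/usr/lib/systemd/systemd-importd`, comm `(sd-transfer)`) was refused `execute` on the file `systemd-import-fs` labelled `init_exec_t`, which matches the `ls -Z` output above. Whether the correct fix is the proposed allow rule or a different label for the helper binary is a decision for the policy maintainer; the candidate rule is there to be read alongside the denial, not applied blindly.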

Comment 3 Aoife Moloney 2024-05-28 13:19:15 UTC
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.
