Bug 2219398 - selinux denies machinectl import-fs executing systemd-importd
Summary: selinux denies machinectl import-fs executing systemd-importd
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-07-03 13:24 UTC by wuxxin
Modified: 2023-07-07 16:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description wuxxin 2023-07-03 13:24:09 UTC
On Fedora CoreOS stable (Fedora 38), x86_64 (38.20230609.3.0):

After making a file tree of an OS filesystem with mkosi,
I try to use `machinectl import-fs` to copy the directory tree to /var/lib/machines
for use with systemd-nspawn, but because CoreOS uses SELinux in enforcing mode,
it breaks import-fs in a non-obvious way.

The command stalls at the copy operation, without any explanation or obvious error.
(machinectl calls systemd-import-fs, which then spawns systemd-importd, which gets denied by SELinux.)

As a workaround, simply copying the files with `cp -a` to /var/lib/machines succeeds.


Reproducible: Always

Steps to Reproduce:
```shell
# on coreos you have to layer in mkosi and apt
rpm-ostree install --assumeyes --idempotent --allow-inactive mkosi apt

# make dirs for mkosi
mkdir -p /etc/mkosi/debian-bookworm /var/lib/mkosi /var/cache/mkosi

# write a simple config for debian bookworm creation
# (the report's original printf was missing the newline between [Output] and Format=directory)
printf "[Distribution]\nDistribution=debian\nRelease=bookworm\n[Output]\nFormat=directory\n[Packages]\n[Host]\n[Validation]\n" \
    > /etc/mkosi/debian-bookworm/mkosi.conf

# call mkosi to make the file tree
mkosi -C /etc/mkosi/debian-bookworm -O /var/lib/mkosi --cache=/var/cache/mkosi build
mv /var/lib/mkosi/debian~bookworm /var/lib/mkosi/debian-bookworm

# works up to here

# fails: import filetree to nspawn /var/lib/machines
machinectl import-fs /var/lib/mkosi/debian-bookworm hello-nspawn
```
Actual Results:
The command does not finish, and hangs.

selinux audit log entries:
```
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1130 audit(1687265080.304:465): pid=1 uid=0 auid=4294967295 ses=4294967295
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" 
    name="systemd-import-fs" dev="dm-0" ino=14841116 
    scontext=system_u:system_r:systemd_importd_t:s0 
    tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8
    a1=7ffd102d2350 a2=5639dd7a91f0 a3=7ff68bdf8810 items=0 ppid=5022 pid=5023
    auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
    tty=(none) ses=4294967295 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd"
    subj=system_u:system_r:systemd_importd_t:s0 key=(null)
audit: PROCTITLE proctitle="(sd-transfer)"
    (sd-transfer)[5023]: Failed to execute /usr/lib/systemd/systemd-import-fs 
    tool: Permission denied
```


Expected Results:
The command finishes and has copied the files from /var/lib/mkosi/debian-bookworm to /var/lib/machines/hello-nspawn.

SELinux information for the related binaries:
```
-rwxr-xr-x. 4 root root system_u:object_r:systemd_importd_exec_t:s0 49824 Jan  1  1970 /usr/lib/systemd/systemd-importd
-rwxr-xr-x. 4 root root system_u:object_r:init_exec_t:s0 33128 Jan  1  1970 /usr/lib/systemd/systemd-import-fs
```
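The AVC record in the audit excerpt above is the whole story of the hang: the `systemd_importd_t` domain is refused `execute` on a file labelled `init_exec_t`, and `permissive=0` means the denial was enforced rather than merely logged. As an added example (not part of this report or of the selinux-policy project), the following Python script parses AVC records from an audit excerpt like the one above, separates enforced denials from permissive-mode ones, and prints the allow rule that audit2allow would propose for each. The first sample record is the report's own AVC line joined back onto a single line; the SYSCALL line is also from the report (and is ignored by the parser); the third record is constructed to show a permissive-mode denial.

```python
"""Triage SELinux AVC denials from an audit log excerpt.

Added example, not part of the bug report. The first sample record below is the
report's own AVC line (joined onto one line); the third is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_AUDIT_LINES = [
    # From the report (wrapped lines joined):
    'audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" '
    'name="systemd-import-fs" dev="dm-0" ino=14841116 '
    'scontext=system_u:system_r:systemd_importd_t:s0 '
    'tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0',
    # From the report: a SYSCALL record, which carries no AVC decision and is skipped.
    'audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8',
    # Constructed: a permissive-mode denial (logged, but the operation went ahead).
    'audit[999]: AVC avc:  denied  { read open } for  pid=999 comm="example" '
    'name="foo.conf" dev="dm-0" ino=1 scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context: str) -> str:
    """Return the type component of a user:role:type[:range] SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a full SELinux context: {context!r}")
    return parts[2]


@dataclass(frozen=True)
class AvcRecord:
    result: str                 # "denied" or "granted"
    perms: Tuple[str, ...]      # permissions listed inside the braces
    pid: Optional[int]
    comm: str                   # process name as reported by the kernel
    name: str                   # target object name (file name here)
    scontext: str               # source (process) context
    tcontext: str               # target (object) context
    tclass: str                 # object class, e.g. "file"
    permissive: bool            # True when the denial was only logged, not enforced

    @property
    def scontext_type(self) -> str:
        return type_of(self.scontext)

    @property
    def tcontext_type(self) -> str:
        return type_of(self.tcontext)


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    pid = fields.get("pid")
    return AvcRecord(
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        pid=int(pid) if pid is not None and pid.isdigit() else None,
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive", "0") == "1",
    )


def parse_audit(lines) -> List[AvcRecord]:
    return [r for r in (parse_avc(line) for line in lines) if r is not None]


def enforced_denials(records) -> List[AvcRecord]:
    """Only the denials that actually blocked an operation (permissive=0)."""
    return [r for r in records if r.result == "denied" and not r.permissive]


def to_te_rule(rec: AvcRecord) -> str:
    """The allow rule audit2allow would propose for this record.

    Whether that rule is the right fix, rather than relabelling the target or
    adding a domain transition in the distribution policy, is a separate decision.
    """
    return f"allow {rec.scontext_type} {rec.tcontext_type}:{rec.tclass} {{ {' '.join(rec.perms)} }};"


def describe(rec: AvcRecord) -> str:
    state = "permissive (logged only)" if rec.permissive else "ENFORCED"
    return (f"pid={rec.pid} comm={rec.comm} name={rec.name}: "
            f"{rec.scontext_type} -> {rec.tcontext_type}:{rec.tclass} "
            f"{{ {' '.join(rec.perms)} }} [{state}]")


if __name__ == "__main__":
    for rec in parse_audit(SAMPLE_AUDIT_LINES):
        print(describe(rec))
        print("   ", to_te_rule(rec))
```

Run on the report's excerpt this flags exactly one enforced denial, pid 5023 (`(sd-transfer)`, the child systemd-importd forks to run the transfer tool), and proposes `allow systemd_importd_t init_exec_t:file { execute };`. The `permissive` flag matters for triage: a record with `permissive=1` explains nothing about a hang, because the operation was allowed to proceed.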

