With systemd-254-1.fc39.x86_64 and selinux-policy-38.24-1.fc39.noarch the systemd-network-generator.service fails to start because of a denial: ``` Aug 8 20:58:06.081554 systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line... Aug 8 20:58:06.081565 kernel: audit: type=1400 audit(1691528286.055:4): avc: denied { create } for pid=1261 comm="systemd-network" name=".#networkf2c8a3f9bd4c10fb" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0 Aug 8 20:58:06.081575 systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f). Aug 8 20:58:06.081599 systemd-journald[1259]: Collecting audit messages is disabled. Aug 8 20:58:06.081619 systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems... Aug 8 20:58:06.081629 systemd-journald[1259]: Journal started Aug 8 20:58:06.088731 systemd-journald[1259]: Runtime Journal (/run/log/journal/32079e7261794fdd93a0114d3d1a4a87) is 2.3M, max 18.9M, 16.5M free. Aug 8 20:58:06.088791 systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices... Aug 8 20:58:05.843566 systemd[1]: Queued start job for default target multi-user.target. Aug 8 20:58:05.845859 systemd[1]: systemd-journald.service: Deactivated successfully. Aug 8 20:58:06.061723 systemd-network-generator[1261]: Failed to create temporary unit file in '/run/systemd/network': Permission denied Aug 8 20:58:06.065087 systemd-modules-load[1260]: Module 'msr' is built in Aug 8 20:58:06.091836 systemd[1]: Started systemd-journald.service - Journal Service. Aug 8 20:58:06.095439 systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System. Aug 8 20:58:06.096936 systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System. Aug 8 20:58:06.097755 systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System. Aug 8 20:58:06.098707 systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System. Aug 8 20:58:06.099412 systemd[1]: Mounted tmp.mount - Temporary Directory /tmp. Aug 8 20:58:06.101926 systemd[1]: Finished coreos-printk-quiet.service - CoreOS: Set printk To Level 4 (warn). Aug 8 20:58:06.104815 systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes. Aug 8 20:58:06.108857 systemd[1]: Finished lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling. Aug 8 20:58:06.110102 systemd[1]: modprobe: Deactivated successfully. Aug 8 20:58:06.111828 systemd[1]: Finished modprobe - Load Kernel Module configfs. Aug 8 20:58:06.112876 systemd[1]: modprobe: Deactivated successfully. Aug 8 20:58:06.113811 systemd[1]: Finished modprobe - Load Kernel Module drm. Aug 8 20:58:06.114672 systemd[1]: modprobe: Deactivated successfully. Aug 8 20:58:06.115801 systemd[1]: Finished modprobe - Load Kernel Module efi_pstore. Aug 8 20:58:06.116828 systemd[1]: modprobe: Deactivated successfully. Aug 8 20:58:06.117784 systemd[1]: Finished modprobe - Load Kernel Module fuse. Aug 8 20:58:06.119796 systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules. Aug 8 20:58:06.121082 systemd[1]: systemd-network-generator.service: Main process exited, code=exited, status=1/FAILURE Aug 8 20:58:06.121187 systemd[1]: systemd-network-generator.service: Failed with result 'exit-code'. Aug 8 20:58:06.122841 systemd[1]: Failed to start systemd-network-generator.service - Generate network units from Kernel command line. ``` Reproducible: Always Steps to Reproduce: 1. Boot with nameserver=8.8.8.8 kernel argument, which activates systemd-network-generator.service Actual Results: SELinux denial and failed service.
Here are the logs when `enforcing=0` is set: ``` Aug 09 03:08:26 localhost systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line... Aug 09 03:08:26 localhost systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f). Aug 09 03:08:26 localhost systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems... Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:3): avc: denied { create } for pid=1407 comm="systemd-network" name=".#networkd5359e0a3f14b5fc" scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:4): avc: denied { read write open } for pid=1407 comm="systemd-network" path="/run/systemd/.#networkd5359e0a3f14b5fc" dev="tmpfs" ino=923 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:5): avc: denied { setattr } for pid=1407 comm="systemd-network" name=".#networkd5359e0a3f14b5fc" dev="tmpfs" ino=923 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:6): avc: denied { getattr } for pid=1407 comm="systemd-network" path="/run/systemd/.#networkd5359e0a3f14b5fc" dev="tmpfs" ino=923 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 Aug 09 03:08:26 localhost kernel: audit: type=1400 audit(1691550506.685:7): avc: denied { rename } for pid=1407 comm="systemd-network" name=".#networkd5359e0a3f14b5fc" dev="tmpfs" ino=923 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 Aug 09 03:08:26 localhost systemd-journald[1405]: Collecting audit messages is disabled. Aug 09 03:08:26 localhost systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices... Aug 09 03:08:26 localhost systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System. Aug 09 03:08:26 localhost systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System. Aug 09 03:08:26 localhost systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System. Aug 09 03:08:26 localhost systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System. Aug 09 03:08:26 localhost systemd-journald[1405]: Journal started Aug 09 03:08:26 localhost systemd-journald[1405]: Runtime Journal (/run/log/journal/a624e2326a624b8096a49b1024083a65) is 2.3M, max 18.8M, 16.5M free. Aug 09 03:08:26 localhost systemd[1]: Queued start job for default target multi-user.target. Aug 09 03:08:26 localhost systemd[1]: Unnecessary job was removed for dev-virtio\\x2dports-mantlejournal.device. Aug 09 03:08:26 localhost systemd[1]: systemd-journald.service: Deactivated successfully. Aug 09 03:08:26 localhost systemd-modules-load[1406]: Module 'msr' is built in Aug 09 03:08:26 localhost systemd[1]: Started systemd-journald.service - Journal Service. Aug 09 03:08:26 localhost systemd[1]: Mounted tmp.mount - Temporary Directory /tmp. Aug 09 03:08:26 localhost systemd[1]: Finished coreos-printk-quiet.service - CoreOS: Set printk To Level 4 (warn). Aug 09 03:08:26 localhost systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes. Aug 09 03:08:26 localhost systemd[1]: Finished lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling. Aug 09 03:08:26 localhost systemd[1]: modprobe: Deactivated successfully. Aug 09 03:08:26 localhost systemd[1]: Finished modprobe - Load Kernel Module configfs. Aug 09 03:08:26 localhost systemd[1]: modprobe: Deactivated successfully. Aug 09 03:08:26 localhost systemd[1]: Finished modprobe - Load Kernel Module drm. Aug 09 03:08:26 localhost systemd[1]: modprobe: Deactivated successfully. Aug 09 03:08:26 localhost systemd[1]: Finished modprobe - Load Kernel Module efi_pstore. Aug 09 03:08:26 localhost systemd[1]: modprobe: Deactivated successfully. Aug 09 03:08:26 localhost systemd[1]: Finished modprobe - Load Kernel Module fuse. Aug 09 03:08:26 localhost systemd[1]: Finished systemd-modules-load.service - Load Kernel Modules. Aug 09 03:08:26 localhost systemd[1]: Finished systemd-network-generator.service - Generate network units from Kernel command line. ```
cc @zbyszek
SELinux denial caught in enforcing mode: ---- type=PROCTITLE msg=audit(08/09/2023 03:02:23.438:115) : proctitle=/usr/lib/systemd/systemd-network-generator type=PATH msg=audit(08/09/2023 03:02:23.438:115) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/09/2023 03:02:23.438:115) : cwd=/ type=SYSCALL msg=audit(08/09/2023 03:02:23.438:115) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x56136b2b2ca0 a2=O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC a3=0x180 items=1 ppid=1 pid=860 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null) type=AVC msg=audit(08/09/2023 03:02:23.438:115) : avc: denied { create } for pid=860 comm=systemd-network name=.#network3c9a49d41d41a1c0 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0 ---- # rpm -qa selinux\* systemd\* | sort selinux-policy-38.22-1.fc39.noarch selinux-policy-targeted-38.22-1.fc39.noarch systemd-254-1.fc39.x86_64 systemd-libs-254-1.fc39.x86_64 systemd-networkd-254-1.fc39.x86_64 systemd-pam-254-1.fc39.x86_64 systemd-resolved-254-1.fc39.x86_64 systemd-udev-254-1.fc39.x86_64 #
SELinux denials caught in permissive mode: ---- type=PROCTITLE msg=audit(08/09/2023 03:04:03.671:119) : proctitle=/usr/lib/systemd/systemd-network-generator type=PATH msg=audit(08/09/2023 03:04:03.671:119) : item=1 name=/run/systemd/.#network9498d551e123e9f4 inode=1144 dev=00:19 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/09/2023 03:04:03.671:119) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/09/2023 03:04:03.671:119) : cwd=/ type=SYSCALL msg=audit(08/09/2023 03:04:03.671:119) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x559b2aa89ca0 a2=O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC a3=0x180 items=2 ppid=1 pid=889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null) type=AVC msg=audit(08/09/2023 03:04:03.671:119) : avc: denied { read write open } for pid=889 comm=systemd-network path=/run/systemd/.#network9498d551e123e9f4 dev="tmpfs" ino=1144 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(08/09/2023 03:04:03.671:119) : avc: denied { create } for pid=889 comm=systemd-network name=.#network9498d551e123e9f4 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(08/09/2023 03:04:03.672:120) : proctitle=/usr/lib/systemd/systemd-network-generator type=PATH msg=audit(08/09/2023 03:04:03.672:120) : item=0 name=(null) inode=1144 dev=00:19 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/09/2023 03:04:03.672:120) : cwd=/ type=SYSCALL msg=audit(08/09/2023 03:04:03.672:120) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x4 a1=0644 a2=0xfbada484 a3=0x180 items=1 ppid=1 pid=889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null) type=AVC msg=audit(08/09/2023 03:04:03.672:120) : avc: denied { setattr } for pid=889 comm=systemd-network name=.#network9498d551e123e9f4 dev="tmpfs" ino=1144 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(08/09/2023 03:04:03.672:121) : proctitle=/usr/lib/systemd/systemd-network-generator type=PATH msg=audit(08/09/2023 03:04:03.672:121) : item=0 name= inode=1144 dev=00:19 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/09/2023 03:04:03.672:121) : cwd=/ type=SYSCALL msg=audit(08/09/2023 03:04:03.672:121) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x4 a1=0x7fc5757a0bce a2=0x7ffc33919c90 a3=0x1000 items=1 ppid=1 pid=889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null) type=AVC msg=audit(08/09/2023 03:04:03.672:121) : avc: denied { getattr } for pid=889 comm=systemd-network path=/run/systemd/.#network9498d551e123e9f4 dev="tmpfs" ino=1144 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(08/09/2023 03:04:03.672:122) : proctitle=/usr/lib/systemd/systemd-network-generator type=PATH msg=audit(08/09/2023 03:04:03.672:122) : item=3 name=/run/systemd/network/91-default.network inode=1144 dev=00:19 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/09/2023 03:04:03.672:122) : item=2 name=/run/systemd/.#network9498d551e123e9f4 inode=1144 dev=00:19 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/09/2023 03:04:03.672:122) : item=1 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(08/09/2023 03:04:03.672:122) : item=0 name=/run/systemd/network/ inode=496 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(08/09/2023 03:04:03.672:122) : cwd=/ type=SYSCALL msg=audit(08/09/2023 03:04:03.672:122) : arch=x86_64 syscall=renameat success=yes exit=0 a0=AT_FDCWD a1=0x559b2aa89ca0 a2=AT_FDCWD a3=0x559b2aa8b010 items=4 ppid=1 pid=889 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-network-generator subj=system_u:system_r:systemd_network_generator_t:s0 key=(null) type=AVC msg=audit(08/09/2023 03:04:03.672:122) : avc: denied { rename } for pid=889 comm=systemd-network name=.#network9498d551e123e9f4 dev="tmpfs" ino=1144 scontext=system_u:system_r:systemd_network_generator_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 ---- # ls -RlZ /run/systemd/network/ /run/systemd/network/: total 4 -rw-r--r--. 1 root root system_u:object_r:init_var_run_t:s0 110 Aug 9 03:04 91-default.network #
One more thing: # restorecon -Rv /run/systemd/ Relabeled /run/systemd/network/91-default.network from system_u:object_r:init_var_run_t:s0 to system_u:object_r:net_conf_t:s0 #
The policy contains the following file transition: f38# sesearch -T -s systemd_network_generator_t -t init_var_run_t type_transition systemd_network_generator_t init_var_run_t:dir net_conf_t network; but it supposedly does not apply since a file with an unpredictable name is used before renaming: type=PATH msg=audit(08/09/2023 03:04:03.671:119) : item=1 name=/run/systemd/.#network9498d551e123e9f4 inode=1144 dev=00:19 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.