Bug 2290887 - systemd-machined fails because SELinux blocks it binding to a socket
Summary: systemd-machined fails because SELinux blocks it binding to a socket
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks:
 
Reported: 2024-06-07 15:24 UTC by Adam Williamson
Modified: 2024-06-20 18:36 UTC
CC List: 9 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-06-20 18:36:23 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 2161 0 None open Allow systemd-machined manage runtime sockets 2024-06-10 07:14:24 UTC
Red Hat Bugzilla 2279923 0 medium CLOSED selinux denials for systemd 256: denied { create } for pid=773 comm="systemd-machine" name="machine" scontext=system_u... 2024-06-07 15:27:11 UTC

Description Adam Williamson 2024-06-07 15:24:59 UTC
With systemd-256~rc4-1.fc41, systemd-machined.service fails due to an SELinux denial:

Jun 07 05:00:06 fedora audit[725]: AVC avc:  denied  { create } for  pid=725 comm="systemd-machine" name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=sock_file permissive=0
Jun 07 05:00:06 fedora audit[725]: SYSCALL arch=c000003e syscall=49 success=no exit=-13 a0=b a1=7ffe9a1de5c0 a2=2a a3=0 items=0 ppid=1 pid=725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-machine" exe="/usr/lib/systemd/systemd-machined" subj=system_u:system_r:systemd_machined_t:s0 key=(null)
Jun 07 05:00:06 fedora audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-machined"
Jun 07 05:00:06 fedora systemd-machined[725]: Failed to bind to varlink socket: Permission denied
Jun 07 05:00:06 fedora systemd-machined[725]: Failed to fully start up daemon: Permission denied
Jun 07 05:00:06 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-machined comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jun 07 05:00:06 fedora systemd[1]: systemd-machined.service: Main process exited, code=exited, status=1/FAILURE
Jun 07 05:00:06 fedora systemd[1]: systemd-machined.service: Failed with result 'exit-code'.
Jun 07 05:00:06 fedora systemd[1]: Failed to start systemd-machined.service - Virtual Machine and Container Registration Service.

This caused the update to fail tests, so it's currently gated. https://bodhi.fedoraproject.org/updates/FEDORA-2024-b745d81444
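The AVC record quoted above carries everything a policy maintainer needs to see what the policy lacks: the source type (systemd_machined_t), the target type (systemd_machined_var_run_t), the object class (sock_file) and the denied permission set ({ create }), plus permissive=0 showing the denial was enforced and hence why the varlink bind failed. The Python parser below is an added example, not code from this report or from the selinux-policy project; it reads those fields out of AVC lines and renders the allow rule each denial implies, the same derivation audit2allow automates. Its input is the AVC line from the description plus two constructed lines (a non-AVC log line that must be skipped and a synthetic permissive-mode record with two permissions). The single-permission rule it derives only illustrates the gap; the actual fix referenced above (PR 2161, "Allow systemd-machined manage runtime sockets") grants the broader manage set on the runtime socket type.

```python
"""Parse SELinux AVC denial records and derive the allow rule each one implies.

Added example for this report; not part of Bugzilla, systemd or selinux-policy.
SAMPLE_AUDIT_LINES is constructed: line 0 is the AVC from the bug description,
line 1 is a non-AVC journal line, line 2 is a synthetic permissive-mode record.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_AUDIT_LINES = [
    'Jun 07 05:00:06 fedora audit[725]: AVC avc:  denied  { create } for  pid=725 '
    'comm="systemd-machine" name="io.systemd.Machine" '
    'scontext=system_u:system_r:systemd_machined_t:s0 '
    'tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=sock_file permissive=0',
    # Constructed: ordinary daemon output, must be ignored by the parser
    'Jun 07 05:00:06 fedora systemd-machined[725]: Failed to bind to varlink socket: Permission denied',
    # Constructed: permissive-mode record with two permissions in one denial
    'Jun 07 05:00:07 fedora audit[725]: AVC avc:  denied  { write unlink } for  pid=725 '
    'comm="systemd-machine" name="io.systemd.Machine" '
    'scontext=system_u:system_r:systemd_machined_t:s0 '
    'tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=sock_file permissive=1',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple[str, ...]
    source_type: str
    target_type: str
    tclass: str
    comm: str
    pid: int
    permissive: bool


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> AvcDenial | None:
    """Parse one audit/journal line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return AvcDenial(
        perms=tuple(m.group('perms').split()),
        source_type=type_of(fields['scontext']),
        target_type=type_of(fields['tcontext']),
        tclass=fields['tclass'],
        comm=fields.get('comm', '?'),
        pid=int(fields.get('pid', 0)),
        permissive=fields.get('permissive') == '1',
    )


def to_allow_rule(d: AvcDenial) -> str:
    """Render the type-enforcement allow rule that would permit exactly this denial."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(sorted(d.perms))} }};"


def summarize(lines) -> dict[str, tuple[int, bool]]:
    """Group denials by implied rule: {rule: (count, seen_in_enforcing_mode)}."""
    counts: Counter[str] = Counter()
    enforced: dict[str, bool] = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        rule = to_allow_rule(d)
        counts[rule] += 1
        enforced[rule] = enforced.get(rule, False) or not d.permissive
    return {rule: (counts[rule], enforced[rule]) for rule in counts}


if __name__ == '__main__':
    for rule, (n, blocked) in summarize(SAMPLE_AUDIT_LINES).items():
        print(f"{n}x {'ENFORCED' if blocked else 'permissive'}  {rule}")
```

Running it prints one line per distinct rule; for the record from this report that is `allow systemd_machined_t systemd_machined_var_run_t:sock_file { create };` flagged ENFORCED, which is exactly the access the shipped policy was missing for the varlink socket.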

Comment 1 Zbigniew Jędrzejewski-Szmek 2024-06-07 15:27:11 UTC
It's probably the same as https://bugzilla.redhat.com/show_bug.cgi?id=2279923. It seems that the policy update was not successful.

I started a build with systemd with the previous work-around patch restored.

Comment 2 Zdenek Pytela 2024-06-10 07:14:25 UTC
Well, it is a dup, but the fix was not accurate.
Unfortunately, we do not actually test machined features much.

Comment 3 Adam Williamson 2024-06-10 14:56:56 UTC
I can easily run the openQA tests on a scratch build any time if you ask me, Zdenek.

Comment 4 Zdenek Pytela 2024-06-11 15:43:16 UTC
(In reply to Adam Williamson from comment #3)
> I can easily run the openQA tests on a scratch build any time if you ask me,
> Zdenek.

Thanks for the offer. I think I already asked once when there was a complex change to make. There are a lot of changes happening right now and more planned, especially in packaging, so I'll do that again.

The problem is that when I know the change is intrusive or with big impact, I can do extended tests on my own, too, but this case was rather a mistake. Not testing some systemd services enough is just a different problem; we have tests at 2 places in the pipeline already.

