RHEL-49567: SELinux prevents systemd-machined from creating /run/systemd/machine/io.systemd.Machine directory and socket

    • selinux-policy-40.13.7-1.el10
    • Critical
    • Regression
    • sst_security_selinux
    • ssg_security
    • QE ack
    • The reproducer does not trigger any SELinux denials in default configuration. The reproducer works as expected in enforcing mode.
    • Pass
    • Automated

      What were you trying to do that didn't work?

      Latest CentOS 10 stream breaks systemd nspawn, as e.g. in this cockpit-podman run

      Please provide the package NVR for which bug is seen:

      selinux-policy-40.13.5-1.el10.noarch
      systemd-container-256-4.el10.x86_64

      How reproducible:

      Always

      Steps to reproduce

      machinectl

      My real failure was an nspawn command, but it fails due to

      # SYSTEMD_SECCOMP=0 systemd-nspawn -D /var/tmp/tasks/ --ephemeral --user user /bin/bash
      Spawning container tasks-4ba7915fdb9aa622 on /var/tmp/.#machine.tasks68bc8a0b1119a34a.
      Press Ctrl-] three times within 1s to kill container.
      Failed to register machine: Remote peer disconnected

      and that's just due to machined failing.

      Expected results

      systemd-machined.service starts and lists machines.

      Actual results

      × systemd-machined.service - Virtual Machine and Container Registration Service
           Loaded: loaded (/usr/lib/systemd/system/systemd-machined.service; static)
          Drop-In: /usr/lib/systemd/system/service.d
                   └─10-timeout-abort.conf
           Active: failed (Result: exit-code) since Thu 2024-07-18 00:38:57 EDT; 3min 56s ago
         Duration: 2ms
       Invocation: cad07013f1b64c2684f6fe60bac0a59b
             Docs: man:systemd-machined.service(8)
                   man:org.freedesktop.machine1(5)
          Process: 4031 ExecStart=/usr/lib/systemd/systemd-machined (code=exited, status=1/FAILURE)
         Main PID: 4031 (code=exited, status=1/FAILURE)
      
      Jul 18 00:38:57 centos-10-127-0-0-2-2201 systemd[1]: Starting systemd-machined.service - Virtual Machine and Container Registration Service...
      Jul 18 00:38:57 centos-10-127-0-0-2-2201 systemd-machined[4031]: Failed to bind to varlink socket: No such file or directory
      Jul 18 00:38:57 centos-10-127-0-0-2-2201 systemd-machined[4031]: Failed to fully start up daemon: No such file or directory
      Jul 18 00:38:57 centos-10-127-0-0-2-2201 systemd[1]: Started systemd-machined.service - Virtual Machine and Container Registration Service.
      Jul 18 00:38:57 centos-10-127-0-0-2-2201 systemd[1]: systemd-machined.service: Main process exited, code=exited, status=1/FAILURE
      Jul 18 00:38:57 centos-10-127-0-0-2-2201 systemd[1]: systemd-machined.service: Failed with result 'exit-code'.
      

      which is due to

      AVC avc:  denied  { create } for  pid=4031 comm="systemd-machine" name="machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
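The AVC line above is the whole diagnosis, so a triage step is to pull the source domain, target type, object class and permissions out of it and ask the installed policy whether that access is allowed. The following is an added example, not code from the bug report or from selinux-policy: a small parser for such denials that emits the matching sesearch query and, for comparison only, the audit2allow-style rule the denial implies. The second sample line is constructed (not from the page) for the socket step named in the issue title.

```python
import re

# Constructed sample input: the first line is the denial quoted in this bug
# report; the second is made up for the socket step named in the issue title,
# logged in permissive mode so the enforced/permissive handling is exercised.
SAMPLE_AVCS = [
    'AVC avc:  denied  { create } for  pid=4031 comm="systemd-machine" '
    'name="machine" scontext=system_u:system_r:systemd_machined_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0',
    'AVC avc:  denied  { create } for  pid=4031 comm="systemd-machine" '
    'name="io.systemd.Machine" scontext=system_u:system_r:systemd_machined_t:s0 '
    'tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        # contexts are user:role:type:level; policy rules are keyed on the type
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=0 means the kernel actually blocked the access
        'enforced': fields.get('permissive') == '0',
    }


def sesearch_cmd(rec):
    """setools query showing whether the loaded policy allows this access."""
    return (f"sesearch -A -s {rec['sdomain']} -t {rec['ttype']} "
            f"-c {rec['tclass']} -p {','.join(rec['perms'])}")


def allow_rule(rec):
    """audit2allow-style rule, for comparison only: a rule on a broad type such
    as init_var_run_t would cover every /run object carrying that label, so the
    durable fix is a correct label or transition for the path in the policy."""
    return f"allow {rec['sdomain']} {rec['ttype']}:{rec['tclass']} {{ {' '.join(rec['perms'])} }};"
```

Run it against `ausearch -m AVC -ts recent` output on the affected host; if sesearch prints no rule for the access, the denial is a policy gap like this one rather than a misbehaving process.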
      

            Zdenek Pytela (rhn-support-zpytela)
            Martin Pitt (rhn-engineering-mpitt)
            Zdenek Pytela
            Milos Malik