- Type: Bug
- Resolution: Done-Errata
- Priority: Normal
- rhel-9.5
- Fixed in Build: selinux-policy-38.1.53-2.el9
- No
- Severity: Important
- 1
- rhel-security-selinux
- ssg_security
- 25
- 1
- QE ack
- False
- False
- No
- Project: Red Hat Enterprise Linux
- SELINUX 250219: 2
- Pass
- Automated
- Release Note Type: Release Note Not Required
- None
What were you trying to do that didn't work?
Starting systemd-nspawn containers is not possible on RHEL9 because of AVCs popping up:
type=PROCTITLE msg=audit(01/27/2025 11:35:15.557:498) : proctitle=/usr/lib/systemd/systemd-machined
type=SYSCALL msg=audit(01/27/2025 11:35:15.557:498) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd63ea31a0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=67174 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null)
type=AVC msg=audit(01/27/2025 11:35:15.557:498) : avc: denied { search } for pid=67174 comm=systemd-machine name=67317 dev="proc" ino=84028 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
The reason for that is RHEL9 policy is lacking a lot of rules. This was fixed on Rawhide by the following commit:

commit edd00f2271daef923d15eb6b8dc27ebf251bdc9a
Author: Zdenek Pytela <zpytela@redhat.com>
Date:   Fri Oct 13 20:06:58 2023 +0200

    Support using systemd containers

    Resolves: rhbz#1900869
I could confirm that a custom backport of the commit fixes the issue:
# cat rhcase04036690.if
## Interfaces missing from the RHEL9 policy, defined locally so the .te below can use them.
interface(`unconfined_server_read_state',`
	gen_require(`
		type unconfined_service_t;
	')

	## read /proc/<pid> state of unconfined_service_t processes
	ps_process_pattern($1, unconfined_service_t)
')

interface(`fs_write_tmpfs_socket_files',`
	gen_require(`
		type tmpfs_t;
	')

	write_sock_files_pattern($1, tmpfs_t, tmpfs_t)
	fs_search_tmpfs($1)
')

# cat rhcase04036690.te
policy_module(rhcase04036690, 1.0)

gen_require(`
	type systemd_machined_t, system_dbusd_t;
')

optional_policy(`
	term_use_generic_ptys(systemd_machined_t)
')

optional_policy(`
	## the { search } on /proc/<pid> labelled unconfined_service_t from the AVC above
	unconfined_server_read_state(systemd_machined_t)
	unconfined_server_stream_connectto(systemd_machined_t)
')

optional_policy(`
	term_use_generic_ptys(system_dbusd_t)
')

allow systemd_machined_t self:cap_userns { setgid setuid sys_admin sys_ptrace };

files_read_var_lib_symlinks(systemd_machined_t)
files_write_root_dirs(systemd_machined_t)
fs_read_nsfs_files(systemd_machined_t)
fs_read_tmpfs_symlinks(systemd_machined_t)
fs_write_cgroup_files(systemd_machined_t)
fs_write_tmpfs_socket_files(systemd_machined_t)
What is the impact of this issue to you?
Customer cannot run systemd-nspawn containers
Please provide the package NVR for which the bug is seen:
selinux-policy-38.1.45-3.el9_5.noarch
RHEL9.6 policy (checking rhpkg workspace)
How reproducible is this bug?:
Always
Steps to reproduce
- Install a container tree
# dnf install --releasever=9 --installroot=/var/lib/machines/demo --setopt=install_weak_deps=False systemd
# dnf install systemd-container
- Start the container
# systemctl start systemd-nspawn@demo
Expected results
No failure, no AVC
Actual results
Failure and AVC
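The workflow behind the backport above, as an added example that is not part of the report or of the selinux-policy project: a small parser that turns an "avc: denied" record (the one quoted in the report, embedded here as constructed sample input) into the raw allow rule it is asking for, a check against the loaded policy with setools' sesearch, and the build-and-load step for a local module such as rhcase04036690. The function names are this example's own; sesearch, semodule, ausearch and the selinux-policy-devel Makefile are the real tools, and the build helper assumes the .te/.if pair sits in the current directory and that you are root.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy project.
# 1) avc_to_allow: derive the allow rule an AVC record is asking for
#    (what audit2allow would print), without needing a live audit log.
# 2) rule_present: ask the loaded policy whether that access is already
#    granted (setools' sesearch), e.g. after installing the fixed build.
# 3) build_and_load_module: compile and load a local .te/.if pair such as
#    the rhcase04036690 module in the report. Needs root and
#    selinux-policy-devel; it is only defined here, not run.
# Function names are this example's own, not any project's API.

# Constructed sample input: the PROCTITLE and AVC records quoted in the
# report. Records without "avc: denied" are skipped by avc_to_allow.
AVC_SAMPLE='type=PROCTITLE msg=audit(01/27/2025 11:35:15.557:498) : proctitle=/usr/lib/systemd/systemd-machined
type=AVC msg=audit(01/27/2025 11:35:15.557:498) : avc: denied { search } for pid=67174 comm=systemd-machine name=67317 dev="proc" ino=84028 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0'

# Read audit records on stdin; for every "avc: denied" record print
#   allow <source type> <target type>:<class> { <perms> };
# Only the type (third colon-separated field) of each context is used.
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1};/p'
}

# rule_present SRC TGT CLASS PERM: exit 0 if the loaded policy already
# allows the access, 1 otherwise (sesearch prints nothing when it does not).
rule_present() {
    [ -n "$(sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null)" ]
}

# build_and_load_module NAME: build NAME.pp from NAME.te plus any .if files
# in the directory (for interfaces the shipped policy lacks), load it,
# restart the container from the reproducer and look for fresh denials.
build_and_load_module() {
    make -f /usr/share/selinux/devel/Makefile "$1.pp" || return 1
    semodule -i "$1.pp" || return 1
    systemctl restart systemd-nspawn@demo || return 1
    ausearch -m AVC -ts recent
}

# Stand-alone run: show the rule the quoted denial is asking for.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

Two practitioner notes. The sed output is the raw rule an audit2allow-style tool would give (allow systemd_machined_t unconfined_service_t:dir { search };); the module in the report deliberately expresses the same access through an interface (ps_process_pattern via the locally defined unconfined_server_read_state), which is the shape a backport of an upstream commit should have. And a first denial is rarely the last: the report's module carries a dozen rules because each loaded iteration lets systemd-machined get further and hit the next one, so repeat the load/restart/ausearch loop until the container starts cleanly. Once the fixed build listed above is installed, rule_present systemd_machined_t unconfined_service_t dir search should succeed on its own and the local module can be dropped with semodule -r.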
- relates to: RHEL-85379 [rhel-9] 'journalctl -M tux' fails due to AVC denied (status: Release Pending)
- links to: RHBA-2024:139849 selinux-policy bug fix and enhancement update