selinux denies `machinectl import-fs` executing systemd-importd

wuxxin commented 1 year ago

Platform

Fedora Coreos Stable (38)

Reproduction

(Works) make a os filesystem with mkosi

rpm-ostree install --assumeyes --idempotent --allow-inactive mkosi apt
mkdir -p /etc/mkosi/debian-bookworm /var/lib/mkosi /var/cache/mkosi
printf "[Distribution]\nDistribution=debian\nRelease=bookworm\n[Output]Format=directory
[Packages]\n[Host]\n[Validation]" > /etc/mkosi/debian-bookworm/mkosi.conf
printf "[Exec]\nBoot=on\nLinkJournal=try-guest\n[Files][Network]
Private=on\nVirtualEthernet=on\n" > /etc/mkosi/debian-bookworm/mkosi.nspawn
mkosi -C /etc/mkosi/debian-bookworm -O /var/lib/mkosi --cache=/var/cache/mkosi build
mv /var/lib/mkosi/debian~bookworm /var/lib/mkosi/debian-bookworm

(Does Not Work) import filesystem for nspawn with machinectl

machinectl import-fs /var/lib/mkosi/debian-bookworm hello-nspawn

If this is not the right repo for this issue, feel free to close/ignore this issue, and point me to a more fitting one.

Related binaries:

-rwxr-xr-x. 4 root root system_u:object_r:systemd_importd_exec_t:s0 49824
     Jan  1  1970 /usr/lib/systemd/systemd-importd
-rwxr-xr-x. 4 root root system_u:object_r:init_exec_t:s0 33128 Jan  1  1970
    /usr/lib/systemd/systemd-import-fs

Relevant Log Output (formatted for better readability)

audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: type=1130 audit(1687265080.304:465): pid=1 uid=0 auid=4294967295 ses=4294967295
    subj=system_u:system_r:init_t:s0 msg='unit=systemd-importd comm="systemd" 
    exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[5023]: AVC avc:  denied  { execute } for  pid=5023 comm="(sd-transfer)" 
    name="systemd-import-fs" dev="dm-0" ino=14841116 
    scontext=system_u:system_r:systemd_importd_t:s0 
    tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
audit[5023]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=5639dc5a36e8
    a1=7ffd102d2350 a2=5639dd7a91f0 a3=7ff68bdf8810 items=0 ppid=5022 pid=5023
    auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
    tty=(none) ses=4294967295 comm="(sd-transfer)" exe="/usr/lib/systemd/systemd-importd"
    subj=system_u:system_r:systemd_importd_t:s0 key=(null)
audit: PROCTITLE proctitle="(sd-transfer)"
    (sd-transfer)[5023]: Failed to execute /usr/lib/systemd/systemd-import-fs 
    tool: Permission denied

dustymabe commented 1 year ago

Hmm so you are trying to layer in mkosi on top of Fedora CoreOS (which version specifically are you using?) and then trying to machinectl import-fs the created image?

I'm guessing the right place to file an issue would be an SELinux Bugzilla.

wuxxin commented 1 year ago

which version specifically are you using ?

for development, i use x86_64 qemu qcow2.xz. with libvirt

why ?

after a learning project,using pulumi (a terraform clone), and Fedora-CoreOS (https://github.com/wuxxin/infra-shared) i thought it would be nice to support some legacy virtual machines so i thought nspawn would be a good fit for virtual machines on coreos because

its a very thin layer, does only a few things, and is architecture wise similar to lxc
since it inception it learned to automatically facilitate the USER Namespace, and has become a good enough isolation layer
its same kernel, which means, zero overhead, same caching layer, lots of mount options, file watch and everything else just works
its feature wise similar to libvirt+ libvirt-lxc but without a ton of arcane XML configs, without a huge daemon in the background, and is not retrofitted to lxc like libvirt
its ubiquitous and already installed on every linux os running under systemd, and its minimal scope looks like a match for coreos
it plays nicely with other systemd parts (networkd, resolved), auto configures the systemd inside the container,
i already use nspawn for development container-machines, where i find it very useful

the selinux error:

after making a file tree of an os filesystem (with mkosi), instead of import-fs, as a workaround, i simply copy the tree to /var/lib/machines and start the machine using systemd-nspawn, or machinectl start.

this works fine, but when i try to use machinectl import-fs instead for copying the directory tree, because coreos uses selinux in enforcing mode,

it breaks import-fs in a non obvious way (it stalls at the copy operation, without any explanation or obvious error), and is probably wrong, and probably overlooked by selinux policy writers, that machinectl calls systemd-import-fs which then spawns systemd-importd.

wuxxin commented 1 year ago

opened an issue upstream: https://bugzilla.redhat.com/show_bug.cgi?id=2219398 thanks for pointing out the fitting place,closing this.

coreos / fedora-coreos-tracker