fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow systemd's machinectl to clone and/or remove systemd-nspawn/btrfs instances in /var/lib/machines #2143

Open amessina opened 1 month ago

amessina commented 1 month ago

With a BTRFS filesystem, machinectl can clone a systemd-nspawn container quickly and efficiently.

It also attempts to clone and/or remove any *.nspawn configuration files in /etc/systemd/nspawn or /run/systemd/nspawn, which fails with the current F40 selinux-policy.

The audit2allow rules suggest allowing the systemd_machined_t source context edit access to the etc_t target type. This is not really what we should do.

Requesting that a new type systemd_nspawn_conf_t be created for /etc/systemd/nspawn and /run/systemd/nspawn. Then systemd_machined_t can be allowed to manage those spaces with the appropriate interfaces.

type=AVC msg=audit(1714311930.472:966): avc:  denied  { write } for  pid=27303 comm="(sd-imgclone)" name="nspawn" dev="sda3" ino=64221 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1714311930.472:967): avc:  denied  { write } for  pid=27303 comm="(sd-imgclone)" path=2F6574632F73797374656D642F6E737061776E2F2332303830363539202864656C6574656429 dev="sda3" ino=2080659 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1714311930.473:968): avc:  denied  { setattr } for  pid=27303 comm="(sd-imgclone)" name="#2080659" dev="sda3" ino=2080659 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1714311930.473:969): avc:  denied  { add_name } for  pid=27303 comm="(sd-imgclone)" name="#2080659" dev="sda3" ino=2080659 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1714311930.473:970): avc:  denied  { link } for  pid=27303 comm="(sd-imgclone)" name="#2080659" dev="sda3" ino=2080659 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1714317361.800:1372): avc:  denied  { write } for  pid=31798 comm="(sd-imgrm)" name="nspawn" dev="sda3" ino=64221 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1714317361.800:1373): avc:  denied  { remove_name } for  pid=31798 comm="(sd-imgrm)" name="ehrq.orig.nspawn" dev="sda3" ino=2080659 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1714317361.800:1374): avc:  denied  { unlink } for  pid=31798 comm="(sd-imgrm)" name="ehrq.orig.nspawn" dev="sda3" ino=2080659 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
#============= systemd_machined_t ==============
allow systemd_machined_t etc_t:dir { add_name remove_name write };
allow systemd_machined_t etc_t:file { link setattr unlink write };
allow systemd_machined_t systemd_nspawn_var_run_t:dir { add_name remove_name write };
allow systemd_machined_t systemd_nspawn_var_run_t:file { create getattr lock open read unlink write };
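The request above is to avoid the audit2allow suggestion (which would let systemd_machined_t write to every etc_t file on the system) by giving the *.nspawn configuration its own type. The following is an added, illustrative reference-policy module sketching that design; it is not code from the selinux-policy project, and the type name systemd_nspawn_conf_t, the interface name systemd_manage_nspawn_conf and the module name are taken from or chosen for this issue. The hex-encoded path in the second AVC record decodes to `/etc/systemd/nspawn/#2080659 (deleted)`, consistent with the clone helper writing an anonymous temporary file and then linking it into place, which is why `link` and `setattr` appear alongside `write`; `manage_file_perms` covers all of them. The audit2allow output already shows a systemd_nspawn_var_run_t target for the /run path, so whether /run/systemd/nspawn keeps its existing type or is relabelled as below is a design decision the module leaves to the maintainers.

```m4
# ---- systemd_nspawn_conf.te (illustrative, not the project's module) ----
policy_module(systemd_nspawn_conf, 1.0.0)

########################################
#
# Declarations
#

# Dedicated type for *.nspawn unit configuration (assumed name from the issue).
type systemd_nspawn_conf_t;
files_config_file(systemd_nspawn_conf_t)
# The same files also live under /run, so mark the type usable there too.
files_pid_file(systemd_nspawn_conf_t)

gen_require(`
	type systemd_machined_t;
')

########################################
#
# systemd-machined policy
#

# The (sd-imgclone) and (sd-imgrm) helpers run in systemd_machined_t.
# Grant management of the dedicated type only, never of generic etc_t.
systemd_manage_nspawn_conf(systemd_machined_t)

# ---- systemd_nspawn_conf.if ----
## <summary>systemd-nspawn *.nspawn configuration files.</summary>

########################################
## <summary>
##	Create, read, write, link and delete *.nspawn configuration
##	files and their directories.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`systemd_manage_nspawn_conf',`
	gen_require(`
		type systemd_nspawn_conf_t;
	')

	# Path lookups through /etc and /run to reach the nspawn directories.
	files_search_etc($1)
	files_search_pids($1)
	# manage_file_perms includes write, setattr, link and unlink,
	# i.e. everything the denials above report for the clone/remove helpers.
	manage_dirs_pattern($1, systemd_nspawn_conf_t, systemd_nspawn_conf_t)
	manage_files_pattern($1, systemd_nspawn_conf_t, systemd_nspawn_conf_t)
')

# ---- systemd_nspawn_conf.fc ----
# New files created inside these directories inherit the directory type,
# so no file transition rule is needed for the .nspawn files themselves.
/etc/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_conf_t,s0)
/run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_conf_t,s0)
```

Built with the Fedora development Makefile (`make -f /usr/share/selinux/devel/Makefile systemd_nspawn_conf.pp`), installed with `semodule -i systemd_nspawn_conf.pp`, and followed by `restorecon -RFv /etc/systemd/nspawn /run/systemd/nspawn`, the module confines the new permissions to the labelled directories. `sesearch -A -s systemd_machined_t -t systemd_nspawn_conf_t` shows exactly what was granted, and `sesearch -A -s systemd_machined_t -t etc_t -c file -p write` should still return nothing, which is the check that distinguishes this design from the audit2allow rules.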