fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

systemd-homed not working on f41 #2452

Open tulilirockz opened 1 day ago

tulilirockz commented 1 day ago

Haven't tested it on any other version, but homectl create doesn't seem to work on my current image. I am using Bluefin-dx:latest which is based on Fedora 41.

system logs:

Nov 28 20:55:11 studio audit[1449]: AVC avc:  denied  { read } for  pid=1449 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Nov 28 20:55:11 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 28 20:55:11 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed-activate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 28 20:55:46 studio audit[1449]: AVC avc:  denied  { write } for  pid=1449 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Nov 28 20:57:03 studio audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 28 20:57:04 studio audit[4462]: AVC avc:  denied  { read } for  pid=4462 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Nov 28 20:57:04 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
# then this x1000 times or so
Nov 28 21:09:27 studio audit[4462]: AVC avc:  denied  { fowner } for  pid=4462 comm="systemd-homed" capability=3  scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:system_r:systemd_homed_t:s0 tclass=capability permissive=0

rpm -qa | grep selinux:

libselinux-3.7-5.fc41.x86_64
libselinux-utils-3.7-5.fc41.x86_64
selinux-policy-41.26-1.fc41.noarch
selinux-policy-targeted-41.26-1.fc41.noarch
container-selinux-2.234.2-1.fc41.noarch
passt-selinux-0^20241121.g238c69f-1.fc41.noarch
python3-libselinux-3.7-5.fc41.x86_64
flatpak-selinux-1.15.10-1.fc41.noarch
rpm-plugin-selinux-4.20.0-1.fc41.x86_64
smartmontools-selinux-7.4-6.fc41.noarch
freeipa-selinux-4.12.2-4.fc41.noarch
swtpm-selinux-0.9.0-4.fc41.noarch
osbuild-selinux-132-1.fc41.noarch
nbdkit-selinux-1.40.4-1.fc41.noarch
incus-selinux-6.7-0.1.fc41.noarch
cockpit-selinux-329.1-1.fc41.noarch

authselect current:

Profile ID: local
Enabled features:
- with-silent-lastlog
- with-mdns4
- with-fingerprint
- with-systemd-homed

bootc status: (if that is even useful)

apiVersion: org.containers.bootc/v1
kind: BootcHost
metadata:
  name: host
spec:
  image:
    image: ghcr.io/ublue-os/bluefin-dx:latest
    transport: registry
    signature: containerPolicy
  bootOrder: default
status:
  staged: null
  booted:
    image:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241128
      timestamp: 2024-11-28T04:59:59Z
      imageDigest: sha256:d0b155e298b6dc1b40eac09208bea4fdbfbd125a080fd85573afd8a63a181867
    cachedUpdate: null
    incompatible: false
    pinned: false
    store: ostreeContainer
    ostree:
      checksum: 3c432c099cf531d99ec3cd740ce708f321a816ee7f56c288059e7f1d04d4ba7f
      deploySerial: 0
  rollback:
    image:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241127.1
      timestamp: 2024-11-27T10:45:44Z
      imageDigest: sha256:e23e65b5eafaa256c095081b4eb110b81ee486e07f1fef1a9dbe9bb4775bcf8c
    cachedUpdate:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241128
      timestamp: 2024-11-28T04:59:59Z
      imageDigest: sha256:d0b155e298b6dc1b40eac09208bea4fdbfbd125a080fd85573afd8a63a181867
    incompatible: false
    pinned: false
    store: ostreeContainer
    ostree:
      checksum: 9ec430dad8244ef31dab4b4ed79ea916c78adae61b168f7a2f7845b2cb68e6e7
      deploySerial: 0
  rollbackQueued: false
  type: bootcHost

journalctl -b | audit2allow -m myerrors:

# this also has a setroubleshootd definition there but still

module myerrors 1.0;

require {
    type install_exec_t;
    type systemd_homed_t;
    type var_t;
    type systemd_homework_t;
    type setroubleshootd_t;
    class dir { read write };
    class capability fowner;
    class file execute;
}

#============= setroubleshootd_t ==============
allow setroubleshootd_t install_exec_t:file execute;

#============= systemd_homed_t ==============
allow systemd_homed_t self:capability fowner;
allow systemd_homed_t var_t:dir { read write };

#============= systemd_homework_t ==============
allow systemd_homework_t var_t:dir read;

tulilirockz commented 1 day ago

Applying the audit2allow rule fixes it completely (although I suppose it isn't the best idea to use that one?)

tulilirockz commented 1 day ago

Also got this:

Nov 28 23:15:11 studio audit[1392]: AVC avc:  denied  { add_name } for  pid=1392 comm="systemd-homed" name="tulili" scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0