fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

unable to use machinectl with selinux in enforcing mode #298

Closed gui-bo closed 4 years ago

gui-bo commented 5 years ago

Hello, I am using Fedora Silverblue 31 and I cannot use machinectl with SELinux in enforcing mode. Does anyone know how I can change the SELinux policy to allow it? Thank you!

[gui@localhost ~]$ sudo machinectl shell gui@Fedora31
Failed to get shell PTY: Input/output error
[gui@localhost ~]$ sudo setenforce 0
[sudo] password for gui: 
[gui@localhost ~]$ sudo machinectl shell gui@Fedora31
Connected to machine Fedora31. Press ^] three times within 1s to exit session.
[gui@Fedora31 ~]$ 

wrabcak commented 5 years ago

@zpytela PTAL

zpytela commented 4 years ago

@gui-bo, please collect all denials from the command attempt made in the SELinux permissive mode. They need to be assessed and a proper action chosen to resolve the issue.

# installed systemd and selinux-policy package versions
rpm -qa systemd\* selinux-policy\*
# interpreted AVC and USER_AVC records from the last 10 minutes
ausearch -i -m avc,user_avc -ts recent

Is this issue new in F31? Has it started with some particular update? Does it happen only when using Silverblue image?

gui-bo commented 4 years ago

Hello, I have had this issue since I installed Fedora Silverblue 31 last month. On Fedora Silverblue 31 (installed on actual physical hardware):

[gui@localhost ~]$ rpm -qa systemd\* selinux-policy\*
systemd-rpm-macros-243.4-1.fc31.noarch
systemd-udev-243.4-1.fc31.x86_64
selinux-policy-3.14.4-40.fc31.noarch
systemd-243.4-1.fc31.x86_64
systemd-libs-243.4-1.fc31.x86_64
selinux-policy-targeted-3.14.4-40.fc31.noarch
systemd-pam-243.4-1.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-container-243.4-1.fc31.x86_64
[gui@localhost ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
[gui@localhost ~]$ sudo machinectl shell gui@Fedora31
[sudo] password for gui: 
Failed to get shell PTY: Input/output error
[gui@localhost ~]$ sudo setenforce 0
[gui@localhost ~]$ sudo machinectl shell gui@Fedora31
Connected to machine Fedora31. Press ^] three times within 1s to exit session.
[gui@Fedora31 ~]$ 
Connection to machine Fedora31 terminated.
[gui@localhost ~]$ sudo ausearch -i -m avc,user_avc -ts recent 
----
type=USER_AVC msg=audit(09.12.2019 21:12:29.439:391) : pid=1007 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 

I just installed a VM with normal Fedora 31 and have the same problem:

[gui@localhost ~]$ sudo setenforce 0
[sudo] password for gui: 
[gui@localhost ~]$ sudo machinectl shell gui@Fedora-31
Connected to machine Fedora-31. Press ^] three times within 1s to exit session.
[gui@Fedora-31 ~]$ 
Connection to machine Fedora-31 terminated.
[gui@localhost ~]$ sudo ausearch -i -m avc,user_avc -ts recent
----
type=USER_AVC msg=audit(12/09/2019 21:10:15.665:225) : pid=811 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=AVC msg=audit(12/09/2019 21:10:27.895:231) : avc:  denied  { read } for  pid=1867 comm=(sd-openpt) name=ptmx dev="tmpfs" ino=38703 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1 
----
type=AVC msg=audit(12/09/2019 21:10:27.895:232) : avc:  denied  { open } for  pid=1867 comm=(sd-openpt) path=/dev/pts/ptmx dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 
----
type=AVC msg=audit(12/09/2019 21:10:27.898:233) : avc:  denied  { read } for  pid=1871 comm=(sd-buscntr) name=run dev="dm-0" ino=285246 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=lnk_file permissive=1 
----
type=AVC msg=audit(12/09/2019 21:10:27.898:234) : avc:  denied  { write } for  pid=1871 comm=(sd-buscntr) name=system_bus_socket dev="tmpfs" ino=37877 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(12/09/2019 21:10:27.898:235) : avc:  denied  { connectto } for  pid=1871 comm=(sd-buscntr) path=/run/dbus/system_bus_socket scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
[gui@localhost ~]$ rpm -qa systemd\* selinux-policy\*
selinux-policy-targeted-3.14.4-40.fc31.noarch
systemd-container-243.4-1.fc31.x86_64
systemd-pam-243.4-1.fc31.x86_64
selinux-policy-3.14.4-40.fc31.noarch
systemd-udev-243.4-1.fc31.x86_64
systemd-rpm-macros-243.4-1.fc31.noarch
systemd-243.4-1.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-libs-243.4-1.fc31.x86_64
[gui@localhost ~]$ sudo setenforce 1
[sudo] password for gui: 
[gui@localhost ~]$ sudo machinectl shell gui@Fedora-31
Failed to get shell PTY: Input/output error

zpytela commented 4 years ago

@gui-bo, at least some of these denials can be addressed in Fedora policy; I am afraid it requires a lot of changes to be made. Are you aware of any customizations made on your system related to these issues? There seem to be paths or symlinks which are not present by default.

Unfortunately, as the path is not logged in these denials, the following commands need to be run to grab more information:

# remove the "never,task" rule that suppresses syscall auditing
auditctl -d never,task
# any syscall watch rule turns syscall auditing on, so SYSCALL and PATH records accompany the AVCs
auditctl -w /etc/shadow -p w -k shadow-write

Then rerun the scenario in permissive mode and execute the ausearch command to collect the denials again.

gui-bo commented 4 years ago

I started using fedora-toolbox and podman now. It is the supported and easier way to work with containers in Silverblue and it is working really great, even better than a systemd container. So I don't use systemd containers any more.

Thank you so much!

gnoutchd commented 4 months ago

This is still an issue with Fedora 40 Workstation, and it also breaks systemd-run --machine=[...] --pty [...]. If systemd-nspawn / machinectl aren't going to be supported then they should be removed from the distribution.

gnoutchd commented 4 months ago

Minimal test case, verbatim from systemd-nspawn(1):

dnf -y --releasever=40 --installroot=/var/lib/machines/f40 \
  --repo=fedora --repo=updates --setopt=install_weak_deps=False install \
  passwd dnf fedora-release vim-minimal util-linux systemd systemd-networkd
systemd-nspawn -bD /var/lib/machines/f40

Then, in a new shell:

machinectl shell f40
# or:
systemd-run --machine=f40 --pty /bin/bash

Both crash with Failed to get shell PTY: Input/output error unless I do setenforce 0 first.

gnoutchd commented 4 months ago

After doing:

setenforce 0
auditctl -d never,task
auditctl -w /etc/shadow -p w -k shadow-write
systemd-run --machine=f40 --pty /bin/bash

ausearch -i -m avc,user_avc -ts recent gives:

type=PROCTITLE msg=audit(07/24/2024 17:28:17.411:567) : proctitle=(sd-openpt) 
type=PATH msg=audit(07/24/2024 17:28:17.411:567) : item=2 name=(null) inode=4 dev=00:64 mode=character,620 ouid=root ogid=tty rdev=88:01 obj=system_u:object_r:systemd_machined_devpts_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/24/2024 17:28:17.411:567) : item=1 name=(null) inode=1 dev=00:64 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:devpts_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/24/2024 17:28:17.411:567) : item=0 name=/dev/ptmx inode=2 dev=00:64 mode=character,666 ouid=root ogid=root rdev=05:02 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/24/2024 17:28:17.411:567) : cwd=/ 
type=SYSCALL msg=audit(07/24/2024 17:28:17.411:567) : arch=x86_64 syscall=openat success=yes exit=16 a0=AT_FDCWD a1=0x7f960c5c3027 a2=O_RDWR|O_NOCTTY|O_CLOEXEC a3=0x0 items=3 ppid=9501 pid=9502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-openpt) exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null) 
type=AVC msg=audit(07/24/2024 17:28:17.411:567) : avc:  denied  { open } for  pid=9502 comm=(sd-openpt) path=/dev/pts/ptmx dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 
type=AVC msg=audit(07/24/2024 17:28:17.411:567) : avc:  denied  { read } for  pid=9502 comm=(sd-openpt) name=ptmx dev="tmpfs" ino=25 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
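The records in this thread are the raw material a policy maintainer triages before choosing between a policy change and a relabel: the 2019 output in gui-bo's comment has AVCs only, while the 2024 event 567 above also carries the PATH and SYSCALL records that the extra auditctl rules zpytela asked for make available. The script below is an added example, not part of this issue or of the selinux-policy project. It parses `ausearch -i` output, joins each AVC with the PATH and SYSCALL records that share its event serial so the accessed path and executable are recovered, renders the audit2allow-style rule for each denial, and flags denials whose target type suggests a labeling problem. The sample records are abridged copies of lines posted in this thread; the `REVIEW_TYPES` heuristic is my own assumption, not project policy.

```python
"""Triage SELinux AVC denials from `ausearch -i` output (added example).
Records are grouped by audit event serial so an AVC can be joined with the PATH
and SYSCALL records of the same event and rendered as audit2allow-style rule text."""
import re
from collections import defaultdict

SERIAL_RE = re.compile(r"msg=audit\((.*?):(\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HANDLED = {"AVC", "PATH", "SYSCALL"}

# Assumption (my heuristic, not policy from the thread): a system daemon being
# denied on user_tmp_t, mnt_t or the unconfined_t domain usually means the object
# is mislabeled or reached through a non-default symlink, so relabeling, not a
# new allow rule, is the fix.
REVIEW_TYPES = {"user_tmp_t", "mnt_t", "unconfined_t"}

def parse_kv(text):
    """Turn 'k=v k2="v 2"' fragments into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def context_type(ctx):
    """user:role:type[:range] -> type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_ausearch(text):
    """Return {serial: {"avcs": [...], "paths": [...], "syscall": dict|None}}."""
    events = defaultdict(lambda: {"avcs": [], "paths": [], "syscall": None})
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("type="):
            continue  # "----" separators and blank lines
        rtype = line.split()[0][len("type="):]
        m = SERIAL_RE.search(line)
        if rtype not in HANDLED or not m:
            continue  # USER_AVC, PROCTITLE and CWD are not needed here
        ev = events[int(m.group(2))]
        if rtype == "AVC":
            am = AVC_RE.search(line)
            if not am:
                continue  # "granted" audits are not denials
            f = parse_kv(am.group(2))
            ev["avcs"].append({
                "source": context_type(f.get("scontext", "")),
                "target": context_type(f.get("tcontext", "")),
                "tclass": f.get("tclass", "?"),
                "perms": am.group(1).split(),
                "comm": f.get("comm", "?"),
                # the AVC itself carries a full path only for some object classes
                "object": f.get("path") or f.get("name"),
            })
        elif rtype == "PATH":
            f = parse_kv(line)
            if f.get("name") not in (None, "(null)"):
                ev["paths"].append(f["name"])
        else:
            ev["syscall"] = parse_kv(line)
    return dict(events)

def summarize(events):
    """One row per denial, enriched with PATH names and exe from the same event."""
    rows = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev["syscall"] or {}
        for avc in ev["avcs"]:
            rows.append(dict(avc, serial=serial, paths=list(ev["paths"]), exe=sc.get("exe")))
    return rows

def allow_rule(row):
    """Render the rule audit2allow would emit for this single denial."""
    perms = row["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {row['source']} {row['target']}:{row['tclass']} {p};"

def needs_review(row):
    """True when the denial looks like a labeling problem rather than a policy gap."""
    return row["target"] in REVIEW_TYPES

# Abridged copies of records posted in this thread: 2019 serials 231, 232, 235
# and the 2024 event 567, which includes PATH and SYSCALL records.
SAMPLE = """
----
type=AVC msg=audit(12/09/2019 21:10:27.895:231) : avc:  denied  { read } for  pid=1867 comm=(sd-openpt) name=ptmx dev="tmpfs" ino=38703 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
----
type=AVC msg=audit(12/09/2019 21:10:27.895:232) : avc:  denied  { open } for  pid=1867 comm=(sd-openpt) path=/dev/pts/ptmx dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(12/09/2019 21:10:27.898:235) : avc:  denied  { connectto } for  pid=1871 comm=(sd-buscntr) path=/run/dbus/system_bus_socket scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=PATH msg=audit(07/24/2024 17:28:17.411:567) : item=1 name=(null) inode=1 dev=00:64 mode=dir,755 obj=unconfined_u:object_r:devpts_t:s0 nametype=PARENT
type=PATH msg=audit(07/24/2024 17:28:17.411:567) : item=0 name=/dev/ptmx inode=2 dev=00:64 mode=character,666 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(07/24/2024 17:28:17.411:567) : arch=x86_64 syscall=openat success=yes exit=16 comm=(sd-openpt) exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0
type=AVC msg=audit(07/24/2024 17:28:17.411:567) : avc:  denied  { open } for  pid=9502 comm=(sd-openpt) path=/dev/pts/ptmx dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(07/24/2024 17:28:17.411:567) : avc:  denied  { read } for  pid=9502 comm=(sd-openpt) name=ptmx dev="tmpfs" ino=25 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
"""

if __name__ == "__main__":
    for row in summarize(parse_ausearch(SAMPLE)):
        where = row["paths"][0] if row["paths"] else row["object"]
        flag = "   # REVIEW: likely labeling issue" if needs_review(row) else ""
        print(f"[{row['serial']}] {row['comm']} on {where}: {allow_rule(row)}{flag}")
```

Run as-is it prints one line per denial. For event 567 the joined PATH record shows that `sd-openpt` opened `/dev/ptmx` and reached `/dev/pts/ptmx`, which is exactly the information the bare AVC lacks and the reason the maintainer asked for syscall auditing to be switched on. The flagged rows (a `user_tmp_t` symlink named `ptmx` on tmpfs, a `connectto` into the `unconfined_t` domain) are the ones the maintainer's remark about non-default paths and symlinks applies to; writing `allow` rules for them would hide a labeling problem instead of fixing it, whereas the `user_devpts_t` open is a plain policy gap.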