fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Fedora 35: out-of-the-box denials with systemd-nspawn and machinectl #930

Open space88man opened 3 years ago

space88man commented 3 years ago

Versions:

Scenario:

Findings:

# ausearch -m avc --start recent --raw | audit2allow -M my-nspawn
module my-nspawn 1.0;

require {
        type user_devpts_t;
        type devpts_t;
        type systemd_machined_t;
        type tmpfs_t;
        type unconfined_service_t;
        type system_dbusd_t;
        type user_tmp_t;
        type unconfined_t;
        class lnk_file read;
        class sock_file write;
        class chr_file { open read write };
        class unix_stream_socket connectto;
        class dir search;
        class file { getattr ioctl open read };
        class cap_userns { setgid setuid sys_admin sys_ptrace };
}

#============= system_dbusd_t ==============
allow system_dbusd_t devpts_t:chr_file { read write };

#============= systemd_machined_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow systemd_machined_t devpts_t:chr_file open;
allow systemd_machined_t self:cap_userns { setgid setuid sys_admin sys_ptrace };
allow systemd_machined_t tmpfs_t:lnk_file read;
allow systemd_machined_t tmpfs_t:sock_file write;
allow systemd_machined_t unconfined_service_t:dir search;
allow systemd_machined_t unconfined_service_t:file { getattr ioctl open read };
allow systemd_machined_t unconfined_service_t:lnk_file read;
allow systemd_machined_t unconfined_service_t:unix_stream_socket connectto;
allow systemd_machined_t unconfined_t:unix_stream_socket connectto;

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow systemd_machined_t user_devpts_t:chr_file open;
allow systemd_machined_t user_tmp_t:lnk_file read;
allow systemd_machined_t user_tmp_t:sock_file write;

This issue has been around for many years and the systemd team considers this as NOTOURBUG. It would be nice to finally put it to bed.

What about pivoting to the podman/LXC pattern of container_runtime_t and dynamic labelling? Admittedly systemd-nspawn seems to do quite a lot outside the container's filesystem to trigger these AVCs.

Pinging @rhatdan . Out-of-the-box both podman and LXC are able to run multi-process systemd containers.

space88man commented 3 years ago

If daemons_use_tty is set to true, then:

require {
        type unconfined_service_t;
        type systemd_machined_t;
        type devpts_t;
        type system_dbusd_t;
        type tmpfs_t;
        class dir search;
        class file { getattr ioctl open read };
        class lnk_file read;
        class unix_stream_socket connectto;
        class cap_userns { kill setgid setuid sys_admin sys_ptrace };
        class sock_file write;
        class chr_file { read write };
}

#============= system_dbusd_t ==============
allow system_dbusd_t devpts_t:chr_file { read write };

#============= systemd_machined_t ==============
allow systemd_machined_t self:cap_userns { kill setgid setuid sys_admin sys_ptrace };
allow systemd_machined_t tmpfs_t:lnk_file read;
allow systemd_machined_t tmpfs_t:sock_file write;
allow systemd_machined_t unconfined_service_t:dir search;
allow systemd_machined_t unconfined_service_t:file { getattr ioctl open read };
allow systemd_machined_t unconfined_service_t:lnk_file read;
allow systemd_machined_t unconfined_service_t:unix_stream_socket connectto;

space88man commented 3 years ago

----
time->Mon Nov  1 09:46:24 2021
type=AVC msg=audit(1635731184.910:2040): avc:  denied  { search } for  pid=1054 comm="systemd-machine" name="481182" dev="proc" ino=2116018 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
----
time->Mon Nov  1 09:46:24 2021
type=AVC msg=audit(1635731184.910:2041): avc:  denied  { read } for  pid=1054 comm="systemd-machine" name="cgroup" dev="proc" ino=2115228 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Mon Nov  1 09:46:24 2021
type=AVC msg=audit(1635731184.910:2042): avc:  denied  { open } for  pid=1054 comm="systemd-machine" path="/proc/481182/cgroup" dev="proc" ino=2115228 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Mon Nov  1 09:46:24 2021
type=AVC msg=audit(1635731184.910:2043): avc:  denied  { getattr } for  pid=1054 comm="systemd-machine" path="/proc/481182/cgroup" dev="proc" ino=2115228 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Mon Nov  1 09:46:24 2021
type=AVC msg=audit(1635731184.910:2044): avc:  denied  { ioctl } for  pid=1054 comm="systemd-machine" path="/proc/481182/cgroup" dev="proc" ino=2115228 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.345:2047): avc:  denied  { search } for  pid=1054 comm="systemd-machine" name="481182" dev="proc" ino=2116018 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.345:2048): avc:  denied  { read } for  pid=1054 comm="systemd-machine" name="mnt" dev="proc" ino=2113338 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lnk_file permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.345:2049): avc:  denied  { sys_ptrace } for  pid=1054 comm="systemd-machine" capability=19  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.345:2050): avc:  denied  { read } for  pid=1054 comm="systemd-machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.346:2051): avc:  denied  { sys_admin } for  pid=481449 comm="(sd-openptns)" capability=21  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.346:2052): avc:  denied  { setgid } for  pid=481449 comm="(sd-openptns)" capability=6  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.346:2053): avc:  denied  { setuid } for  pid=481449 comm="(sd-openptns)" capability=7  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.346:2054): avc:  denied  { read } for  pid=481450 comm="(sd-openpt)" name="ptmx" dev="tmpfs" ino=25 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.348:2055): avc:  denied  { write } for  pid=481454 comm="(sd-buscntr)" name="system_bus_socket" dev="tmpfs" ino=104 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.348:2056): avc:  denied  { connectto } for  pid=481454 comm="(sd-buscntr)" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
----
time->Mon Nov  1 09:46:31 2021
type=AVC msg=audit(1635731191.350:2057): avc:  denied  { read write } for  pid=1131 comm="dbus-broker" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
----
time->Mon Nov  1 09:46:42 2021
type=AVC msg=audit(1635731202.810:2061): avc:  denied  { kill } for  pid=1054 comm="systemd-machine" capability=5  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
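The audit2allow module in the first comment and the raw ausearch records above are the same data at two levels of detail. The following Python script is an added example, not part of this issue or of the selinux-policy project: it rebuilds the audit2allow-style summary from raw AVC lines so the grouping is visible (parse each record, collapse a source/target pair of the same type into `self`, union the denied permissions per source type, target type and class, then emit a `.te` skeleton with its `require` block). The sample input is five records copied from the log above; the module name and version are placeholders.

```python
"""Summarise raw SELinux AVC records (ausearch --raw style) the way audit2allow
does.  Added example, not from the issue or the project."""
import re
from collections import defaultdict

# Sample input: five AVC records copied from the ausearch output in this thread.
SAMPLE_AVC = """\
type=AVC msg=audit(1635731184.910:2040): avc:  denied  { search } for  pid=1054 comm="systemd-machine" name="481182" dev="proc" ino=2116018 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1635731184.910:2042): avc:  denied  { open } for  pid=1054 comm="systemd-machine" path="/proc/481182/cgroup" dev="proc" ino=2115228 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1635731184.910:2043): avc:  denied  { getattr } for  pid=1054 comm="systemd-machine" path="/proc/481182/cgroup" dev="proc" ino=2115228 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1635731191.346:2051): avc:  denied  { sys_admin } for  pid=481449 comm="(sd-openptns)" capability=21  scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=cap_userns permissive=1
type=AVC msg=audit(1635731191.350:2057): avc:  denied  { read write } for  pid=1131 comm="dbus-broker" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
"""

# Fields we need from one AVC record; everything between the permission set and
# scontext (pid, comm, path, capability, ...) is skipped non-greedily.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of a context (user:role:type[:mls]); the MLS range
    may itself contain colons, so index from the front."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse every type=AVC line into a dict; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "result": m.group("result"),
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but still allowed.
            "permissive": m.group("permissive") == "1",
        })
    return records


def summarize(records):
    """Union denied permissions per (source type, target type, class), writing the
    target as 'self' when it equals the source, exactly as audit2allow prints it."""
    rules = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        ttype = "self" if r["ttype"] == r["stype"] else r["ttype"]
        rules[(r["stype"], ttype, r["tclass"])] |= r["perms"]
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in sorted braces (audit2allow style)."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module="my-nspawn", version="1.0"):
    """Emit a .te skeleton: require block (types and classes) plus allow rules.
    Module name and version are placeholders."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.add(stype)
        if ttype != "self":
            types.add(ttype)
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for key in sorted(rules):
        stype, ttype, tclass = key
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(rules[key])};")
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    print(render_te(summarize(recs)))
    if all(r["permissive"] for r in recs):
        print("\n# all records carry permissive=1: the accesses were allowed while logged")
```

The `permissive` flag is worth checking before trusting such a summary as complete: the records above all carry `permissive=1`, so systemd-machined kept running and every access in the chain was logged. In enforcing mode the first denied access aborts the operation, so a summary built from an enforcing-mode log shows only the first step and a module built from it can be incomplete.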

rhatdan commented 3 years ago

Makes sense to me.

anonymouz commented 2 years ago

@space88man Did you solve the selinux / machinectl problem? What config file can I use /or/ what selinux policy must I set? (with semodule?) Please be specific, after 2 decades of linux use I'm still a total selinux noob. Trying to solve this on Rocky 8.7...