Rosetta register failing in Fedora distro - Selinux denial

hasan4791 commented 1 month ago

Description

When Rosetta is being registered from init, there is an issue with selinux. We need to identify the correct target label for Rosetta or need to add custom selinux policy(only if required).

[chasan@lima-podman-rootful Work]$ sudo su -
[systemd]
Failed Units: 1
  systemd-binfmt.service
[root@lima-podman-rootful ~]# 
[root@lima-podman-rootful ~]# systemctl restart systemd-binfmt
type=AVC msg=audit(1726639503.952:487): avc:  denied  { execute } for  pid=2199 comm="systemd-binfmt" name="rosetta" dev="virtiofs" ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1726639503.953:488): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-binfmt comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
Job for systemd-binfmt.service failed because the control process exited with error code.
See "systemctl status systemd-binfmt.service" and "journalctl -xeu systemd-binfmt.service" for details.
 [root@lima-podman-rootful ~]# 
 [root@lima-podman-rootful ~]#  journalctl -xeu systemd-binfmt.service 
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Sep 18 11:44:22 lima-test systemd[1]: systemd-binfmt.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit systemd-binfmt.service has entered the 'failed' state with result 'exit-code'.
Sep 18 11:44:22 lima-test systemd[1]: Failed to start systemd-binfmt.service - Set Up Additional Binary Formats.
░░ Subject: A start job for unit systemd-binfmt.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit systemd-binfmt.service has finished with a failure.
░░ 
░░ The job identifier is 1558 and the job result is failed.
Sep 18 11:44:28 lima-test systemd[1]: Starting systemd-binfmt.service - Set Up Additional Binary Formats...
░░ Subject: A start job for unit systemd-binfmt.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit systemd-binfmt.service has begun execution.
░░ 
░░ The job identifier is 1564.
Sep 18 11:44:28 lima-test systemd-binfmt[1570]: /usr/lib/binfmt.d/rosetta.conf:1: Failed to add binary format 'rosetta': Permission denied

How to reproduce?

# limactl create template://podman-rootful --name test --rosetta --mount-type virtiofs --vm-type vz
# limactl start test
# limactl shell test
[chasan@lima-test Work]$ 
# limactl stop test; limactl start test
# limactl  shell test
[systemd]
Failed Units: 1
  systemd-binfmt.service
[chasan@lima-test Work]$

Changes introduced from and after this PR #2474 is causing this issue.

hasan4791 commented 1 month ago

/assign

@AkihiroSuda Could you assign this to me?

hasan4791 commented 1 month ago

Observation:

Even though the registration of Rosetta to binfmt is being integrated with systemd-binfmt service, there is an issue in the execution as the selinux label for Rosetta mount is labeled as "nfs_t" but it should be "bin_t".
The error doesn't appear during the first time run since the conf file is not created at that time
This implies that, systemd-binfmt services are being loaded before even the lima's boot script execution and so the error.

lima-vm / lima

Rosetta register failing in Fedora distro - Selinux denial #2627

Description