#23 systemd 247 fails to boot if selinux is enabled
Closed 2 years ago by dcavalca. Opened 3 years ago by dcavalca.

I didn't manage to capture logs yet, but if selinux is enabled (which is the default), all the systemd daemons (hostnamed, logind, etc.) fail to start and the user can never log in. With selinux off everything works fine. I vaguely remember hitting something like this at FB a long time ago, I think the policy needs an update. Will see if I can dig out specifics.


Feb 23 09:26:02 centos-strea systemd[1]: Starting Hostname Service...
Feb 23 09:26:02 centos-strea systemd[4304]: Failed to mount /run/systemd/inaccessible/chr to /run/systemd/unit-root/dev/kmsg: Permission denied
Feb 23 09:26:02 centos-strea systemd[4304]: systemd-hostnamed.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev/kmsg: Permission denied
Feb 23 09:26:02 centos-strea systemd[4304]: systemd-hostnamed.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-hostnamed: Permission denied
Feb 23 09:26:02 centos-strea systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=226/NAMESPACE
Feb 23 09:26:02 centos-strea systemd[1]: systemd-hostnamed.service: Failed with result 'exit-code'.
Feb 23 09:26:02 centos-strea systemd[1]: Failed to start Hostname Service.

The policy comes from the selinux-policy package, the actual policy is at https://github.com/fedora-selinux/selinux-policy (plus patches provided by the package itself).

After putting the box in permissive mode, here's what comes out of audit2allow:

#============= avahi_t ==============
allow avahi_t init_var_run_t:dir read;

#============= init_t ==============
allow init_t kmsg_device_t:chr_file mounton;
allow init_t proc_kmsg_t:file { getattr mounton };
allow init_t systemd_machined_t:unix_stream_socket connectto;

#============= policykit_auth_t ==============
allow policykit_auth_t init_var_run_t:dir read;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto;

#============= policykit_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow policykit_t systemd_machined_t:unix_stream_socket connectto;

#============= syslogd_t ==============
allow syslogd_t user_tmp_t:lnk_file read;

#============= system_dbusd_t ==============
allow system_dbusd_t systemd_machined_t:unix_stream_socket connectto;

#============= systemd_hostnamed_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_hostnamed_t security_t:file map;

#============= systemd_localed_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_localed_t security_t:file map;

#============= systemd_logind_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_logind_t security_t:file map;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;

#============= systemd_machined_t ==============
allow systemd_machined_t init_var_run_t:sock_file create;

#============= xdm_t ==============
allow xdm_t systemd_machined_t:unix_stream_socket connectto;

Hacked together a minimal fix to the policy that at least lets the system boot to the desktop and makes it somewhat usable:
https://git.centos.org/rpms/selinux-policy/c/7cee3bf1e3294a5a5b9733d488e683d38c9792fb?branch=c8s-sig-hyperscale

I definitely wouldn't consider this "production quality" though: if one runs audit2allow in enforcing mode there's still a bunch of stuff to integrate, and some daemons (notably systemd-hostnamed and systemd-localed) are failing to start.
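An added example, not part of this ticket or of the SIG's policy package: a parser for audit2allow output of the shape quoted above that separates the rules an existing boolean would already satisfy from those that need a custom module. The input text is a constructed excerpt of the listing above, and the regexes only cover the plain `allow src tgt:class perm;` and `{ perm perm }` forms audit2allow emits.

```python
"""Triage audit2allow output.

Added example for this ticket (not the SIG's code). audit2allow prints a
'#!!!! This avc can be allowed using the boolean ...' hint directly above a
rule that a boolean would already permit; everything else needs a module.
"""
import re
from collections import defaultdict

# Constructed excerpt mirroring the audit2allow listing quoted in the ticket.
SAMPLE = """\
#============= init_t ==============
allow init_t kmsg_device_t:chr_file mounton;
allow init_t proc_kmsg_t:file { getattr mounton };

#============= systemd_logind_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow systemd_logind_t security_t:file map;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
"""

# allow <src> <tgt>:<class> <perm>;   or   allow <src> <tgt>:<class> { p1 p2 };
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+)\}|(?P<perm>\S+))\s*;$"
)
BOOL_RE = re.compile(r"boolean '(?P<name>[^']+)'")


def parse_audit2allow(text):
    """Return one dict per allow rule: src, tgt, cls, perms (sorted), boolean or None."""
    rules = []
    pending_bool = None  # boolean hint waiting for the rule that follows it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines may separate a hint from its rule
        hint = BOOL_RE.search(line)
        if line.startswith("#!!!!") and hint:
            pending_bool = hint.group("name")
            continue
        if line.startswith("#"):
            continue  # '#============= domain ==============' section header
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised audit2allow line: {line!r}")
        perms = m.group("perms").split() if m.group("perms") else [m.group("perm")]
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": sorted(perms),
                      "boolean": pending_bool})
        pending_bool = None
    return rules


def triage(rules):
    """Group rules by the boolean that would cover them; 'module' = no boolean."""
    groups = defaultdict(list)
    for rule in rules:
        groups[rule["boolean"] or "module"].append(rule)
    return dict(groups)


def format_rule(rule):
    """Render a parsed rule back into .te syntax (targeted alternative to a boolean)."""
    perms = rule["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rule['src']} {rule['tgt']}:{rule['cls']} {perm_text};"


if __name__ == "__main__":
    for key, group in triage(parse_audit2allow(SAMPLE)).items():
        print(f"[{key}]")
        for rule in group:
            print("  " + format_rule(rule))
```

Setting `domain_can_mmap_files` or `daemons_enable_cluster_mode` grants the permission to every domain those booleans cover, so the per-domain `allow` lines that `format_rule` prints are the narrower fix for a module like the one in the linked commit.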

Built selinux-policy-3.14.3-66.hs.el8 and tagged it for -release

Metadata Update from @dcavalca:
- Issue tagged with: meeting

3 years ago

I've untagged selinux-policy-3.14.3-66.hs.el8 from -release as we have a better solution now

Metadata Update from @dcavalca:
- Issue untagged with: meeting
- Issue assigned to dcavalca

2 years ago

Ok, thanks to @ngompa's help, we've been able to get an override module that gets systemd booting reliably with selinux enabled. There is one outstanding issue causing hostnamed and localed to fail on start with:

systemd-hostnamed[2764]: SELinux enabled state cached to: enabled
systemd-hostnamed[2764]: Failed to open SELinux status page: Permission denied

which comes from https://github.com/systemd/systemd/commit/fd5e402fa9377f2860e02bdb5b84d5f5942e73f4 which implies a requirement on libselinux > 3.1, while c8s ships 2.9. This is likely an upstream bug, as the systemd CI is still against C7.

https://github.com/fedora-selinux/selinux-policy/pull/464 looks related too, we probably need one of the fixes that were done there in our module.

Built systemd-247.3-5.hs.el8 in https://cbs.centos.org/koji/taskinfo?taskID=2325416 and tagged it for -testing. This build boots successfully with SELinux enabled, but the hostnamed/localed issue mentioned above is still outstanding.

Current state:

diff --git a/SOURCES/systemd_hs.if b/SOURCES/systemd_hs.if
new file mode 100644
index 0000000..6695e0e
--- /dev/null
+++ b/SOURCES/systemd_hs.if
@@ -0,0 +1,20 @@
+########################################
+## <summary>
+##     Allows the caller to use the SELinux status page.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_use_status_page',`
+       gen_require(`
+               type security_t;
+       ')
+
+       dev_search_sysfs($1)
+       allow $1 security_t:dir list_dir_perms;
+       allow $1 security_t:file mmap_read_file_perms;
+')
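Review bot: the new interface carries no note that it is a temporary backport (the changelog hunk cites refpolicy PR 308) or when it can go away; add a comment above `interface(\`selinux_use_status_page',\`` saying it duplicates the upstream interface and should be dropped once the c8s selinux-policy provides it, since a module-local `.if` that shadows a base-policy interface name is easy to forget. The `<summary>` could also say which status page is meant (the one under selinuxfs, which is why `dev_search_sysfs($1)` is needed).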
diff --git a/SOURCES/systemd_hs.te b/SOURCES/systemd_hs.te
index 5498233..04b565d 100644
--- a/SOURCES/systemd_hs.te
+++ b/SOURCES/systemd_hs.te
@@ -9,11 +9,19 @@ gen_require(`
        type policykit_auth_t;
        type policykit_t;
        type proc_kmsg_t;
+       type rpm_t;
        type system_dbusd_t;
        type systemd_hostnamed_t;
+       type systemd_hw_t;
        type systemd_localed_t;
        type systemd_logind_t;
        type systemd_machined_t;
+       type systemd_resolved_t;
+       type systemd_sessions_t;
+       type systemd_sysusers_t;
+       type systemd_tmpfiles_t;
+       type systemd_update_done_t;
+       type systemd_user_runtime_dir_t;
        type security_t;
        type syslogd_t;
        type user_tmp_t;
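Review bot: every `type` added to this `gen_require` block must already exist in the base policy on the target host, or `semodule` rejects the whole module; the dnf output later in this ticket (`Failed to resolve typeattributeset statement at .../systemd_hs/cil:12`) is exactly that failure, since the required-type list compiles to a CIL `typeattributeset` statement. Several of the new names (`systemd_hw_t`, `systemd_update_done_t`, `systemd_user_runtime_dir_t`, `rpm_t`, ...) appear nowhere in the audit2allow output earlier in this ticket, so check each one with `seinfo -t <name>` against the c8s policy before requiring it, and require only the types the rules below actually use.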
@@ -29,11 +37,21 @@ allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto;
 allow policykit_t systemd_machined_t:unix_stream_socket connectto;
 allow syslogd_t user_tmp_t:lnk_file read;
 allow system_dbusd_t systemd_machined_t:unix_stream_socket connectto;
-allow systemd_hostnamed_t security_t:file map;
-allow systemd_localed_t security_t:file map;
 allow systemd_logind_t self:netlink_selinux_socket create;
 allow systemd_logind_t self:netlink_selinux_socket bind;
-allow systemd_logind_t security_t:file map;
 allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
 allow systemd_machined_t init_var_run_t:sock_file create;
 allow xdm_t systemd_machined_t:unix_stream_socket connectto;
+
+selinux_use_status_page(init_t)
+selinux_use_status_page(rpm_t)
+selinux_use_status_page(systemd_hostnamed_t)
+selinux_use_status_page(systemd_hw_t)
+selinux_use_status_page(systemd_localed_t)
+selinux_use_status_page(systemd_logind_t)
+selinux_use_status_page(systemd_resolved_t)
+selinux_use_status_page(systemd_sessions_t)
+selinux_use_status_page(systemd_sysusers_t)
+selinux_use_status_page(systemd_tmpfiles_t)
+selinux_use_status_page(systemd_update_done_t)
+selinux_use_status_page(systemd_user_runtime_dir_t)
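Review bot: the three removed `security_t:file map` rules covered only the domains audit2allow flagged (`systemd_hostnamed_t`, `systemd_localed_t`, `systemd_logind_t`), but the replacement grants `selinux_use_status_page` to nine further domains including `init_t` and `rpm_t` with no denial on record for them. Limit the calls to domains with an observed denial, or state the justification in the commit message; each extra call also lengthens the `gen_require` list that has to resolve on the target.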
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index b45e60c..4876d1e 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
@@ -26,7 +26,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        247.3
-Release:        5%{?dist}
+Release:        6%{?dist}
 # For a breakdown of the licensing, see README
 License:        LGPLv2+ and MIT and GPLv2+
 Summary:        System and Service Manager
@@ -65,6 +65,7 @@ Source24:       sysusers.generate-pre.sh
 # Needed for selinux subpackage
 Source100:      Makefile.selinux
 Source101:      systemd_hs.te
+Source102:      systemd_hs.if

 %if 0
 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
@@ -383,7 +384,7 @@ runs properly under an environment with SELinux enabled.

 %if %{with selinux}
 mkdir selinux
-cp %SOURCE100 %SOURCE101 selinux
+cp %SOURCE100 %SOURCE101 %SOURCE102 selinux
 %endif

 %build
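Review bot: `systemd_hs.if` is now copied into `selinux/`, but nothing in this diff touches `Makefile.selinux` (Source100); confirm that it compiles `.if` files found next to the `.te` (the refpolicy devel Makefile does, a hand-written one may not), otherwise `selinux_use_status_page` is an undefined macro when `systemd_hs.te` is expanded and the build fails before `semodule` is ever reached.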
@@ -949,6 +950,10 @@ fi
 %endif

 %changelog
+* Wed Mar 31 2021 Davide Cavalca <dcavalca@fb.com> - 247.3-6
+- Backport https://github.com/SELinuxProject/refpolicy/pull/308 to fix
+  systemd-hostnamed and systemd-localed when SELinux is enabled.
+
 * Wed Mar 31 2021 Davide Cavalca <dcavalca@fb.com> - 247.3-5
 - Add selinux subpackage

is an attempt at backporting that selinux PR. This doesn't actually work though:

Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: systemd-libs-247.3-6.el8.x86_64                        1/1 
  Upgrading        : systemd-libs-247.3-6.el8.x86_64                       1/13 
  Running scriptlet: systemd-libs-247.3-6.el8.x86_64                       1/13 
  Running scriptlet: systemd-selinux-247.3-6.el8.noarch                    2/13 
  Installing       : systemd-selinux-247.3-6.el8.noarch                    2/13 
  Running scriptlet: systemd-selinux-247.3-6.el8.noarch                    2/13 
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/systemd_hs/cil:12
/usr/sbin/semodule:  Failed!

  Installing       : systemd-rpm-macros-247.3-6.el8.noarch                 3/13 
  Upgrading        : systemd-pam-247.3-6.el8.x86_64                        4/13 
  Running scriptlet: systemd-247.3-6.el8.x86_64                            5/13 
  Upgrading        : systemd-247.3-6.el8.x86_64                            5/13 
  Running scriptlet: systemd-247.3-6.el8.x86_64                            5/13 
  Upgrading        : systemd-container-247.3-6.el8.x86_64                  6/13 
  Running scriptlet: systemd-udev-247.3-6.el8.x86_64                       7/13 
  Upgrading        : systemd-udev-247.3-6.el8.x86_64                       7/13 
  Running scriptlet: systemd-udev-247.3-6.el8.x86_64                       7/13 
  Cleanup          : systemd-udev-239-44.el8.x86_64                        8/13 
  Running scriptlet: systemd-udev-239-44.el8.x86_64                        8/13 
  Cleanup          : systemd-container-239-44.el8.x86_64                   9/13 
  Running scriptlet: timedatex-0.5-3.el8.x86_64                           10/13 
  Obsoleting       : timedatex-0.5-3.el8.x86_64                           10/13 
  Running scriptlet: timedatex-0.5-3.el8.x86_64                           10/13 
  Running scriptlet: systemd-239-44.el8.x86_64                            11/13 
  Cleanup          : systemd-239-44.el8.x86_64                            11/13 
  Running scriptlet: systemd-239-44.el8.x86_64                            11/13 
  Cleanup          : systemd-libs-239-44.el8.x86_64                       12/13 
  Cleanup          : systemd-pam-239-44.el8.x86_64                        13/13 
  Running scriptlet: systemd-selinux-247.3-6.el8.noarch                   13/13 
  Running scriptlet: systemd-pam-239-44.el8.x86_64                        13/13 
  Running scriptlet: systemd-247.3-6.el8.x86_64                           13/13 
Not setting net/ipv4/conf/all/rp_filter (explicit setting exists).
Not setting net/ipv4/conf/default/rp_filter (explicit setting exists).
Not setting net/ipv4/conf/all/accept_source_route (explicit setting exists).
Not setting net/ipv4/conf/default/accept_source_route (explicit setting exists).
Not setting net/ipv4/conf/all/promote_secondaries (explicit setting exists).
Not setting net/ipv4/conf/default/promote_secondaries (explicit setting exists).

  Running scriptlet: systemd-udev-247.3-6.el8.x86_64                      13/13 
  Verifying        : systemd-rpm-macros-247.3-6.el8.noarch                 1/13 
  Verifying        : systemd-selinux-247.3-6.el8.noarch                    2/13 
  Verifying        : systemd-247.3-6.el8.x86_64                            3/13 
  Verifying        : systemd-239-44.el8.x86_64                             4/13 
  Verifying        : timedatex-0.5-3.el8.x86_64                            5/13 
  Verifying        : systemd-container-247.3-6.el8.x86_64                  6/13 
  Verifying        : systemd-container-239-44.el8.x86_64                   7/13 
  Verifying        : systemd-libs-247.3-6.el8.x86_64                       8/13 
  Verifying        : systemd-libs-239-44.el8.x86_64                        9/13 
  Verifying        : systemd-pam-247.3-6.el8.x86_64                       10/13 
  Verifying        : systemd-pam-239-44.el8.x86_64                        11/13 
  Verifying        : systemd-udev-247.3-6.el8.x86_64                      12/13 
  Verifying        : systemd-udev-239-44.el8.x86_64                       13/13 
Installed products updated.

Upgraded:
  systemd-247.3-6.el8.x86_64           systemd-container-247.3-6.el8.x86_64     
  systemd-libs-247.3-6.el8.x86_64      systemd-pam-247.3-6.el8.x86_64           
  systemd-udev-247.3-6.el8.x86_64     
Installed:
  systemd-rpm-macros-247.3-6.el8.noarch    systemd-selinux-247.3-6.el8.noarch   

Complete!

Note the

  Installing       : systemd-selinux-247.3-6.el8.noarch                    2/13 
  Running scriptlet: systemd-selinux-247.3-6.el8.noarch                    2/13 
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/systemd_hs/cil:12
/usr/sbin/semodule:  Failed!

Filed https://pagure.io/centos-infra/issue/274 in the meantime to get the SIG branch on selinux-policy cleaned up.
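An added example, not code from this ticket or from the SIG, for the failure quoted above: it collects the types named in a module's `gen_require` block and reports the ones missing from a `seinfo -t` listing, which is what `semodule` is complaining about when it cannot resolve the `typeattributeset` statement. The `.te` fragment and the `seinfo` listing are constructed, with `systemd_hw_t` deliberately absent from the listing; `live_seinfo()` is a hypothetical helper that runs the real setools `seinfo -t` when it is installed and falls back to the constructed listing otherwise.

```python
"""Check a module's gen_require types against the loaded base policy.

Added example for this ticket (not the SIG's code). A type listed in
gen_require that the base policy does not define makes semodule fail with
'Failed to resolve typeattributeset statement', as seen in the ticket.
"""
import re
import subprocess

# Constructed .te fragment in the shape of systemd_hs.te.
SAMPLE_TE = """\
policy_module(systemd_hs, 1.0)

gen_require(`
        type init_t;
        type security_t;
        type systemd_hostnamed_t;
        type systemd_hw_t;
        type systemd_localed_t;
')

selinux_use_status_page(systemd_hostnamed_t)
"""

# Constructed stand-in for `seinfo -t` output (assumed format: a 'Types: N'
# summary line followed by one indented type name per line).
SAMPLE_SEINFO = """\
Types: 5
   init_t
   security_t
   systemd_hostnamed_t
   systemd_localed_t
   unconfined_t
"""

REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
TYPE_DECL_RE = re.compile(r"^\s*type\s+([^;]+);", re.M)  # 'type a;' or 'type a, b;'


def required_types(te_text):
    """All type names declared inside gen_require(` ... ') blocks, in file order."""
    names = []
    for block in REQUIRE_RE.findall(te_text):
        for decl in TYPE_DECL_RE.findall(block):
            names.extend(name.strip() for name in decl.split(","))
    return names


def policy_types(seinfo_text):
    """Set of type names from `seinfo -t` output, skipping the summary line."""
    return {line.strip() for line in seinfo_text.splitlines()
            if line.strip() and not line.strip().startswith("Types:")}


def missing_types(te_text, seinfo_text):
    """Required types that the base policy does not define (empty list = OK)."""
    known = policy_types(seinfo_text)
    return [name for name in required_types(te_text) if name not in known]


def live_seinfo():
    """Hypothetical helper: run the real `seinfo -t`; None if setools is absent."""
    try:
        return subprocess.run(["seinfo", "-t"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    listing = live_seinfo() or SAMPLE_SEINFO
    missing = missing_types(SAMPLE_TE, listing)
    if missing:
        print("gen_require names types absent from the base policy:", ", ".join(missing))
    else:
        print("all required types exist in the base policy")
```

Run this against the real `.te` before `make -f Makefile.selinux`; trimming the `gen_require` block to the types that are both present and actually used by the rules is the cheap fix, whereas an absent type can only be satisfied by the base policy.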

Ok, everything seems to be working fine now; building systemd-247.3-8.hs.el8 in https://cbs.centos.org/koji/taskinfo?taskID=2337192

Tagged systemd-247.3-8.hs.el8 and validated that a straight upgrade works well. I think we can call this resolved.

Metadata Update from @dcavalca:
- Issue status updated to: Closed (was: Open)

2 years ago
