Bugzilla – Bug 1223599
selinux: systemd-fstab-generator can't read credentials
Last modified: 2024-06-14 13:27:31 UTC
Running qemu with something like

  -fsdev local,security_model=none,id=fsdev0,path=/home/ln/git -device virtio-9p-pci,id=fs0,fsdev=fsdev0,mount_tag=git -smbios type=11,value=io.systemd.credential.binary:fstab.extra=Z2l0IC9ydW4vcWVtdS9naXQgOXAgdHJhbnM9dmlydGlvLHZlcnNpb249OXAyMDAwLkwK

in order to mount a directory from the host into the VM results in SELinux violations from systemd-fstab-generator. Looks like the policy disallows it from reading /run/credentials/@system/fstab.extra:

Apr 30 14:38:33 localhost kernel: audit: type=1400 audit(1714487912.626:6): avc: denied { map_read map_write } for pid=485 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
Apr 30 14:38:33 localhost kernel: audit: type=1400 audit(1714487912.659:8): avc: denied { read } for pid=485 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Apr 30 14:38:33 localhost (sd-exec-[480]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
Apr 30 14:38:32 localhost systemd-fstab-generator[485]: Failed read unencrypted credential 'fstab.extra': Permission denied
This could be a duplicate of bug 1222736. Can you test with the policy in security:SELinux? https://build.opensuse.org/package/show/security:SELinux/selinux-policy

We have a couple of changes in the devel project which have not made their way to Factory yet ATM; we are still testing some large changes and Cathy is away for a couple of weeks. We hope to submit soon.
Not fixed.

container-selinux-2.230.0+git4.a8e389d-1.14.noarch   Tue Apr 30 15:06:37 2024
selinux-policy-targeted-20240411-226.12.noarch       Tue Apr 30 15:06:28 2024
selinux-policy-20240411-226.12.noarch                Tue Apr 30 15:06:17 2024
policycoreutils-3.6-210.26.x86_64                    Tue Apr 30 15:06:17 2024
selinux-tools-3.6-191.10.x86_64                      Tue Apr 30 15:06:16 2024
libsepol2-3.6-105.13.x86_64                          Tue Apr 30 15:06:16 2024
libsemanage2-3.6-122.10.x86_64                       Tue Apr 30 15:06:16 2024
libsemanage-conf-3.6-122.10.x86_64                   Tue Apr 30 15:06:16 2024
libselinux1-3.6-191.10.x86_64                        Tue Apr 30 15:06:15 2024
It looks to me like it fixes 1 of the 2 AVCs you reported, do you see the same?

> Apr 30 14:38:33 localhost kernel: audit: type=1400 audit(1714487912.626:6): avc: denied { map_read map_write } for pid=485 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0

This one should be gone with the security:SELinux policy.

> Apr 30 14:38:33 localhost kernel: audit: type=1400 audit(1714487912.659:8): avc: denied { read } for pid=485 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

This one unfortunately looks new. We'll look into this one.
Reproducible (in case we need to reproduce it in the future again):

- Have an SELinux-enabled guest VM (tw or microos)
- On host: add SMBIOS tags to the libvirt XML:
  1. virsh dumpxml selinux-bugs-vm > foo
  2. edit "foo" (make sure to add the xmlns:qemu in the domain tag as well):
```
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
...
  <qemu:commandline>
    <qemu:arg value='-smbios'/>
    <qemu:arg value='type=11,value=io.systemd.credential.binary:fstab.extra=Z2l0IC9ydW4vcWVtdS9naXQgOXAgdHJhbnM9dmlydGlvLHZlcnNpb249OXAyMDAwLkwK'/>
  </qemu:commandline>
</domain>
```
  3. virsh define foo
  4. Boot the guest VM
- On guest, there should be a new fstab.extra file:

$ sudo ls -alZ /run/credentials/@system/
total 4
drwx------. 2 root root system_u:object_r:tmpfs_t:s0   60 May 16 15:58 .
drwxr-xr-x. 3 root root system_u:object_r:var_run_t:s0 60 May 16 15:58 ..
-r--------. 1 root root system_u:object_r:tmpfs_t:s0   51 May 16 15:58 fstab.extra

$ sudo systemctl daemon-restart

$ sudo ausearch -m avc -ts 16:00
----
time->Thu May 16 16:05:42 2024
type=AVC msg=audit(1715868342.425:117): avc: denied { map_read map_write } for pid=1416 comm="nfs-server-gene" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
time->Thu May 16 16:05:42 2024
type=AVC msg=audit(1715868342.431:118): avc: denied { map_read map_write } for pid=1422 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
time->Thu May 16 16:05:42 2024
type=AVC msg=audit(1715868342.435:119): avc: denied { map_read map_write } for pid=1424 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
time->Thu May 16 16:05:42 2024
type=AVC msg=audit(1715868342.438:120): avc: denied { read } for pid=1422 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

Will work on a fix.
Should be fixed with this one: https://build.opensuse.org/request/show/1180332
Also merged upstream, closing; please reopen if you encounter further issues :)