systemd crashes while attempting to start under container_user_r role #282

Thor-x86 opened this issue Nov 14, 2023 · 11 comments
@Thor-x86

Hello Mr. Dan and Colleagues,

Currently, I'm trying to run podman containers under multiple users with the container_u:container_user_r:container_user_t:s0:c512.c1023 context. For now, I'm running on a fresh Fedora 39 Server Edition installation with the container support option enabled. The problem is that whenever I start systemd for one of those users, systemd crashes with SEGV (segmentation fault):

$ sudo systemctl status user@1008
Job for user@1008.service failed because a fatal signal was delivered to the control process.
See "systemctl status user@1008.service" and "journalctl -xeu user@1008.service" for details.
[FAIL|1]

$ sudo systemctl status user@1008
× user@1008.service - User Manager for UID 1008
     Loaded: loaded (/usr/lib/systemd/system/user@.service; static)
    Drop-In: /usr/lib/systemd/system/user@.service.d
             └─10-login-barrier.conf
             /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: signal) since Tue 2023-11-14 17:59:12 WIB; 13s ago
       Docs: man:user@.service(5)
    Process: 1222 ExecStart=/usr/lib/systemd/systemd --user (code=killed, signal=SEGV)
   Main PID: 1222 (code=killed, signal=SEGV)
        CPU: 100ms

Nov 14 17:59:12 gudegmadura.co.id systemd[1]: Starting user@1008.service - User Manager for UID 1008...
Nov 14 17:59:12 gudegmadura.co.id (systemd)[1222]: pam_unix(systemd-user:session): session opened for user nginx_service(uid=1008) by nginx_service(uid=0)
Nov 14 17:59:12 gudegmadura.co.id systemd[1]: user@1008.service: Main process exited, code=killed, status=11/SEGV
Nov 14 17:59:12 gudegmadura.co.id systemd[1]: user@1008.service: Failed with result 'signal'.
Nov 14 17:59:12 gudegmadura.co.id systemd[1]: Failed to start user@1008.service - User Manager for UID 1008.
[FAIL|3]

Then I tried to troubleshoot it with ausearch, as below:

$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Tue Nov 14 17:59:02 2023
type=AVC msg=audit(1699959542.526:149): avc:  denied  { search } for  pid=1199 comm="sudo" name="1" dev="proc" ino=16342 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
time->Tue Nov 14 17:59:07 2023
type=AVC msg=audit(1699959547.893:154): avc:  denied  { search } for  pid=1199 comm="sudo" name="1" dev="proc" ino=16342 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
[DONE]

I have no idea why sudoers are not allowed to search the /proc directory, or why that causes a segfault in systemd. Did I do something wrong in the configuration, or does the AVC report say nothing about the crash? By the way, I noticed something funny...

$ ssh nginx_service@localhost
Enter passphrase for key '/home/thorx86/.ssh/id_ed25519':
Last login: Tue Nov 14 07:11:39 2023 from ::1
[nginx_service@gudegmadura.co.id ~]$ systemctl status --user
-bash: systemctl: command not found
[nginx_service@gudegmadura.co.id ~]$ ls /usr/bin/systemctl
ls: cannot access '/usr/bin/systemctl': Permission denied
[nginx_service@gudegmadura.co.id ~]$ 

Is systemd intentionally disabled in the container_user_r role? If so, how do I auto-start each podman container for multiple users? Thank you!

@Thor-x86 (Author)

Update

Rootless Podman also won't work under the container_user_r role, even when using cgroup v2. Here's what happened when I ran the container:

[nginx_service@gudegmadura.co.id ~]$ podman start -ai nginx
WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available
WARN[0000] For using systemd, you may need to log in using a user session
WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 1008` (possibly as root)
WARN[0000] Falling back to --cgroup-manager=cgroupfs
{"msg":"exec container process `/docker-entrypoint.sh`: Permission denied","level":"error","time":"2023-1115T15:04:49.311235Z"}

Then the ausearch logs:

$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Wed Nov 15 22:02:57 2023
type=SELINUX_ERR msg=audit(1700060577.134:1354): op=security_compute_sid invalid_context="container_u:container_user_r:kmod_t:s0-s0:c512" scontext=container_u:container_user_r:container_runtime_t:s0-s0:c512 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=process
----
time->Wed Nov 15 22:03:25 2023
type=AVC msg=audit(1700060605.934:1363): avc:  denied  { search } for  pid=6020 comm="sudo" name="1" dev="proc" ino=2107 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
time->Wed Nov 15 22:04:08 2023
type=SELINUX_ERR msg=audit(1700060648.070:1412): op=security_compute_sid invalid_context="container_u:container_user_r:kmod_t:s0-s0:c512" scontext=container_u:container_user_r:container_runtime_t:s0-s0:c512 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=process
----
time->Wed Nov 15 22:04:22 2023
type=AVC msg=audit(1700060662.201:1413): avc:  denied  { transition } for  pid=6197 comm="3" path="/docker-entrypoint.sh" dev="overlay" ino=20386 scontext=container_u:container_user_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c429,c593 tclass=process permissive=0
----
time->Wed Nov 15 22:04:49 2023
type=AVC msg=audit(1700060689.310:1418): avc:  denied  { transition } for  pid=6260 comm="3" path="/docker-entrypoint.sh" dev="overlay" ino=20386 scontext=container_u:container_user_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c429,c593 tclass=process permissive=0
[DONE]

I have no idea what's happening with SELinux. I'm literally stuck now ☹️ I doubt that uninstalling the container-selinux package and then using staff_u for each container is a safe option. Please give me some guidance, or at least information on how to debug those pesky segfaults (I have experience with GDB, but not with a running systemd process).

@Thor-x86 (Author)

Update 2

Running under user_u also doesn't work. The reason is the same: permission denied. The AVC report is almost identical to the one in the previous comment. However, systemd and the user DBus are working properly. Changing to permissive mode definitely works as expected, but that defeats the purpose of SELinux. At this point, I'm not sure whether rootless podman is designed to work with SELinux, or perhaps I missed something? I dunno... @rhatdan please give me your guidance.

@rhatdan (Member)

rhatdan commented Nov 20, 2023

What version of podman are you attempting this with?

@Thor-x86 (Author)

> What version of podman are you attempting this with?

At that time, Podman was up to date. I believe v4.7.2.

@rhatdan (Member)

rhatdan commented Dec 20, 2023

Could you try again to make sure it is 4.7.2, or better yet 4.8.*?

@Thor-x86 (Author)

I'm going to re-install Fedora Server after I finish my work today, and I'll tell you the result. Thank you for your attention.

@Thor-x86 (Author)

Thor-x86 commented Dec 21, 2023

I re-installed the latest stable Fedora Server 39 and container-selinux package release. Then I ran these commands:

# dnf upgrade
# reboot
# restorecon -RF /
# semanage user -a -L s0-s0 -r s0-s0:c0.c1023 -R container_user_r container_u
# useradd -d /home/container -F -m -U -s /bin/bash -Z container_u --selinux-range s0-s0:c0.1023 container
$ exit 0

Then I logged in as container and ran this command:

$ systemctl --user status
-bash: systemctl: command not found

$ ls $(which systemctl)
/usr/bin/which: no systemctl in (/home/container/.local/bin:/home/container/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)

Well... that's weird, so I went back to the admin user (which is staff_u) and ran this command:

$ ls $(which systemctl)
-rwxr-xr-x. 1 root root system_u:object_r:systemd_systemctl_exec_t:s0 316K Nov 29 07:00 /usr/bin/systemctl

# systemctl start user@1001
Job for user@1001.service failed because a fatal signal was delivered to the control process.
See "systemctl status user@1001.service" and "journalctl -xeu user@1001.service" for details.

# journalctl -xeu user@1001.service
 Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

A start job for unit user@1001.service has begun execution.

The job identifier is 3921.
Dec 22 06:10:14 localhost.localdomain (systemd)[2359]: pam_unix(systemd-user:session): session opened for user containe>
Dec 22 06:10:14 localhost.localdomain systemd[1]: user@1001.service: Main process exited, code=killed, status=11/SEGV
Subject: Unit process exited

Where 1001 is the UID or GID of the container user. As you can see, the problem still exists. By the way, all packages are already up to date.

$ uname -r
6.6.7-200.fc39.x86_64

Edit

I realized that the latest package isn't actually the latest:

# dnf info container-selinux
Last metadata expiration check: 0:44:37 ago on Fri 22 Dec 2023 05:32:41 AM WIB.
Installed Packages
Name         : container-selinux
Epoch        : 2
Version      : 2.226.0
Release      : 1.fc39
Architecture : noarch
Size         : 67 k
Source       : container-selinux-2.226.0-1.fc39.src.rpm
Repository   : @System
From repo    : updates
Summary      : SELinux policies for container runtimes
URL          : https://github.com/containers/container-selinux
License      : GPL-2.0-only
Description  : SELinux policy modules for use with container runtimes.

Is it still on rawhide?

@rhatdan (Member)

rhatdan commented Dec 22, 2023

What are the latest AVC messages you are seeing?

@Thor-x86 (Author)

# systemctl start user@1001
Job for user@1001.service failed because a fatal signal was delivered to the control process.
See "systemctl status user@1001.service" and "journalctl -xeu user@1001.service" for details.

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

That's odd... perhaps this is entirely a systemd bug? I also tried logging in as the container user and then ran this:

$ systemctl --user status
-bash: systemctl: command not found

And then went back to the admin user to run this:

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>

I have no idea why the previous AVC messages suddenly disappeared after I re-installed Fedora and upgraded to the latest stable release. Despite that, auditd is still working properly:

# systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sat 2023-12-23 04:03:52 WIB; 4min 17s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 812 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 821 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 814 (auditd)
      Tasks: 4 (limit: 2227)
     Memory: 5.2M
        CPU: 248ms
     CGroup: /system.slice/auditd.service
             ├─814 /sbin/auditd
             └─816 /usr/sbin/sedispatch

Dec 23 04:03:51 localhost systemd[1]: Starting auditd.service - Security Auditing Service...
Dec 23 04:03:51 localhost auditd[814]: audit dispatcher initialized with q_depth=2000 and 1 active plugins
Dec 23 04:03:51 localhost auditd[814]: Init complete, auditd 3.1.2 listening for events (startup state enable)
Dec 23 04:03:52 localhost augenrules[821]: /sbin/augenrules: No change
Dec 23 04:03:52 localhost augenrules[833]: No rules
Dec 23 04:03:52 localhost systemd[1]: Started auditd.service - Security Auditing Service.

@rhatdan (Member)

rhatdan commented Dec 23, 2023

Dontaudit rules are hiding the denial.

sudo semodule -DB

Now you should see the AVCs.

sudo semodule -B

To turn the dontaudit rules back on.

@Thor-x86 (Author)

Thor-x86 commented Dec 28, 2023

# semodule -DB

# systemctl start user@1001
Job for user@1001.service failed because a fatal signal was delivered to the control process.
See "systemctl status user@1001.service" and "journalctl -xeu user@1001.service" for details.

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.461:184): avc:  denied  { net_admin } for  pid=1177 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.461:185): avc:  denied  { net_admin } for  pid=1177 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.504:187): avc:  denied  { read } for  pid=1179 comm="(systemd)" name="shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.526:188): avc:  denied  { siginh } for  pid=1180 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:194): avc:  denied  { read write } for  pid=1179 comm="systemd" path="socket:[2942]" dev="sockfs" ino=2942 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:195): avc:  denied  { read write } for  pid=1179 comm="systemd" path="socket:[2942]" dev="sockfs" ino=2942 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:196): avc:  denied  { siginh } for  pid=1179 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:197): avc:  denied  { map } for  pid=1179 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0

Great! It's starting to show something. Out of curiosity, I tried the same command in permissive mode to get more denial information.

# setenforce 0

# systemctl start user@1001

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.642:225): avc:  denied  { net_admin } for  pid=1225 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.682:227): avc:  denied  { read } for  pid=1227 comm="(systemd)" name="shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.682:228): avc:  denied  { open } for  pid=1227 comm="(systemd)" path="/etc/shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:234): avc:  denied  { read write } for  pid=1227 comm="systemd" path="socket:[10401]" dev="sockfs" ino=10401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:235): avc:  denied  { siginh } for  pid=1227 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=process permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:236): avc:  denied  { map } for  pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:237): avc:  denied  { read } for  pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:238): avc:  denied  { execute } for  pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.698:239): avc:  denied  { map } for  pid=1227 comm="systemd" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:240): avc:  denied  { search } for  pid=1227 comm="systemd" name="1" dev="proc" ino=49 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:241): avc:  denied  { read } for  pid=1227 comm="systemd" name="cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:242): avc:  denied  { open } for  pid=1227 comm="systemd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:243): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:244): avc:  denied  { read } for  pid=1227 comm="systemd" name="cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:245): avc:  denied  { open } for  pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:246): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:247): avc:  denied  { ioctl } for  pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.718:248): avc:  denied  { prog_load } for  pid=1227 comm="systemd" scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=bpf permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.731:249): avc:  denied  { ioctl } for  pid=1227 comm="systemd" path="/proc/cpuinfo" dev="proc" ino=4026532021 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.744:250): avc:  denied  { read } for  pid=1227 comm="systemd" name="mount" dev="tmpfs" ino=326 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:251): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/dev/dm-0" dev="devtmpfs" ino=392 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:252): avc:  denied  { search } for  pid=1227 comm="systemd" name="udev" dev="tmpfs" ino=52 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:253): avc:  denied  { read } for  pid=1227 comm="systemd" name="b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:254): avc:  denied  { open } for  pid=1227 comm="systemd" path="/run/udev/data/b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:255): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/run/udev/data/b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.746:256): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.747:257): avc:  denied  { search } for  pid=1227 comm="systemd" name="user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:258): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:259): avc:  denied  { read } for  pid=1227 comm="systemd" name="user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:260): avc:  denied  { open } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:261): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/session.slice" dev="dm-0" ino=25524631 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:262): avc:  denied  { read } for  pid=1227 comm="systemd" name="10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:263): avc:  denied  { open } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/slice.d/10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:264): avc:  denied  { ioctl } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/slice.d/10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:265): avc:  denied  { read } for  pid=1227 comm="systemd" name="systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:266): avc:  denied  { open } for  pid=1227 comm="systemd" path="/run/udev/tags/systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:267): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/run/udev/tags/systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.773:268): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/dev/sr0" dev="devtmpfs" ino=341 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.776:269): avc:  denied  { getattr } for  pid=1227 comm="systemd" path="/dev/ptp0" dev="devtmpfs" ino=540 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.873:270): avc:  denied  { read } for  pid=1227 comm="systemd" name="net" dev="proc" ino=4026531845 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:271): avc:  denied  { read } for  pid=1227 comm="systemd" name="dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:272): avc:  denied  { open } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:273): avc:  denied  { ioctl } for  pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.888:274): avc:  denied  { search } for  pid=1227 comm="systemd" name="1" dev="proc" ino=49 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.892:275): avc:  denied  { compute_create } for  pid=1227 comm="systemd" scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.895:276): avc:  denied  { getattr } for  pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:277): avc:  denied  { execute } for  pid=1240 comm="(ystemctl)" name="systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:278): avc:  denied  { read open } for  pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:279): avc:  denied  { execute_no_trans } for  pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.897:280): avc:  denied  { map } for  pid=1240 comm="systemctl" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:281): avc:  denied  { getattr } for  pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:282): avc:  denied  { execute } for  pid=1241 comm="(tmpfiles)" name="systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:283): avc:  denied  { read open } for  pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:284): avc:  denied  { execute_no_trans } for  pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.899:285): avc:  denied  { map } for  pid=1241 comm="systemd-tmpfile" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.904:286): avc:  denied  { read } for  pid=1240 comm="systemctl" name="root" dev="proc" ino=92 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1

EDIT

I just figured out what happened after storing the last logs above as systemd_denials.log and then executing audit2allow -i systemd_denials.log -o systemd_fix.te. Here's the content of systemd_fix.te:

#============= container_user_t ==============
allow container_user_t clock_device_t:chr_file getattr;
allow container_user_t dbusd_unit_file_t:file { getattr ioctl open read };
allow container_user_t fixed_disk_device_t:blk_file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t init_exec_t:file map;
allow container_user_t init_exec_t:file { execute read };
allow container_user_t init_t:dir search;
allow container_user_t init_t:file { getattr ioctl open read };
allow container_user_t init_t:lnk_file read;
allow container_user_t init_t:unix_stream_socket { read write };
allow container_user_t mount_var_run_t:dir read;
allow container_user_t proc_net_t:lnk_file read;
allow container_user_t proc_t:file { getattr ioctl open read };
allow container_user_t removable_device_t:blk_file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t security_t:file map;
allow container_user_t security_t:security compute_create;
allow container_user_t self:bpf prog_load;
allow container_user_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t systemd_systemctl_exec_t:file map;
allow container_user_t systemd_tmpfiles_exec_t:file { execute execute_no_trans getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t systemd_tmpfiles_exec_t:file map;
allow container_user_t systemd_unit_file_t:dir { getattr open read search };
allow container_user_t systemd_unit_file_t:file { getattr ioctl open read };
allow container_user_t udev_var_run_t:dir { getattr open read search };
allow container_user_t udev_var_run_t:file { getattr open read };

#============= init_t ==============
allow init_t container_user_t:process siginh;
allow init_t shadow_t:file { open read };

#============= systemd_logind_t ==============
allow systemd_logind_t self:capability net_admin;

Running sudo setsebool -P domain_can_mmap_files=true still won't fix the problem. I think we have to modify the policy manually.
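As an added illustration (this is not code from the issue or from the container-selinux project), the script below does the core of what audit2allow did to produce the .te file above: it parses AVC records of the shape quoted in this issue, merges them by (source type, target type, object class), splits out the `map` denials that the domain_can_mmap_files boolean covers, and reports which rules a boolean alone leaves unsatisfied, which is why flipping that boolean did not make the crash go away. The sample records are copied from the ausearch output earlier in the thread; the `unresolved_by_booleans` helper and the hard-coded mapping of `map` to that one boolean are assumptions of this example, not audit2allow's actual boolean lookup.

```python
import re
from collections import defaultdict

# Constructed sample input: four AVC records copied from the ausearch output
# quoted in this issue (same fields, same contexts, same permissions).
SAMPLE_AVCS = """\
type=AVC msg=audit(1703766251.896:277): avc:  denied  { execute } for  pid=1240 comm="(ystemctl)" name="systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1703766251.896:278): avc:  denied  { read open } for  pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1703766251.897:280): avc:  denied  { map } for  pid=1240 comm="systemctl" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1703766251.904:286): avc:  denied  { read } for  pid=1240 comm="systemctl" name="root" dev="proc" ino=92 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1
"""

# Fields we need from one AVC record: the denied permission set, both
# contexts, the object class, and whether the kernel was in permissive mode.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

# Assumption of this example: which permission/class pairs a boolean covers.
# audit2allow derives this from the loaded policy; here it is hard-coded to
# the one boolean named in the issue's audit2allow output.
BOOLEAN_COVERS = {("file", "map"): "domain_can_mmap_files"}


def context_type(ctx):
    """Type is the third colon-separated field of user:role:type:range."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def aggregate(lines):
    """Merge denials into (source, target, class) -> perms, splitting out the
    permissions a boolean covers, the way audit2allow's output separates them."""
    rules = defaultdict(set)        # need a custom allow rule
    boolean_rules = defaultdict(set)  # coverable by a boolean (here: map)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        for perm in sorted(rec["perms"]):
            if (rec["tclass"], perm) in BOOLEAN_COVERS:
                boolean_rules[key].add(perm)
            else:
                rules[key].add(perm)
    return rules, boolean_rules


def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def render_te(rules, boolean_rules):
    """Render the rules in the same layout as the audit2allow output above."""
    out, current_source = [], None
    for key in sorted(set(rules) | set(boolean_rules)):
        s, t, c = key
        if s != current_source:
            out.append(f"#============= {s} ==============")
            current_source = s
        if key in boolean_rules:
            for perm in sorted(boolean_rules[key]):
                out.append(f"#!!!! This avc can be allowed using the boolean '{BOOLEAN_COVERS[(c, perm)]}'")
                out.append(f"allow {s} {t}:{c} {perm};")
        if key in rules:
            out.append(f"allow {s} {t}:{c} {fmt_perms(rules[key])};")
    return out


def unresolved_by_booleans(rules, boolean_rules, enabled_booleans):
    """Rule keys that still need a policy module after the given booleans are
    enabled. Shows why setting domain_can_mmap_files alone is not enough."""
    left = set(rules)
    for key, perms in boolean_rules.items():
        if any(BOOLEAN_COVERS[(key[2], p)] not in enabled_booleans for p in perms):
            left.add(key)
    return sorted(left)


if __name__ == "__main__":
    r, b = aggregate(SAMPLE_AVCS.splitlines())
    print("\n".join(render_te(r, b)))
    print("still unresolved with the boolean on:", unresolved_by_booleans(r, b, {"domain_can_mmap_files"}))
```

Run on the four sample records it prints one source-type section with the lnk_file rule, the `map` rule under its boolean comment, and the merged `{ execute open read }` rule; the last line lists the two keys that the boolean cannot satisfy, which is what a custom module (or a change to container-selinux) has to cover.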

Thor-x86 added a commit to Thor-x86/container-selinux that referenced this issue Dec 28, 2023
The pull request fixes issue containers#282

Signed-off-by: Athaariq Ardhiansyah <foss@athaariq.my.id>
Thor-x86 pushed a commit to Thor-x86/container-selinux that referenced this issue Dec 28, 2023
The pull request fixes issue containers#282

Signed-off-by: Athaariq Ardhiansyah <athaariq@gmail.com>
Thor-x86 added a commit to Thor-x86/container-selinux that referenced this issue Dec 28, 2023
The pull request fixes issue containers#282

Signed-off-by: Athaariq Ardhiansyah <athaariqa@gmail.com>