Hello there,
I'm trying to start a new systemd-container with machinectl which gives me an error like:
Job for systemd-nspawn@fedora-33-dev.service failed because the control process exited with error code.
See "systemctl status systemd-nspawn@fedora-33-dev.service" and "journalctl -xeu systemd-nspawn@fedora-33-dev.service" for details.
In the journal is nothing really interesting just:
Aug 12 09:27:08 desktop-louis systemd-nspawn[4937]: Failed to register machine: Access denied
Aug 12 09:27:08 desktop-louis systemd-nspawn[4940]: Parent died too early
Now if I set se linux to permissive, it work without any problems but I get the following if I lookup the selinux logs:
SELinux is preventing systemd-machine from search access on the directory 4940.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-machine should be allowed search access on the 4940 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-machine' --raw | audit2allow -M my-systemdmachine
# semodule -X 300 -i my-systemdmachine.pp
Additional Information:
Source Context system_u:system_r:systemd_machined_t:s0
Target Context system_u:system_r:unconfined_service_t:s0
Target Objects 4940 [ dir ]
Source systemd-machine
Source Path systemd-machine
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.14-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.14-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name desktop-louis
Platform Linux desktop-louis 5.13.8-200.fc34.x86_64 #1 SMP
Wed Aug 4 19:59:54 UTC 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-08-12 09:27:08 CEST
Last Seen 2021-08-12 09:27:08 CEST
Local ID 0ded547d-2c08-4e48-a664-159ec9c9675b
Raw Audit Messages
type=AVC msg=audit(1628753228.555:412): avc: denied { search } for pid=846 comm="systemd-machine" name="4940" dev="proc" ino=65001 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
Hash: systemd-machine,systemd_machined_t,unconfined_service_t,dir,search
If I then look up the (presumably inode number 4940) with sudo find / -inum 4940, I get the following:
/sys/kernel/tracing/events/compaction/mm_compaction_kcompactd_wake/hist
/sys/kernel/debug/tracing/events/compaction/mm_compaction_kcompactd_wake/hist
/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/init.scope/cgroup.events
/sys/firmware/acpi/interrupts/gpe13
/usr/share/app-info/icons/fedora/64x64/org.fedoraproject.google-noto-serif-fonts.png
Now here comes my question, how should I continue with this problem and where should I report this problem to.
Ps. Sorry if I made something wrong fist time using a mailing list.
Thanks
Louis
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
