Re: /etc/machine-id has wrong SELinux file context and changes on second boot

> It is a policy configuration issue obviously. I am not sure what version
> of reference policy Yocto is using in that environment but you might want
> to see if it is old. SELinux policy is very dynamic.
The initial update is now in RefPolicy "main".

https://github.com/SELinuxProject/refpolicy/pull/874
> 
> Frankly, according to my security policy systemd-machine-id-setup is
> selinux aware like many systemd components and so it should address
> labeling programmatically (if it is allowed to by the policy selinux enforces)
> 
> Can you produce this issue with selinux in permissive mode? If it works
> in permissive mode but not in enforcing mode then selinux is blocking
> systemd-machine-id-setup and that might cause the labeling issue.
> 
> By the way I would argue that both init_runtime_t and etc_runtime_t are 
> not suitable for this and that it should probably have a private
> machineid_t type since AFAIK this /etc/machine-id is only ever created
> by systemd-machine-id-setup.
This is helpful and could be completed in a future RefPolicy PR.

For reference, Fedora policy uses "machineid_t".

https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/system/init.fc#L67
https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/system/init.te#L241
> 
> "Sebert, Holger.ext" <Holger.Sebert.ext at karlstorz.com> writes:
> 
> > Hi! 
> >
> > I am having issues with systemd's machine-id: On first boot it is
> > created, i.e. the file /etc/machine-id changes from “uninitialized” to a
> > hash value; but it has the wrong SELinux file context, namely
> > “init_runtime_t”.
There was a missing type transition override to etc_runtime_t from the
default of init_runtime_t.
> >
> > Furthermore, I am getting the following error message:
> >
> > localhost systemd[1]: systemd-machine-id-commit.service: Main process exited, code=exited, status=1/FAILURE
> > localhost systemd-machine-id-setup[424]: Failed to unmount transient /etc/machine-id file: No such file or directory.
> > localhost systemd-machine-id-setup[424]: We keep that mount until next reboot.
> > localhost systemd[1]: systemd-machine-id-commit.service: Failed with result 'exit-code'.
> >
> > On the next boot, /etc/machine-id has the correct SELinux file context,
> > namely, “etc_runtime_t”, but the ID has changed! On subsequent boots,
> > it remains unchanged, however.
> >
> > I think this could be related to this old bug:
> >
> > https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1411140
> >
> > And, indeed, we are also using OverlayFS (in a Yocto/Poky (mickledore)
> > environment).
Now that it's available, you could give Scarthgap (LTS) a try.
> >
> > Do you have an idea how to work around this problem?
> >
> > Best,
> > Holger

--
Clayton Casciato
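A small audit script for the labeling problem discussed in this thread, added here as an example (it is not code from the thread or from refpolicy): it reports whether /etc/machine-id carries the type the loaded policy expects, lists any init_t-to-etc_t file transition the policy has, and recognises the commit-service failure quoted above in journal text. It assumes coreutils stat, libselinux matchpathcon/getenforce and setools sesearch are installed; the live part only runs on an SELinux-enabled host.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy.
# Assumes: coreutils stat, libselinux matchpathcon/getenforce, setools sesearch.

# Type component (third field) of a context such as system_u:object_r:etc_runtime_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if both contexts carry the same type, 1 otherwise.
label_matches() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# 0 if the journal text on stdin shows systemd-machine-id-commit.service failing
# the way the thread quotes it (transient /etc/machine-id mount not unmounted).
commit_failed() {
    grep -q -e 'systemd-machine-id-commit.service: Failed' \
            -e 'Failed to unmount transient /etc/machine-id'
}

# Live audit: compare the file's current label with what the policy would assign.
audit_machine_id() {
    actual=$(stat -c %C /etc/machine-id)
    expected=$(matchpathcon -n /etc/machine-id)
    if label_matches "$actual" "$expected"; then
        echo "OK: /etc/machine-id is $(context_type "$actual")"
        return 0
    fi
    echo "MISMATCH: file is $(context_type "$actual"), policy expects $(context_type "$expected")"
    echo "SELinux mode: $(getenforce)"
    # Without a name-based transition for init_t creating a file in an etc_t
    # directory, the file keeps the creator's default type (init_runtime_t here).
    echo "type_transition rules for init_t creating files in etc_t:"
    sesearch -T -s init_t -t etc_t -c file
    return 1
}

# Run the live audit only where SELinux and the tools are present; the helpers
# above also work on saved `stat -c %C` output or saved journal text.
if [ -d /sys/fs/selinux ] && command -v matchpathcon >/dev/null 2>&1; then
    audit_machine_id
    journalctl -b -u systemd-machine-id-commit.service 2>/dev/null | commit_failed \
        && echo "journal: systemd-machine-id-commit.service failed this boot"
fi
```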