systemd-homed not working on f41 #2452

Open
tulilirockz opened this issue Nov 29, 2024 · 2 comments

Comments


tulilirockz commented Nov 29, 2024

Haven't tested it on any other version, but homectl create doesn't seem to work on my current image. I am using Bluefin-dx:latest which is based on Fedora 41.

system logs:

Nov 28 20:55:11 studio audit[1449]: AVC avc:  denied  { read } for  pid=1449 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Nov 28 20:55:11 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 28 20:55:11 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed-activate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 28 20:55:46 studio audit[1449]: AVC avc:  denied  { write } for  pid=1449 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Nov 28 20:57:03 studio audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 28 20:57:04 studio audit[4462]: AVC avc:  denied  { read } for  pid=4462 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Nov 28 20:57:04 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
# then this x1000 times or so
Nov 28 21:09:27 studio audit[4462]: AVC avc:  denied  { fowner } for  pid=4462 comm="systemd-homed" capability=3  scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:system_r:systemd_homed_t:s0 tclass=capability permissive=0

rpm -qa | grep selinux:

libselinux-3.7-5.fc41.x86_64
libselinux-utils-3.7-5.fc41.x86_64
selinux-policy-41.26-1.fc41.noarch
selinux-policy-targeted-41.26-1.fc41.noarch
container-selinux-2.234.2-1.fc41.noarch
passt-selinux-0^20241121.g238c69f-1.fc41.noarch
python3-libselinux-3.7-5.fc41.x86_64
flatpak-selinux-1.15.10-1.fc41.noarch
rpm-plugin-selinux-4.20.0-1.fc41.x86_64
smartmontools-selinux-7.4-6.fc41.noarch
freeipa-selinux-4.12.2-4.fc41.noarch
swtpm-selinux-0.9.0-4.fc41.noarch
osbuild-selinux-132-1.fc41.noarch
nbdkit-selinux-1.40.4-1.fc41.noarch
incus-selinux-6.7-0.1.fc41.noarch
cockpit-selinux-329.1-1.fc41.noarch

authselect current:

Profile ID: local
Enabled features:
- with-silent-lastlog
- with-mdns4
- with-fingerprint
- with-systemd-homed

bootc status: (if that is even useful)

apiVersion: org.containers.bootc/v1
kind: BootcHost
metadata:
  name: host
spec:
  image:
    image: ghcr.io/ublue-os/bluefin-dx:latest
    transport: registry
    signature: containerPolicy
  bootOrder: default
status:
  staged: null
  booted:
    image:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241128
      timestamp: 2024-11-28T04:59:59Z
      imageDigest: sha256:d0b155e298b6dc1b40eac09208bea4fdbfbd125a080fd85573afd8a63a181867
    cachedUpdate: null
    incompatible: false
    pinned: false
    store: ostreeContainer
    ostree:
      checksum: 3c432c099cf531d99ec3cd740ce708f321a816ee7f56c288059e7f1d04d4ba7f
      deploySerial: 0
  rollback:
    image:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241127.1
      timestamp: 2024-11-27T10:45:44Z
      imageDigest: sha256:e23e65b5eafaa256c095081b4eb110b81ee486e07f1fef1a9dbe9bb4775bcf8c
    cachedUpdate:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241128
      timestamp: 2024-11-28T04:59:59Z
      imageDigest: sha256:d0b155e298b6dc1b40eac09208bea4fdbfbd125a080fd85573afd8a63a181867
    incompatible: false
    pinned: false
    store: ostreeContainer
    ostree:
      checksum: 9ec430dad8244ef31dab4b4ed79ea916c78adae61b168f7a2f7845b2cb68e6e7
      deploySerial: 0
  rollbackQueued: false
  type: bootcHost

journalctl -b | audit2allow -m myerrors:

# this also has a setroubleshootd definition there but still

module myerrors 1.0;

require {
	type install_exec_t;
	type systemd_homed_t;
	type var_t;
	type systemd_homework_t;
	type setroubleshootd_t;
	class dir { read write };
	class capability fowner;
	class file execute;
}

#============= setroubleshootd_t ==============
allow setroubleshootd_t install_exec_t:file execute;

#============= systemd_homed_t ==============
allow systemd_homed_t self:capability fowner;
allow systemd_homed_t var_t:dir { read write };

#============= systemd_homework_t ==============
allow systemd_homework_t var_t:dir read;

tulilirockz commented Nov 29, 2024

Applying the audit2allow rule fixes it completely (although I suppose it isn't the best idea to use that one?)

tulilirockz commented

Also got this:

Nov 28 23:15:11 studio audit[1392]: AVC avc:  denied  { add_name } for  pid=1392 comm="systemd-homed" name="tulili" scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
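A small triage parser for the AVC records quoted in this issue, added here as an example (it is not code from the reporter or from the Bluefin project). It takes the journal lines above as its sample input, groups denials by source type, target type and object class, renders the allow rule audit2allow would print for each group so it can be compared with the module in the first comment, and flags groups whose target is a generic filesystem type; the GENERIC_TARGET_TYPES list is my own heuristic, not something the page or the SELinux tooling defines. A denial against var_t for a directory named home is worth checking with a label dry run (restorecon -nv on the path) before a blanket rule is installed, because `allow systemd_homed_t var_t:dir { read write }` grants access to every var_t directory on the system, not just the home tree.

```python
import re
from collections import defaultdict

# Sample input: the audit lines quoted in this issue, with the wrapped journal
# output re-joined. The SERVICE_START line is kept to show non-AVC records being
# skipped rather than mis-parsed.
SAMPLE_LINES = [
    'Nov 28 20:55:11 studio audit[1449]: AVC avc:  denied  { read } for  pid=1449 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0',
    'Nov 28 20:55:11 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'',
    'Nov 28 20:55:46 studio audit[1449]: AVC avc:  denied  { write } for  pid=1449 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0',
    'Nov 28 21:09:27 studio audit[4462]: AVC avc:  denied  { fowner } for  pid=4462 comm="systemd-homed" capability=3  scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:system_r:systemd_homed_t:s0 tclass=capability permissive=0',
    'Nov 28 23:15:11 studio audit[1392]: AVC avc:  denied  { add_name } for  pid=1392 comm="systemd-homed" name="tulili" scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0',
]

# Heuristic (my assumption, not policy-defined): target types so generic that a
# rule against them usually means a mislabelled path rather than a policy gap.
GENERIC_TARGET_TYPES = {"var_t", "usr_t", "etc_t", "default_t", "unlabeled_t"}

# "avc:  denied  { read write } for  pid=... key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-blank characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Reduce a full label (user:role:type:level) to its type component, which is
    # what a policy rule is written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else rec[ctx]
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(lines):
    """Group denials as (source type, target type, class) -> set of denied permissions."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass", "?"))
            out[key] |= rec["perms"]
    return dict(out)


def suggested_rule(key, perms):
    """Render the allow rule audit2allow prints for one group (self: when types coincide)."""
    src, tgt, cls = key
    tgt_ref = "self" if tgt == src else tgt
    perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
    return f"allow {src} {tgt_ref}:{cls} {perm_str};"


def generic_target_denials(summary):
    """Return the groups whose target type is in GENERIC_TARGET_TYPES, for label review."""
    return sorted(k for k in summary if k[1] in GENERIC_TARGET_TYPES)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    flagged = set(generic_target_denials(summary))
    for key, perms in sorted(summary.items()):
        note = "   # generic target type: check the path's label before allowing" if key in flagged else ""
        print(suggested_rule(key, perms) + note)
```

Run against the lines in this issue it reproduces the two systemd_homed_t rules from the audit2allow module (the dir rule gains add_name once the second comment's denial is included) and flags the var_t one for a label check.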
