unable to use machinectl with selinux in enforcing mode #298

Closed
gui-bo opened this issue Nov 28, 2019 · 5 comments
Labels: bug

Comments

@gui-bo gui-bo commented Nov 28, 2019

Hello,
I am using Fedora Silverblue 31 and I cannot use machinectl with SELinux in enforcing mode.
Does anyone know how I can change the SELinux policy to allow it?
Thank you!

[gui@localhost ~]$ sudo machinectl shell gui@Fedora31
Failed to get shell PTY: Input/output error
[gui@localhost ~]$ sudo setenforce 0
[sudo] password for gui: 
[gui@localhost ~]$ sudo machinectl shell gui@Fedora31
Connected to machine Fedora31. Press ^] three times within 1s to exit session.
[gui@Fedora31 ~]$ 
@wrabcak wrabcak (Member) commented Nov 28, 2019

@zpytela PTAL

@zpytela zpytela (Contributor) commented Dec 9, 2019

@gui-bo, please collect all denials from the command attempt made in the SELinux permissive mode. They need to be assessed and a proper action chosen to resolve the issue.

rpm -qa systemd\* selinux-policy\*
ausearch -i -m avc,user_avc -ts recent

Is this issue new in F31? Has it started with some particular update? Does it happen only when using Silverblue image?

@wrabcak wrabcak added the bug label Dec 9, 2019
@gui-bo gui-bo (Author) commented Dec 9, 2019

Hello, I have had this issue since I installed Fedora Silverblue 31 last month.
On Fedora Silverblue 31 (installed on actual physical hardware):

[gui@localhost ~]$ rpm -qa systemd\* selinux-policy\*
systemd-rpm-macros-243.4-1.fc31.noarch
systemd-udev-243.4-1.fc31.x86_64
selinux-policy-3.14.4-40.fc31.noarch
systemd-243.4-1.fc31.x86_64
systemd-libs-243.4-1.fc31.x86_64
selinux-policy-targeted-3.14.4-40.fc31.noarch
systemd-pam-243.4-1.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-container-243.4-1.fc31.x86_64
[gui@localhost ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
[gui@localhost ~]$ sudo machinectl shell gui@Fedora31
[sudo] password for gui: 
Failed to get shell PTY: Input/output error
[gui@localhost ~]$ sudo setenforce 0
[gui@localhost ~]$ sudo machinectl shell gui@Fedora31
Connected to machine Fedora31. Press ^] three times within 1s to exit session.
[gui@Fedora31 ~]$ 
Connection to machine Fedora31 terminated.
[gui@localhost ~]$ sudo ausearch -i -m avc,user_avc -ts recent 
----
type=USER_AVC msg=audit(09.12.2019 21:12:29.439:391) : pid=1007 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 

I just installed a VM with normal Fedora 31 and have the same problem:

[gui@localhost ~]$ sudo setenforce 0
[sudo] password for gui: 
[gui@localhost ~]$ sudo machinectl shell gui@Fedora-31
Connected to machine Fedora-31. Press ^] three times within 1s to exit session.
[gui@Fedora-31 ~]$ 
Connection to machine Fedora-31 terminated.
[gui@localhost ~]$ sudo ausearch -i -m avc,user_avc -ts recent
----
type=USER_AVC msg=audit(12/09/2019 21:10:15.665:225) : pid=811 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=AVC msg=audit(12/09/2019 21:10:27.895:231) : avc:  denied  { read } for  pid=1867 comm=(sd-openpt) name=ptmx dev="tmpfs" ino=38703 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1 
----
type=AVC msg=audit(12/09/2019 21:10:27.895:232) : avc:  denied  { open } for  pid=1867 comm=(sd-openpt) path=/dev/pts/ptmx dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 
----
type=AVC msg=audit(12/09/2019 21:10:27.898:233) : avc:  denied  { read } for  pid=1871 comm=(sd-buscntr) name=run dev="dm-0" ino=285246 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=lnk_file permissive=1 
----
type=AVC msg=audit(12/09/2019 21:10:27.898:234) : avc:  denied  { write } for  pid=1871 comm=(sd-buscntr) name=system_bus_socket dev="tmpfs" ino=37877 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(12/09/2019 21:10:27.898:235) : avc:  denied  { connectto } for  pid=1871 comm=(sd-buscntr) path=/run/dbus/system_bus_socket scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
[gui@localhost ~]$ rpm -qa systemd\* selinux-policy\*
selinux-policy-targeted-3.14.4-40.fc31.noarch
systemd-container-243.4-1.fc31.x86_64
systemd-pam-243.4-1.fc31.x86_64
selinux-policy-3.14.4-40.fc31.noarch
systemd-udev-243.4-1.fc31.x86_64
systemd-rpm-macros-243.4-1.fc31.noarch
systemd-243.4-1.fc31.x86_64
systemd-bootchart-233-5.fc31.x86_64
systemd-libs-243.4-1.fc31.x86_64
[gui@localhost ~]$ sudo setenforce 1
[sudo] password for gui: 
[gui@localhost ~]$ sudo machinectl shell gui@Fedora-31
Failed to get shell PTY: Input/output error
@zpytela zpytela (Contributor) commented Mar 17, 2020

@gui-bo, at least some of these denials can be addressed in Fedora policy, I am afraid it requires a lot of changes to be made. Are you aware of any customizations made on your system related to these issues? There seem to be paths or symlinks which are not present by default.

Unfortunately, as the path is not logged in these denials, the following commands need to be run to grab more information:

auditctl -d never,task
auditctl -w /etc/shadow -p w -k shadow-write

Then rerun the scenario in permissive mode and execute the ausearch command to collect the denials again.
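The denials gui-bo collected above are assessed per (source type, target type, object class) triple, which is the form zpytela needs to decide whether a record points at a missing policy rule or at a non-default label on the system. The following added example (not code from the thread or from the selinux-policy project) parses the `ausearch -i` output quoted above into those triples and renders them in the same allow-rule shape that audit2allow prints; the USER_AVC setenforce notice and the `----` separators are included to show that they are skipped.

```python
import re
from collections import defaultdict

# Added example (not from the thread or the selinux-policy project): summarise
# `ausearch -i` records into (source type, target type, class) -> permissions,
# the shape audit2allow prints. Input is the denial output quoted in the thread.
AUSEARCH_OUTPUT = """\
----
type=USER_AVC msg=audit(12/09/2019 21:10:15.665:225) : pid=811 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
----
type=AVC msg=audit(12/09/2019 21:10:27.895:231) : avc:  denied  { read } for  pid=1867 comm=(sd-openpt) name=ptmx dev="tmpfs" ino=38703 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(12/09/2019 21:10:27.895:232) : avc:  denied  { open } for  pid=1867 comm=(sd-openpt) path=/dev/pts/ptmx dev="devpts" ino=2 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(12/09/2019 21:10:27.898:233) : avc:  denied  { read } for  pid=1871 comm=(sd-buscntr) name=run dev="dm-0" ino=285246 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(12/09/2019 21:10:27.898:234) : avc:  denied  { write } for  pid=1871 comm=(sd-buscntr) name=system_bus_socket dev="tmpfs" ino=37877 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(12/09/2019 21:10:27.898:235) : avc:  denied  { connectto } for  pid=1871 comm=(sd-buscntr) path=/run/dbus/system_bus_socket scontext=system_u:system_r:systemd_machined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
"""

# Only real denials: USER_AVC notices and '----' separators do not match.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"comm=(?P<comm>\S+) .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def parse_denials(text):
    """Return one dict per AVC denial record; non-denial lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append({
            "perms": frozenset(m["perms"].split()),
            "comm": m["comm"].strip("()"),
            "stype": m["scon"].split(":")[2],   # user:role:TYPE[:range]
            "ttype": m["tcon"].split(":")[2],
            "tclass": m["tclass"],
        })
    return out

def summarize(denials):
    """Merge permissions per (source type, target type, class) like audit2allow."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return {k: frozenset(v) for k, v in merged.items()}

def as_allow_rules(summary):
    """Render the merged triples in TE allow-rule form for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize(parse_denials(AUSEARCH_OUTPUT))):
        print(rule)
```

The merged view makes the target labels (user_tmp_t on a ptmx symlink and on system_bus_socket, mnt_t on run) easy to compare against the labels a default install would carry, which is the check behind zpytela's question about non-default paths and symlinks.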

@gui-bo gui-bo (Author) commented Mar 24, 2020

I started using fedora-toolbox and podman now. It is the supported and easier way to work with containers in Silverblue and it is working really great, even better than a systemd container.
So I don't use systemd containers any more.

Thank you so much!

@gui-bo gui-bo closed this Mar 24, 2020