
Add support for systemd-homed #2018

Open
wants to merge 20 commits into base: rawhide

Conversation

richiedaze commented Feb 1, 2024

Testing

Enable homed features on Fedora

sudo authselect enable-feature \
    with-systemd-homed
sudo systemctl enable --now \
    systemd-homed

Relabel homed context

sudo restorecon -v \
    /usr/lib/systemd/systemd-homed \
    /usr/lib/systemd/systemd-homework \
    /usr/lib/systemd/system/systemd-homed-activate.service \
    /usr/lib/systemd/system/systemd-homed.service \
    /var/lib/systemd/home/

Create a testuser for homed

sudo homectl create testuser

zpytela (Contributor) commented Feb 5, 2024

Thank you for the PR, I am afraid it will take me some time to go through it. What did you use for testing?

richiedaze (Author)

Building a new home with systemd-homed on fedora

Tested on:

  • Fedora Workstation
  • Silverblue
  • Kinoite

dngray commented Feb 13, 2024

Also tested on

  • Sway Atomic

zpytela (Contributor) commented Feb 13, 2024

Building a new home with systemd-homed on fedora

Tested on:

  • Fedora Workstation
  • Silverblue
  • Kinoite

Thank you, the link is also quite helpful. I meant if it was "testing by usage" or some automated test or features which can be automated. We have a very basic test.

richiedaze (Author)

@zpytela, I have tried almost every combination available to the homectl tool for the last 3 years. This policy has more than basic support to function properly. Every now and then upstream modifies the code, and I have adjusted the policy alongside them to maintain robustness.

zpytela (Contributor) commented Feb 13, 2024

@zpytela, I have tried almost every combination available to the homectl tool for the last 3 years. This policy has more than basic support to function properly. Every now and then upstream modifies the code, and I have adjusted the policy alongside them to maintain robustness.

Thank you, that sounds very good, so you think this is ready to merge to F40?

richiedaze (Author)

Yes Sir.

Feb 12 15:47:33 fedora audit[930]: USER_AVC pid=930 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'

Feb 12 17:30:56 fedora audit[32148]: AVC avc:  denied  { mounton } for  pid=32148 comm="(mkfs)" path="/proc/32148/mounts" dev="proc" ino=211005 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:system_r:systemd_homework_t:s0 tclass=file permissive=1

Cockpit tests failed for commit 7d68e9e. @martinpitt, @jelly, @mvollmer please check.

martinpitt (Contributor)

This breaks a lot of Cockpit tests, all which want to connect to the user's session bus:

warning: failed to connect to session bus: [Errno 123] sd_bus_default_user: No medium found

I picked a random journal and it has a lot of

USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
AVC avc: denied { read } for pid=758 comm="auditd" name="userdb" dev="tmpfs" ino=42 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
pam_systemd(sshd:session): Failed to create session: Could not activate remote peer: unit failed.

Note that these tests don't run with homed, this is a "classic" user account.

Aside from this: I'm really excited, thanks for this work! I've run homed on my laptop for many years now, and switched off SELinux because of it.

martinpitt (Contributor)

Reproducer without cockpit, in a standard Fedora 40 VM:

Install the COPR:

dnf copr enable -y packit/fedora-selinux-selinux-policy-2018
dnf update -y --repo='*copr*'
reboot

Then log in as user. This doesn't start the user's systemd session, nor a D-Bus, and the journal says

AVC avc:  denied  { connectto } for  pid=1013 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
pam_systemd(sshd:session): Failed to create session: Could not activate remote peer: unit failed.
pam_unix(sshd:session): session opened for user admin(uid=1000) by admin(uid=0)

(and lots more)

richiedaze (Author) commented Mar 28, 2024

@martinpitt,

Reproducer without cockpit, in a standard Fedora 40 VM:

Install the COPR:

dnf copr enable -y packit/fedora-selinux-selinux-policy-2018
dnf update -y --repo='*copr*'
reboot

  1. In grub, edit to runlevel 3

  2. Allow system to resume normally

    sudo semanage permissive -a system_dbusd_t

    Needed allow rules to add to the policy

    journalctl -b | audit2allow
    
    #============= avahi_t ==============
    allow avahi_t systemd_userdbd_runtime_t:dir read;
    allow avahi_t systemd_userdbd_runtime_t:lnk_file read;
    allow avahi_t systemd_userdbd_runtime_t:sock_file write;
    
    #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
    allow avahi_t systemd_userdbd_t:unix_stream_socket connectto;
    
    #============= init_t ==============
    allow init_t systemd_machined_t:unix_stream_socket connectto;
    
    #============= policykit_auth_t ==============
    allow policykit_auth_t systemd_userdbd_runtime_t:dir read;
    
    #============= policykit_t ==============
    allow policykit_t systemd_userdbd_runtime_t:dir read;
    
    #============= system_dbusd_t ==============
    allow system_dbusd_t bluetooth_unit_file_t:service { start status };
    allow system_dbusd_t colord_unit_file_t:service { start status };
    allow system_dbusd_t fwupd_unit_file_t:service { start status };
    allow system_dbusd_t systemd_logind_inhibit_var_run_t:fifo_file write;
    allow system_dbusd_t systemd_unit_file_t:service { start status };
    
    #============= systemd_userdbd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
    allow systemd_userdbd_t systemd_machined_t:unix_stream_socket connectto;
    
    #============= xdm_t ==============
    allow xdm_t systemd_userdbd_runtime_t:sock_file write;

This repo policy for some reason didn't include the systemd-homed module for testing.

sudo semanage module -l | grep systemd-homed
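An added triage helper, not part of this PR or the selinux-policy project: it parses the two denial shapes quoted in this thread (kernel `AVC avc: denied {...}` records and `USER_AVC` records whose avc text sits inside `msg='...'`), merges them into audit2allow-style allow lines, and separates denials logged with `permissive=0` (actually blocked, as in the Cockpit failures) from those only seen because a domain was made permissive with `semanage permissive -a`. The journal sample is constructed from lines in this thread plus one made-up `start` denial on polkit.service to show permission merging; `audit2allow` remains the real tool, this only shows what it does with the fields.

```python
import re
from collections import defaultdict

# Constructed sample: denial lines quoted in this thread, one made-up `start`
# denial on polkit.service (to show permission merging) and one non-AVC line.
SAMPLE_JOURNAL = """\
Feb 12 15:47:33 fedora audit[930]: USER_AVC pid=930 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Feb 12 17:30:56 fedora audit[32148]: AVC avc:  denied  { mounton } for  pid=32148 comm="(mkfs)" path="/proc/32148/mounts" dev="proc" ino=211005 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:system_r:systemd_homework_t:s0 tclass=file permissive=1
AVC avc:  denied  { read } for  pid=201669 comm="cockpit-session" name="userdb" dev="tmpfs" ino=42 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
AVC avc:  denied  { write } for  pid=217331 comm="cockpit-session" name="io.systemd.Multiplexer" dev="tmpfs" ino=545 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
USER_AVC pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/polkit.service" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd"'
pam_systemd(sshd:session): Failed to create session: Could not activate remote peer: unit failed.
"""

# Matches both shapes: kernel "AVC avc: denied {...}" records and USER_AVC
# records whose avc text sits inside msg='...'. Field order is auditd's.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def parse_denials(text):
    """One dict per denial line; lines without an avc record are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "perms": set(m["perms"].split()),
                "source": m["scontext"].split(":")[2],  # type of user:role:type:level
                "target": m["tcontext"].split(":")[2],
                "tclass": m["tclass"],
                "enforced": m["permissive"] == "0",     # 0 = blocked, 1 = logged only
            })
    return denials

def allow_rules(denials, enforced_only=False):
    """Merge by (source, target, class) into audit2allow-style allow lines."""
    grouped = defaultdict(set)
    for d in denials:
        if d["enforced"] or not enforced_only:
            grouped[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return rules
```

Running `allow_rules(parse_denials(SAMPLE_JOURNAL), enforced_only=True)` yields only the three cockpit_session_t and system_dbusd_t rules, which is the set that would actually break logins on an enforcing host; the homed/homework lines were logged with permissive=1 and never blocked anything.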


Cockpit tests failed for commit 6de9bf4. @martinpitt, @jelly, @mvollmer please check.

martinpitt (Contributor)

This last run still fails all tests. The journal shows lots of

AVC avc:  denied  { read } for  pid=201669 comm="cockpit-session" name="userdb" dev="tmpfs" ino=42 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
AVC avc:  denied  { write } for  pid=217331 comm="cockpit-session" name="io.systemd.Multiplexer" dev="tmpfs" ino=545 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0

(and maybe I missed some more)


Cockpit tests failed for commit e032607. @martinpitt, @jelly, @mvollmer please check.

martinpitt (Contributor)

The rawhide failures still look very grim. Pretty much all cockpit tests fail on

USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/polkit.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

I think this is still a regression in this PR. selinux/rawhide has been broken for a longer time already, see e.g. this recent run. But that "only" broke two tests, not all of them, and the failure is much more specific.


Cockpit tests failed for commit e2378ed. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit 17042b1. @martinpitt, @jelly, @mvollmer please check.

martinpitt (Contributor)

This still breaks the user bus:

warning: failed to connect to session bus: [Errno 123] sd_bus_default_user: No medium found
