Fedora - LXD/snapd and SELinux


#1

I am currently using Fedora 29. I have to say I don’t know much about SELinux :slight_smile:

When installing LXD from the snap, it fails because LXD can’t start. By looking at the logs, it seems that lots of actions were denied by SELinux:

...
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { mounton } for  pid=4173 comm="snap-confine" path="/dev/pts" dev="devpts" ino=1 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { mount } for  pid=4173 comm="snap-confine" name="/" dev="devpts" ino=1 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { mounton } for  pid=4173 comm="snap-confine" path="/dev/ptmx" dev="devtmpfs" ino=59 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=1
Mar 27 10:09:17 xps-sla audit[4181]: AVC avc:  denied  { remove_name } for  pid=4181 comm="5" name="snap.lxd.fstab.tqC7bPm1GgWp~" dev="tmpfs" ino=80968 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4181]: AVC avc:  denied  { rename } for  pid=4181 comm="5" name="snap.lxd.fstab.tqC7bPm1GgWp~" dev="tmpfs" ino=80968 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Mar 27 10:09:17 xps-sla audit[4180]: AVC avc:  denied  { mounton } for  pid=4180 comm="snap-confine" path="/run/snapd/ns/lxd.mnt" dev="tmpfs" ino=80494 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { open } for  pid=4173 comm="snap-confine" path="/run/udev/tags" dev="tmpfs" ino=12187 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { getattr } for  pid=4173 comm="snap-confine" path="/run/udev/tags" dev="tmpfs" ino=12187 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { write } for  pid=4173 comm="snap-confine" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { add_name } for  pid=4173 comm="snap-confine" name="snap.lxd" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { create } for  pid=4173 comm="snap-confine" name="snap.lxd" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { setattr } for  pid=4173 comm="snap-confine" name="snap.lxd" dev="cgroup" ino=8 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { write } for  pid=4173 comm="snap-confine" name="tasks" dev="cgroup" ino=11 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { setgid } for  pid=4173 comm="snap-confine" capability=6  scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=capability permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { setuid } for  pid=4173 comm="snap-confine" capability=7  scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=capability permissive=1
Mar 27 10:09:17 xps-sla audit[1]: AVC avc:  denied  { write } for  pid=1 comm="systemd" name="lxd" dev="dm-1" ino=794879 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=0
Mar 27 10:09:17 xps-sla systemd[1]: Failed to create listening socket: Permission denied
Mar 27 10:09:17 xps-sla systemd[1]: snap.lxd.daemon.unix.socket: Failed to listen on sockets: Permission denied
Mar 27 10:09:17 xps-sla systemd[1]: snap.lxd.daemon.unix.socket: Failed with result 'resources'.
Mar 27 10:09:17 xps-sla systemd[1]: Failed to listen on Socket unix for snap application lxd.daemon.

I don’t want to disable SELinux, so is there a good documentation to find what to configure and how, so that LXD can work?
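As an added example (not part of the thread), a small Python triage script that parses AVC records like the ones quoted above and separates the denials SELinux actually enforced (permissive=0, the systemd write into the snappy_var_t directory that breaks the socket) from the ones that were only logged because the snappy_t domain was permissive; the sample lines are copied from the log in the post.

```python
import re
from collections import Counter

# Four lines copied from the audit log quoted in the post above (the last one is not an AVC record).
AVC_LOG = """\
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { mounton } for  pid=4173 comm="snap-confine" path="/dev/pts" dev="devpts" ino=1 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=1
Mar 27 10:09:17 xps-sla audit[4173]: AVC avc:  denied  { setuid } for  pid=4173 comm="snap-confine" capability=7  scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=capability permissive=1
Mar 27 10:09:17 xps-sla audit[1]: AVC avc:  denied  { write } for  pid=1 comm="systemd" name="lxd" dev="dm-1" ino=794879 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=0
Mar 27 10:09:17 xps-sla systemd[1]: Failed to create listening socket: Permission denied
"""

AVC_RE = re.compile(r"AVC avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # permissive=0 means SELinux actually blocked the access; permissive=1 means
    # the source domain is permissive and the denial was only logged.
    rec["enforced"] = rec.get("permissive") == "0"
    # The type (third component) of each context is what a policy rule is written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log):
    """Count denials per (source type, target type, class, permission) and collect the enforced ones."""
    counts, enforced = Counter(), set()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            counts[key] += 1
            if rec["enforced"]:
                enforced.add(key)
    return counts, enforced


if __name__ == "__main__":
    counts, enforced = summarize(AVC_LOG)
    for key, n in counts.items():
        status = "BLOCKED" if key in enforced else "logged only"
        print(f"{n:3d}  {status:11s}  {key[0]} -> {key[1]} ({key[2]}): {key[3]}")
```

Feeding it the full `journalctl` or `ausearch -m avc` output shows at a glance which denial is the real blocker, rather than fixing every permissive-mode line.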


#2

Hello, are snaps working with your setup, that is, the hello-world test?


#3

It does, however SELinux does not seem very happy even with the hello-world snap:

stanislas@xps-sla ~> sudo snap install hello-world
[sudo] password for stanislas: 
hello-world 6.3 from Canonical✓ installed
stanislas@xps-sla ~> set PATH /snap/bin/ $PATH
stanislas@xps-sla ~> hello-world 
2019/03/27 15:26:45.137686 cmd_run.go:367: restoring default SELinux context of /home/stanislas/snap
Hello World!

(Stéphane Graber) #4

I believe the issue is related to socket activation of snaps on Fedora and explains why this is somewhat limited to LXD.

There’s unfortunately not a whole lot we can do about it.
I did report this issue to both the snapd team and the snapd maintainer in Fedora but nothing seems to have come from it…

Maybe reviving this issue will get things fixed this time around.


#5

That’s a shame! Thanks for the link.


#6

Tried it, no issue with hello-world, indeed a permission error on the socket when attempting snap install lxd; did a setenforce 0, restarted snap install lxd, setenforce 1, lxc launch test, success.
Restart VM, still works. Give it a try.


#7

Good news: