Lxd-agent fails to start due to SELinux denial

It appears /run/lxd_config/9p/lxd-agent does not have the correct SELinux type to run as a systemd unit. It needs init_t, but has nfs_t as a result of its parent filesystem. Is there a way to force the context on the 9p filesystem when mount it into the guest?

[root@fedora-vm ~]# systemctl start lxd-agent
[  267.766395] audit: type=1400 audit(1597942425.310:178): avc:  denied  { execute } for  pid=535 comm="(xd-agent)" name="lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
Job for lxd-agent.service failed because the control process exited with error code.
See "systemctl status lxd-agent.service" and "journalctl -xe" for details.

Disabling SELinux (setenforce 0) lets the unit start up. Once started, a series of denials get reported too:

[  545.157546] audit: type=1400 audit(1597942702.698:220): avc:  denied  { execute } for  pid=550 comm="(xd-agent)" name="lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
[  545.165207] audit: type=1400 audit(1597942702.698:220): avc:  denied  { read open } for  pid=550 comm="(xd-agent)" path="/run/lxd_config/9p/lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
[  545.176389] audit: type=1400 audit(1597942702.698:220): avc:  denied  { execute_no_trans } for  pid=550 comm="(xd-agent)" path="/run/lxd_config/9p/lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
[  545.187897] audit: type=1400 audit(1597942702.698:220): avc:  denied  { map } for  pid=550 comm="lxd-agent" path="/run/lxd_config/9p/lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
[  545.295613] audit: type=1400 audit(1597942702.840:221): avc:  denied  { sendto } for  pid=556 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
[root@fedora-vm ~]# [  545.306447] audit: type=1130 audit(1597942702.848:222): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lxd-agent comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  545.313918] audit: type=1400 audit(1597942702.858:223): avc:  denied  { read } for  pid=550 comm="lxd-agent" name="vsock" dev="devtmpfs" ino=17716 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
[  545.321918] audit: type=1400 audit(1597942702.858:223): avc:  denied  { open } for  pid=550 comm="lxd-agent" path="/dev/vsock" dev="devtmpfs" ino=17716 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
[  545.332160] audit: type=1400 audit(1597942702.858:224): avc:  denied  { ioctl } for  pid=550 comm="lxd-agent" path="/dev/vsock" dev="devtmpfs" ino=17716 ioctlcmd=0x7b9 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1

I hacked around a bit and got lxd-agent working with SELinux enforcing. I did the following:

# install -m755 /run/lxd_config/9p/lxd-agent /usr/local/bin/
# sed -e 's#ExecStart=/run/lxd_config/9p/lxd-agent#ExecStart=/usr/local/bin/lxd-agent#' /usr/lib/systemd/system/lxd-agent.service
# touch /.autorelabel
# reboot

This sets a correct executable file type on the lxd-agent binary and repairs the context for the systemd unit. I couldn’t figure out how to change the context on the lxd-agent binary in place on the 9p filesystem, but that would be ideal; then the binary could be updated by lxd without needing to touch the guest filesystem.

Copying the agent in /usr/local/bin isn’t really an option, so I’m hoping we can maybe instead rely on a systemd option to change the label at startup time or pass the context mount flag to the 9p filesystem to label it as something other than nfs_t.

Oh for sure. That feels like a much better solution. I mostly copied the binary as a test step. It looks like SELinux gets disabled completely as well until a reboot occurs?

I think that’s because the image don’t ship with the selinux policies, as soon as you install a package that brings them in, you run into selinux problems.

mount -t 9p config /run/lxd_config/9p/ -o context=system_u:object_r:bin_t:s0

This allows the agent to start, however connections fail because of some issue with /dev/vsock.

[17904.972881] audit: type=1400 audit(1597980225.377:213): avc:  denied  { read } for  pid=1152 comm="lxd-agent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=vsock_socket permissive=0

Not too sure what to do to avoid that one yet.

OOHH yep. I see selinux-policy-targeted in my install history now. I definitely did that.