It appears /run/lxd_config/9p/lxd-agent
does not have the correct SELinux type to run as a systemd unit. It needs init_t
, but has nfs_t
as a result of its parent filesystem. Is there a way to force the context on the 9p filesystem when mount it into the guest?
[root@fedora-vm ~]# systemctl start lxd-agent
[ 267.766395] audit: type=1400 audit(1597942425.310:178): avc: denied { execute } for pid=535 comm="(xd-agent)" name="lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
Job for lxd-agent.service failed because the control process exited with error code.
See "systemctl status lxd-agent.service" and "journalctl -xe" for details.
Disabling SELinux (setenforce 0
) lets the unit start up. Once started, a series of denials get reported too:
[ 545.157546] audit: type=1400 audit(1597942702.698:220): avc: denied { execute } for pid=550 comm="(xd-agent)" name="lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
[ 545.165207] audit: type=1400 audit(1597942702.698:220): avc: denied { read open } for pid=550 comm="(xd-agent)" path="/run/lxd_config/9p/lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
[ 545.176389] audit: type=1400 audit(1597942702.698:220): avc: denied { execute_no_trans } for pid=550 comm="(xd-agent)" path="/run/lxd_config/9p/lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
[ 545.187897] audit: type=1400 audit(1597942702.698:220): avc: denied { map } for pid=550 comm="lxd-agent" path="/run/lxd_config/9p/lxd-agent" dev="9p" ino=25 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
[ 545.295613] audit: type=1400 audit(1597942702.840:221): avc: denied { sendto } for pid=556 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
[root@fedora-vm ~]# [ 545.306447] audit: type=1130 audit(1597942702.848:222): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lxd-agent comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 545.313918] audit: type=1400 audit(1597942702.858:223): avc: denied { read } for pid=550 comm="lxd-agent" name="vsock" dev="devtmpfs" ino=17716 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
[ 545.321918] audit: type=1400 audit(1597942702.858:223): avc: denied { open } for pid=550 comm="lxd-agent" path="/dev/vsock" dev="devtmpfs" ino=17716 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1
[ 545.332160] audit: type=1400 audit(1597942702.858:224): avc: denied { ioctl } for pid=550 comm="lxd-agent" path="/dev/vsock" dev="devtmpfs" ino=17716 ioctlcmd=0x7b9 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=1