Description
I'm installing Fedora 42 via bootc. There are numerous SELinux errors on system boot up.
The relevant part of my Containerfile:
FROM quay.io/fedora/fedora-bootc:42
RUN dnf -y install dnf5-plugins && \
    dnf config-manager addrepo --from-repofile https://pkgs.tailscale.com/stable/fedora/tailscale.repo && \
    dnf -y install \
        langpacks-en_GB \
        screen \
        git \
        fuse \
        snapraid \
        cockpit \
        cockpit-podman \
        cockpit-networkmanager \
        cockpit-ostree \
        cockpit-storaged \
        cockpit-files \
        cockpit-selinux \
        pcp \
        pcp-system-tools \
        usbutils \
        igt-gpu-tools \
        tailscale \
        restic \
        awscli2 \
        socat \
        https://github.com/trapexit/mergerfs/releases/download/2.40.2/mergerfs-2.40.2-1.fc42.x86_64.rpm && \
    dnf clean all
RUN systemctl mask \
    bootc-fetch-apply-updates.timer
RUN systemctl enable \
    cockpit.socket \
    podman.socket \
    pmcd.service \
    pmlogger.service \
    tailscaled.service
If I run the suggested commands for these errors:
sudo ausearch -c 'cp' --raw | audit2allow -M my-cp
sudo ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
sudo ausearch -c 'rm' --raw | audit2allow -M my-rm
sudo ausearch -c 'systemd-homed' --raw | audit2allow -M my-systemdhomed
The following policies are created:
my-cp.te:
module my-cp 1.0;
require {
type pcp_pmie_t;
type var_log_t;
type pcp_pmlogger_t;
class file { unlink write };
}
#============= pcp_pmie_t ==============
allow pcp_pmie_t var_log_t:file { unlink write };
#============= pcp_pmlogger_t ==============
allow pcp_pmlogger_t var_log_t:file { unlink write };
my-pmcd.te:
module my-pmcd 1.0;
require {
type pcp_pmcd_t;
type var_log_t;
class file { rename unlink write };
}
#============= pcp_pmcd_t ==============
allow pcp_pmcd_t var_log_t:file { rename unlink write };
my-rm.te:
module my-rm 1.0;
require {
type init_t;
type var_log_t;
type pcp_pmlogger_t;
type fusermount_exec_t;
type pcp_pmie_t;
class file { execute unlink };
}
#============= init_t ==============
allow init_t fusermount_exec_t:file execute;
#============= pcp_pmie_t ==============
allow pcp_pmie_t var_log_t:file unlink;
#============= pcp_pmlogger_t ==============
allow pcp_pmlogger_t var_log_t:file unlink;
my-systemdhomed.te:
module my-systemdhomed 1.0;
require {
type default_t;
type systemd_homed_t;
class dir read;
}
#============= systemd_homed_t ==============
allow systemd_homed_t default_t:dir read;
I've also found that I get an SELinux error on boot up regarding cockpit-tls that prevents cockpit from starting, but this only occurs when I have built the container I'm booting into inside a podman-in-podman container (e.g. running podman build in a podman container, such as a CI/CD pipeline runner):
type=AVC msg=audit(1760215466.297:300): avc: denied { execute } for pid=8932 comm="(kpit-tls)" name="cockpit-tls" dev="overlay" ino=14056 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:cockpit_ws_exec_t:s0"
When this failure happens the following commands are recommended:
touch /.autorelabel; reboot
semanage fcontext -a -t FILE_TYPE 'cockpit-tls' # it's not clear what the file type should be
Are there any known issues regarding SELinux and bootc? Or are these issues with the downstream packages? The systemd-homed error is interesting as I don't think I install or configure that myself.
I know SELinux generates these policies for those of us who don't know how it works, but I don't feel comfortable running commands I don't understand, and I'm assuming this should be done when the package is installed.
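As an added triage helper (my own example, not part of this issue, bootc or audit2allow), the Python below parses AVC records like the cockpit-tls one above and separates denials whose target carries an unrecognised or generic label (unlabeled_t with a trawcon, default_t, var_log_t), where a relabel is the usual fix, from ones that might really need a policy rule. Only the first sample line is from the issue; the other two lines and the GENERIC_TYPES heuristic are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, List
# Constructed sample: line 1 is the cockpit-tls denial from the issue; lines 2-3
# are made up here to mimic the pcp and systemd-homed denials the modules cover.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1760215466.297:300): avc: denied { execute } for pid=8932 comm="(kpit-tls)" name="cockpit-tls" dev="overlay" ino=14056 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:cockpit_ws_exec_t:s0"
type=AVC msg=audit(1760215470.100:310): avc: denied { write unlink } for pid=9001 comm="pmlogger" name="pmlogger.log" dev="overlay" ino=22001 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1760215471.200:320): avc: denied { read } for pid=9100 comm="systemd-homed" name="home" dev="overlay" ino=1200 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
"""

# Heuristic (my assumption, not policy): a confined daemon denied on one of these
# generic target types usually means the object lost its specific label.
GENERIC_TYPES = {"default_t", "var_log_t", "var_t", "etc_t", "usr_t"}
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")

@dataclass
class Denial:
    perms: tuple
    comm: Optional[str]
    scontext: str
    tcontext: str
    trawcon: Optional[str]  # raw on-disk context when the kernel could not map it

def _field(line: str, key: str) -> Optional[str]:
    # Returns key=value or key="value" from an audit record, or None if absent.
    m = re.search(rf'\b{key}=("?)([^"\s]+)\1', line)
    return m.group(2) if m else None

def _type(context: str) -> str:
    return context.split(":")[2]  # user:role:type:level -> type

def parse_avc(text: str) -> List[Denial]:
    out = []
    for line in text.splitlines():
        m = PERMS_RE.search(line)
        if m:
            out.append(Denial(tuple(m.group("perms").split()), _field(line, "comm"),
                              _field(line, "scontext"), _field(line, "tcontext"),
                              _field(line, "trawcon")))
    return out

def triage(d: Denial) -> str:
    # Labelling problem (fix with restorecon / .autorelabel) or possible policy gap?
    target = _type(d.tcontext)
    if target == "unlabeled_t" and d.trawcon:
        return f"relabel: on-disk label {_type(d.trawcon)} not accepted by the loaded policy"
    if target == "unlabeled_t" or target in GENERIC_TYPES:
        return f"relabel: {_type(d.scontext)} denied on generic label {target}; check matchpathcon"
    return "review: possible policy gap, confirm the target label before adding an allow rule"

def triage_report(text: str) -> List[tuple]:
    return [(d.comm, _type(d.tcontext), triage(d)) for d in parse_avc(text)]
```

Feed it `ausearch -m avc --raw` output instead of the sample to see which of the generated allow rules are really papering over mislabeled files.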