container-selinux
systemd crashes while attempting to start under container_user_r role
Hello Mr. Dan and Colleagues,
Currently, I'm trying to run podman containers for multiple users with the container_u:container_user_r:container_user_t:s0:c512.c1023 context. For now, I'm running on a fresh Fedora 39 Server Edition installation with the container support option enabled. The problem is that whenever I start systemd for one of those users, systemd crashes with a SEGV or segmentation fault error.
$ sudo systemctl status user@1008
Job for user@1008.service failed because a fatal signal was delivered to the control process.
See "systemctl status user@1008.service" and "journalctl -xeu user@1008.service" for details.
[FAIL|1]
$ sudo systemctl status user@1008
× user@1008.service - User Manager for UID 1008
Loaded: loaded (/usr/lib/systemd/system/user@.service; static)
Drop-In: /usr/lib/systemd/system/user@.service.d
└─10-login-barrier.conf
/usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: failed (Result: signal) since Tue 2023-11-14 17:59:12 WIB; 13s ago
Docs: man:user@.service(5)
Process: 1222 ExecStart=/usr/lib/systemd/systemd --user (code=killed, signal=SEGV)
Main PID: 1222 (code=killed, signal=SEGV)
CPU: 100ms
Nov 14 17:59:12 gudegmadura.co.id systemd[1]: Starting user@1008.service - User Manager for UID 1008...
Nov 14 17:59:12 gudegmadura.co.id (systemd)[1222]: pam_unix(systemd-user:session): session opened for user nginx_service(uid=1008) by nginx_service(uid=0)
Nov 14 17:59:12 gudegmadura.co.id systemd[1]: user@1008.service: Main process exited, code=killed, status=11/SEGV
Nov 14 17:59:12 gudegmadura.co.id systemd[1]: user@1008.service: Failed with result 'signal'.
Nov 14 17:59:12 gudegmadura.co.id systemd[1]: Failed to start user@1008.service - User Manager for UID 1008.
[FAIL|3]
Then I tried to troubleshoot it with ausearch as below:
$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Tue Nov 14 17:59:02 2023
type=AVC msg=audit(1699959542.526:149): avc: denied { search } for pid=1199 comm="sudo" name="1" dev="proc" ino=16342 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
time->Tue Nov 14 17:59:07 2023
type=AVC msg=audit(1699959547.893:154): avc: denied { search } for pid=1199 comm="sudo" name="1" dev="proc" ino=16342 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
[DONE]
I have no idea why sudoers are not allowed to search the /proc directory and why that causes a segfault in systemd. Did I do something wrong in the configuration, or does the AVC report say nothing about the crash? By the way, I noticed something funny...
$ ssh nginx_service@localhost
Enter passphrase for key '/home/thorx86/.ssh/id_ed25519':
Last login: Tue Nov 14 07:11:39 2023 from ::1
[[email protected] ~]$ systemctl status --user
-bash: systemctl: command not found
[[email protected] ~]$ ls /usr/bin/systemctl
ls: cannot access '/usr/bin/systemctl': Permission denied
[[email protected] ~]$
Is systemd intentionally disabled in the container_user_r role? If yes, how do I auto-start each podman container for multiple users? Thank you!
Update
Rootless Podman also won't work under the container_user_r role, even though it's using cgroup v2. Here's what happens if I run the container:
[[email protected] ~]$ podman start -ai nginx
WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available
WARN[0000] For using systemd, you may need to log in using a user session
WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 1008` (possibly as root)
WARN[0000] Falling back to --cgroup-manager=cgroupfs
{"msg":"exec container process `/docker-entrypoint.sh`: Permission denied","level":"error","time":"2023-11-15T15:04:49.311235Z"}
Then the ausearch logs:
$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Wed Nov 15 22:02:57 2023
type=SELINUX_ERR msg=audit(1700060577.134:1354): op=security_compute_sid invalid_context="container_u:container_user_r:kmod_t:s0-s0:c512" scontext=container_u:container_user_r:container_runtime_t:s0-s0:c512 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=process
----
time->Wed Nov 15 22:03:25 2023
type=AVC msg=audit(1700060605.934:1363): avc: denied { search } for pid=6020 comm="sudo" name="1" dev="proc" ino=2107 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
----
time->Wed Nov 15 22:04:08 2023
type=SELINUX_ERR msg=audit(1700060648.070:1412): op=security_compute_sid invalid_context="container_u:container_user_r:kmod_t:s0-s0:c512" scontext=container_u:container_user_r:container_runtime_t:s0-s0:c512 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=process
----
time->Wed Nov 15 22:04:22 2023
type=AVC msg=audit(1700060662.201:1413): avc: denied { transition } for pid=6197 comm="3" path="/docker-entrypoint.sh" dev="overlay" ino=20386 scontext=container_u:container_user_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c429,c593 tclass=process permissive=0
----
time->Wed Nov 15 22:04:49 2023
type=AVC msg=audit(1700060689.310:1418): avc: denied { transition } for pid=6260 comm="3" path="/docker-entrypoint.sh" dev="overlay" ino=20386 scontext=container_u:container_user_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c429,c593 tclass=process permissive=0
[DONE]
I have no idea what's happening with SELinux. I'm literally stuck now ☹️ I doubt that uninstalling the container-selinux package and then using staff_u for each container is a safe option. Please give some guidance, or at least information on how to debug those pesky segfaults (I have experience with GDB, but not with a running systemd process).
Update 2
Running under user_u also doesn't work. The reason is the same: permission denied. The AVC report is almost the same as in the previous comment. However, systemd and the user DBus are working properly. Changing to permissive mode definitely works as expected, but that defeats the purpose of SELinux. At this point, I'm not sure if rootless podman is designed to work with SELinux, or perhaps I missed something? I dunno... @rhatdan please give your guidance
What version of podman are you attempting this with?
At that time, Podman was up to date. I believe v4.7.2.
Could you try again to make sure it is 4.7.2 or, better yet, 4.8.*
I'm going to re-install Fedora Server after I finish my work today and I'll tell you the result. Thank you for your attention.
I re-installed the latest stable Fedora Server 39 and container-selinux package release. Then I ran these commands:
# dnf upgrade
# reboot
# restorecon -RF /
# semanage user -a -L s0-s0 -r s0-s0:c0.c1023 -R container_user_r container_u
# useradd -d /home/container -F -m -U -s /bin/bash -Z container_u --selinux-range s0-s0:c0.1023 container
$ exit 0
Then I logged in as container and ran this command:
$ systemctl --user status
-bash: systemctl: command not found
$ ls $(which systemctl)
/usr/bin/which: no systemctl in (/home/container/.local/bin:/home/container/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
Well... that's weird, so I went back to the admin user (which is staff_u) and ran this command:
$ ls $(which systemctl)
-rwxr-xr-x. 1 root root system_u:object_r:systemd_systemctl_exec_t:s0 316K Nov 29 07:00 /usr/bin/systemctl
# systemctl start user@1001
Job for user@1001.service failed because a fatal signal was delivered to the control process.
See "systemctl status user@1001.service" and "journalctl -xeu user@1001.service" for details.
# journalctl -xeu user@1001.service
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
A start job for unit user@1001.service has begun execution.
The job identifier is 3921.
Dec 22 06:10:14 localhost.localdomain (systemd)[2359]: pam_unix(systemd-user:session): session opened for user containe>
Dec 22 06:10:14 localhost.localdomain systemd[1]: user@1001.service: Main process exited, code=killed, status=11/SEGV
Subject: Unit process exited
Where 1001 is the UID or GID of the container user. As you can see, the problem still exists. By the way, all packages are already up to date.
$ uname -r
6.6.7-200.fc39.x86_64
Edit
I realized that the latest package isn't actually the latest:
# dnf info container-selinux
Last metadata expiration check: 0:44:37 ago on Fri 22 Dec 2023 05:32:41 AM WIB.
Installed Packages
Name : container-selinux
Epoch : 2
Version : 2.226.0
Release : 1.fc39
Architecture : noarch
Size : 67 k
Source : container-selinux-2.226.0-1.fc39.src.rpm
Repository : @System
From repo : updates
Summary : SELinux policies for container runtimes
URL : https://github.com/containers/container-selinux
License : GPL-2.0-only
Description : SELinux policy modules for use with container runtimes.
Is it still on rawhide?
What are the latest AVC messages you are seeing?
# systemctl start user@1001
Job for user@1001.service failed because a fatal signal was delivered to the control process.
See "systemctl status user@1001.service" and "journalctl -xeu user@1001.service" for details.
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
That's odd... perhaps this is entirely a systemd bug? I also tried logging in as the container user, then ran this:
$ systemctl --user status
-bash: systemctl: command not found
And then I went back to the admin user to run this:
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>
I have no idea why the previous AVC messages suddenly disappeared after I re-installed Fedora and upgraded to the latest stable. Despite that, auditd is still working properly:
# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: active (running) since Sat 2023-12-23 04:03:52 WIB; 4min 17s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 812 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Process: 821 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Main PID: 814 (auditd)
Tasks: 4 (limit: 2227)
Memory: 5.2M
CPU: 248ms
CGroup: /system.slice/auditd.service
├─814 /sbin/auditd
└─816 /usr/sbin/sedispatch
Dec 23 04:03:51 localhost systemd[1]: Starting auditd.service - Security Auditing Service...
Dec 23 04:03:51 localhost auditd[814]: audit dispatcher initialized with q_depth=2000 and 1 active plugins
Dec 23 04:03:51 localhost auditd[814]: Init complete, auditd 3.1.2 listening for events (startup state enable)
Dec 23 04:03:52 localhost augenrules[821]: /sbin/augenrules: No change
Dec 23 04:03:52 localhost augenrules[833]: No rules
Dec 23 04:03:52 localhost systemd[1]: Started auditd.service - Security Auditing Service.
Dontaudit rules are hiding the denial.
sudo semodule -DB
Now you should see the AVCs.
sudo semodule -B
To turn the dontaudit rules back on.
# semodule -DB
# systemctl start user@1001
Job for user@1001.service failed because a fatal signal was delivered to the control process.
See "systemctl status user@1001.service" and "journalctl -xeu user@1001.service" for details.
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.461:184): avc: denied { net_admin } for pid=1177 comm="systemd-user-ru" capability=12 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.461:185): avc: denied { net_admin } for pid=1177 comm="systemd-user-ru" capability=12 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.504:187): avc: denied { read } for pid=1179 comm="(systemd)" name="shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.526:188): avc: denied { siginh } for pid=1180 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:194): avc: denied { read write } for pid=1179 comm="systemd" path="socket:[2942]" dev="sockfs" ino=2942 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:195): avc: denied { read write } for pid=1179 comm="systemd" path="socket:[2942]" dev="sockfs" ino=2942 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:196): avc: denied { siginh } for pid=1179 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Thu Dec 28 19:19:08 2023
type=AVC msg=audit(1703765948.540:197): avc: denied { map } for pid=1179 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
Great! It's starting to show something. Out of curiosity, I tried the same command in permissive mode to get more denial information.
# setenforce 0
# systemctl start user@1001
# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.642:225): avc: denied { net_admin } for pid=1225 comm="systemd-user-ru" capability=12 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.682:227): avc: denied { read } for pid=1227 comm="(systemd)" name="shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.682:228): avc: denied { open } for pid=1227 comm="(systemd)" path="/etc/shadow" dev="dm-0" ino=16927531 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:234): avc: denied { read write } for pid=1227 comm="systemd" path="socket:[10401]" dev="sockfs" ino=10401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:235): avc: denied { siginh } for pid=1227 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=process permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:236): avc: denied { map } for pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:237): avc: denied { read } for pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:238): avc: denied { execute } for pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.698:239): avc: denied { map } for pid=1227 comm="systemd" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:240): avc: denied { search } for pid=1227 comm="systemd" name="1" dev="proc" ino=49 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:241): avc: denied { read } for pid=1227 comm="systemd" name="cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:242): avc: denied { open } for pid=1227 comm="systemd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.702:243): avc: denied { getattr } for pid=1227 comm="systemd" path="/proc/cmdline" dev="proc" ino=4026532019 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:244): avc: denied { read } for pid=1227 comm="systemd" name="cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:245): avc: denied { open } for pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:246): avc: denied { getattr } for pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.707:247): avc: denied { ioctl } for pid=1227 comm="systemd" path="/proc/1/cgroup" dev="proc" ino=104 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.718:248): avc: denied { prog_load } for pid=1227 comm="systemd" scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=bpf permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.731:249): avc: denied { ioctl } for pid=1227 comm="systemd" path="/proc/cpuinfo" dev="proc" ino=4026532021 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.744:250): avc: denied { read } for pid=1227 comm="systemd" name="mount" dev="tmpfs" ino=326 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:251): avc: denied { getattr } for pid=1227 comm="systemd" path="/dev/dm-0" dev="devtmpfs" ino=392 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:252): avc: denied { search } for pid=1227 comm="systemd" name="udev" dev="tmpfs" ino=52 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:253): avc: denied { read } for pid=1227 comm="systemd" name="b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:254): avc: denied { open } for pid=1227 comm="systemd" path="/run/udev/data/b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.745:255): avc: denied { getattr } for pid=1227 comm="systemd" path="/run/udev/data/b253:0" dev="tmpfs" ino=804 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.746:256): avc: denied { getattr } for pid=1227 comm="systemd" path="/usr/lib/systemd/user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.747:257): avc: denied { search } for pid=1227 comm="systemd" name="user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:258): avc: denied { getattr } for pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:259): avc: denied { read } for pid=1227 comm="systemd" name="user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:260): avc: denied { open } for pid=1227 comm="systemd" path="/usr/lib/systemd/user" dev="dm-0" ino=25166753 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.748:261): avc: denied { getattr } for pid=1227 comm="systemd" path="/usr/lib/systemd/user/session.slice" dev="dm-0" ino=25524631 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:262): avc: denied { read } for pid=1227 comm="systemd" name="10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:263): avc: denied { open } for pid=1227 comm="systemd" path="/usr/lib/systemd/user/slice.d/10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.754:264): avc: denied { ioctl } for pid=1227 comm="systemd" path="/usr/lib/systemd/user/slice.d/10-oomd-per-slice-defaults.conf" dev="dm-0" ino=8685363 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:265): avc: denied { read } for pid=1227 comm="systemd" name="systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:266): avc: denied { open } for pid=1227 comm="systemd" path="/run/udev/tags/systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.757:267): avc: denied { getattr } for pid=1227 comm="systemd" path="/run/udev/tags/systemd" dev="tmpfs" ino=111 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.773:268): avc: denied { getattr } for pid=1227 comm="systemd" path="/dev/sr0" dev="devtmpfs" ino=341 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.776:269): avc: denied { getattr } for pid=1227 comm="systemd" path="/dev/ptp0" dev="devtmpfs" ino=540 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.873:270): avc: denied { read } for pid=1227 comm="systemd" name="net" dev="proc" ino=4026531845 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:271): avc: denied { read } for pid=1227 comm="systemd" name="dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:272): avc: denied { open } for pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.874:273): avc: denied { ioctl } for pid=1227 comm="systemd" path="/usr/lib/systemd/user/dbus-broker.service" dev="dm-0" ino=25207411 ioctlcmd=0x5401 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_unit_file_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.888:274): avc: denied { search } for pid=1227 comm="systemd" name="1" dev="proc" ino=49 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.892:275): avc: denied { compute_create } for pid=1227 comm="systemd" scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.895:276): avc: denied { getattr } for pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:277): avc: denied { execute } for pid=1240 comm="(ystemctl)" name="systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:278): avc: denied { read open } for pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:279): avc: denied { execute_no_trans } for pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.897:280): avc: denied { map } for pid=1240 comm="systemctl" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:281): avc: denied { getattr } for pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:282): avc: denied { execute } for pid=1241 comm="(tmpfiles)" name="systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:283): avc: denied { read open } for pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.898:284): avc: denied { execute_no_trans } for pid=1241 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.899:285): avc: denied { map } for pid=1241 comm="systemd-tmpfile" path="/usr/bin/systemd-tmpfiles" dev="dm-0" ino=25524530 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.904:286): avc: denied { read } for pid=1240 comm="systemctl" name="root" dev="proc" ino=92 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1
EDIT
I just figured out what happened after storing the last logs above as systemd_denials.log and then executing audit2allow -i systemd_denials.log -o systemd_fix.te. Here's the content of systemd_fix.te:
#============= container_user_t ==============
allow container_user_t clock_device_t:chr_file getattr;
allow container_user_t dbusd_unit_file_t:file { getattr ioctl open read };
allow container_user_t fixed_disk_device_t:blk_file getattr;
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t init_exec_t:file map;
allow container_user_t init_exec_t:file { execute read };
allow container_user_t init_t:dir search;
allow container_user_t init_t:file { getattr ioctl open read };
allow container_user_t init_t:lnk_file read;
allow container_user_t init_t:unix_stream_socket { read write };
allow container_user_t mount_var_run_t:dir read;
allow container_user_t proc_net_t:lnk_file read;
allow container_user_t proc_t:file { getattr ioctl open read };
allow container_user_t removable_device_t:blk_file getattr;
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t security_t:file map;
allow container_user_t security_t:security compute_create;
allow container_user_t self:bpf prog_load;
allow container_user_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t systemd_systemctl_exec_t:file map;
allow container_user_t systemd_tmpfiles_exec_t:file { execute execute_no_trans getattr open read };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow container_user_t systemd_tmpfiles_exec_t:file map;
allow container_user_t systemd_unit_file_t:dir { getattr open read search };
allow container_user_t systemd_unit_file_t:file { getattr ioctl open read };
allow container_user_t udev_var_run_t:dir { getattr open read search };
allow container_user_t udev_var_run_t:file { getattr open read };
#============= init_t ==============
allow init_t container_user_t:process siginh;
allow init_t shadow_t:file { open read };
#============= systemd_logind_t ==============
allow systemd_logind_t self:capability net_admin;
Running sudo setsebool -P domain_can_mmap_files=true still won't fix the problem. I think we have to modify the policy manually.
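As an added example (not code from the issue or from the container-selinux project), here is a small Python triage script for AVC records collected the way rhatdan describes above (semodule -DB, reproduce, ausearch): it parses the records, groups them as audit2allow does, and separates the file 'map' permission, which audit2allow said the domain_can_mmap_files boolean can allow, from the permissions that still need an explicit rule, which is why setsebool alone did not stop the crash. The sample records are constructed from lines quoted earlier in the thread; the function names are my own.

```python
"""Triage of ausearch AVC records like the ones quoted in this thread.
Added example, not code from the issue or from container-selinux: it groups
denials the way audit2allow does and separates the file 'map' permission (which
audit2allow said the domain_can_mmap_files boolean can allow) from the
permissions that still need an explicit rule."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: six records in the shape of the thread's ausearch output.
SAMPLE_LOG = """\
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:235): avc: denied { siginh } for pid=1227 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tclass=process permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:236): avc: denied { map } for pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:237): avc: denied { read } for pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.692:238): avc: denied { execute } for pid=1227 comm="systemd" path="/usr/lib/systemd/systemd" dev="dm-0" ino=17114599 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.896:278): avc: denied { read open } for pid=1240 comm="(ystemctl)" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Dec 28 19:24:11 2023
type=AVC msg=audit(1703766251.897:280): avc: denied { map } for pid=1240 comm="systemctl" path="/usr/bin/systemctl" dev="dm-0" ino=25524430 scontext=container_u:container_user_r:container_user_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
"""

# One AVC record: the verdict, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +"
    r"(?P<result>denied|granted) +\{ *(?P<perms>[^}]*)\} +for +(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted (comm, path)

@dataclass(frozen=True)
class Denial:
    perms: frozenset
    comm: str
    stype: str   # type component of scontext, e.g. container_user_t
    ttype: str   # type component of tcontext, e.g. init_exec_t
    tclass: str

def context_type(ctx: str) -> str:
    """Type field of user:role:type[:range]; the MLS range may itself contain ':'."""
    return ctx.split(":", 3)[2]

def parse_avc_records(text: str) -> list:
    """Parse every 'type=AVC ... denied' record; time-> and ---- lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m or m.group("result") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(Denial(
            perms=frozenset(m.group("perms").split()),
            comm=fields.get("comm", ""),
            stype=context_type(fields["scontext"]),
            ttype=context_type(fields["tcontext"]),
            tclass=fields["tclass"],
        ))
    return denials

def group_denials(denials) -> dict:
    """Merge permissions per (source type, target type, class), as audit2allow keys its rules."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d.stype, d.ttype, d.tclass)] |= d.perms
    return dict(groups)

def split_by_mmap_boolean(groups):
    """Return (keys whose file 'map' denial the boolean covers, {key: perms still needing a rule}).
    The second part is non-empty here, which is why setsebool alone left systemd crashing."""
    boolean_covered, needs_policy = set(), {}
    for key, perms in groups.items():
        rest = set(perms)
        if key[2] == "file" and "map" in rest:
            boolean_covered.add(key)
            rest.discard("map")
        if rest:
            needs_policy[key] = frozenset(rest)
    return boolean_covered, needs_policy

def allow_rule(key, perms) -> str:
    """Render a candidate rule in the .te syntax audit2allow emits; 'self' when source == target."""
    stype, ttype, tclass = key
    ordered = sorted(perms)
    body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
    return f"allow {stype} {'self' if stype == ttype else ttype}:{tclass} {body};"

if __name__ == "__main__":
    covered, remaining = split_by_mmap_boolean(group_denials(parse_avc_records(SAMPLE_LOG)))
    print(f"{len(covered)} group(s) fixable by domain_can_mmap_files; {len(remaining)} still need policy:")
    for key, perms in sorted(remaining.items()):
        print("  " + allow_rule(key, perms))
```

The rules it prints are candidates for review against the role's intended reach, not something to load as-is.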