selinux cloud-init-hotplugd.socket not having permissions to fifo sockets
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init | Expired | Medium | Unassigned |
CentOS | Invalid | Undecided | Unassigned |
Bug Description
Initial cloud-init-
Deploying on Rocky Linux 8.4, we can see SELinux errors preventing the cloud-init-
From journalctl -b 0:
systemd[1]: cloud-init-
systemd[1]: cloud-init-
systemd[1]: Failed to listen on cloud-init hotplug hook socket.
...
setroubleshoot
setroubleshoot
[rocky@
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[rocky@
● cloud-init-
Loaded: loaded (/usr/lib/
Active: failed (Result: resources)
Listen: /run/cloud-
Jul 14 03:39:49 ip-172-
Jul 14 03:39:49 ip-172-
Jul 14 03:39:49 ip-172-
[rocky@
● cloud-init-
Loaded: loaded (/usr/lib/
Active: inactive (dead)
When setting SELinux to permissive, we see no errors from the systemd services.
[rocky@
[rocky@
[rocky@
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[rocky@
● cloud-init-
Loaded: loaded (/usr/lib/
Active: active (listening) since Wed 2021-07-14 03:53:19 UTC; 1min 16s ago
Listen: /run/cloud-
Tasks: 0 (limit: 4797)
Memory: 0B
CGroup: /system.
Jul 14 03:53:19 ip-172-
Attempting to generate an SELinux policy for this systemd socket, I get the following:
[rocky@
module cloud-init-hotplug 1.0;
require {
type init_t;
type net_conf_t;
class dir add_name;
class fifo_file { create open read write };
}
#============= init_t ==============
allow init_t net_conf_t:dir add_name;
allow init_t net_conf_
[rocky@
[rocky@
[rocky@
[rocky@
[rocky@
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[rocky@
[rocky@
[rocky@
[rocky@
● cloud-init-
Loaded: loaded (/usr/lib/
Active: active (listening) since Wed 2021-07-14 03:59:55 UTC; 1min 51s ago
Listen: /run/cloud-
Tasks: 0 (limit: 4797)
Memory: 0B
CGroup: /system.
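The module above is what audit2allow produces from the AVC denials that systemd (init_t) hit while creating the FIFO under a net_conf_t directory. To make that mapping visible, here is an added example (not part of the bug report and not cloud-init's or audit2allow's own code): a small POSIX sh/awk function, `avc_to_te`, that turns AVC denial lines into a Type Enforcement module in the same shape as the one shown. The denial lines are constructed to match the rules in the report's module; on a real host the input would come from ausearch instead.

```shell
#!/bin/sh
# Added example: a minimal audit2allow-style generator. It groups AVC denials
# by (source type, target type, class), collects the denied permissions, and
# emits a .te module with a require block and one allow rule per group.
# The sample denials below are CONSTRUCTED for this example (pid/comm/name
# values are illustrative), modelled on the allow rules in the report.

SAMPLE_AVC='type=AVC msg=audit(1626233989.101:201): avc:  denied  { add_name } for  pid=1 comm="systemd" name="hook-hotplug-cmd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626233989.102:202): avc:  denied  { create } for  pid=1 comm="systemd" name="hook-hotplug-cmd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1626233989.103:203): avc:  denied  { read write open } for  pid=1 comm="systemd" path="/run/cloud-init/hook-hotplug-cmd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=fifo_file permissive=0'

# avc_to_te MODULE_NAME  < avc-lines   ->  .te module text on stdout
avc_to_te() {
    awk -v module="$1" '
    function field(key,  v) {          # value of key=... up to the next space
        match($0, key "[^ ]+")
        return substr($0, RSTART + length(key), RLENGTH - length(key))
    }
    function ctxtype(ctx,  a) {        # user:role:type:level -> type
        split(ctx, a, ":")
        return a[3]
    }
    function addtype(t) { if (!(t in tseen)) { tseen[t] = 1; tlist[++nt] = t } }

    /avc: +denied/ {
        # permissions are the tokens between "{" and "}"
        perms = $0
        sub(/^.*denied +[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)

        stype  = ctxtype(field("scontext="))
        ttype  = ctxtype(field("tcontext="))
        tclass = field("tclass=")

        addtype(stype); addtype(ttype)
        if (!(tclass in cseen)) { cseen[tclass] = 1; clist[++nc] = tclass }

        key = stype " " ttype ":" tclass
        if (!(key in rseen)) { rseen[key] = 1; rlist[++nr] = key }

        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++) {
            # per-class permission list for the require block
            if (!((tclass, pa[i]) in cpseen)) {
                cpseen[tclass, pa[i]] = 1
                cperm[tclass] = cperm[tclass] " " pa[i]
            }
            # per-rule permission list for the allow statement
            if (!((key, pa[i]) in rpseen)) {
                rpseen[key, pa[i]] = 1
                rperm[key] = rperm[key] " " pa[i]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", module
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperm[clist[i]]
        print "}\n"
        for (i = 1; i <= nr; i++) {
            split(rlist[i], k, " ")   # k[1] = source type, k[2] = target:class
            printf "allow %s %s {%s };\n", k[1], k[2], rperm[rlist[i]]
        }
    }'
}

# Stand-alone run: print the module generated from the constructed denials.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te cloud-init-hotplug
```

On a live system the equivalent is `ausearch -m AVC -ts recent | audit2allow -M cloud-init-hotplug` followed by `semodule -i cloud-init-hotplug.pp`. Read the generated rules before loading them: each allow line widens what init_t may do to every net_conf_t object, not just this FIFO, so the narrower fix is to give the socket path its own file context rather than to broaden init_t.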
Changed in centos: status: New → Invalid
Changed in cloud-init: status: New → Triaged
Here are the proposed systemd socket and service files:
# /systemd/cloud-init-hotplugd.socket
[Unit]
Description=cloud-init hotplug hook socket

[Socket]
ListenFIFO=/run/cloud-init/hook-hotplug-cmd

[Install]
WantedBy=cloud-init.target

# systemd/cloud-init-hotplugd.service
[Unit]
Description=cloud-init hotplug hook daemon
After=cloud-init-hotplugd.socket

[Service]
Type=simple
ExecStart=/bin/bash -c 'read args <&3; echo "args=$args"; \
    exec /usr/bin/cloud-init devel hotplug-hook $args; \
    exit 0'
SyslogIdentifier=cloud-init-hotplugd
TimeoutStopSec=5