
Add support for systemd-homed #2018

Merged 1 commit, Sep 24, 2024

Conversation

richiedaze
Contributor

@richiedaze richiedaze commented Feb 1, 2024

Testing

Enable homed features on Fedora

sudo authselect enable-feature \
    with-systemd-homed
sudo systemctl enable --now \
    systemd-homed

Relabel homed context

sudo restorecon -v \
    /usr/lib/systemd/systemd-homed \
    /usr/lib/systemd/systemd-homework \
    /usr/lib/systemd/system/systemd-homed-activate.service \
    /usr/lib/systemd/system/systemd-homed.service \
    /var/lib/systemd/home/

Create a testuser for homed

sudo homectl create testuser

@zpytela
Contributor

zpytela commented Feb 5, 2024

Thank you for the PR, I am afraid it will take me some time to go through it. What did you use for testing?

@richiedaze
Contributor Author

Building a new home with systemd-homed on fedora

Tested on:

  • Fedora Workstation
  • Silverblue
  • Kinoite

@dngray

dngray commented Feb 13, 2024

Also tested on

  • Sway Atomic

@zpytela
Contributor

zpytela commented Feb 13, 2024

Building a new home with systemd-homed on fedora

Tested on:

  • Fedora Workstation
  • Silverblue
  • Kinoite

Thank you, the link is also quite helpful. I meant if it was "testing by usage" or some automated test or features which can be automated. We have a very basic test.

@richiedaze
Contributor Author

@zpytela, I have tried almost every combination available to the homectl tool for the last 3 years. This policy has more than basic support to function properly. Every now and then upstream modifies the code, and I have adjusted the policy alongside them to maintain robustness.

@zpytela
Contributor

zpytela commented Feb 13, 2024

@zpytela, I have tried almost every combination available to the homectl tool for the last 3 years. This policy has more than basic support to function properly. Every now and then upstream modifies the code, and I have adjusted the policy alongside them to maintain robustness.

Thank you, that sounds very good, so you think this is ready to merge to F40?

@richiedaze
Contributor Author

Yes Sir.


Cockpit tests failed for commit 7d68e9e. @martinpitt, @jelly, @mvollmer please check.

@martinpitt
Contributor

This breaks a lot of Cockpit tests, all which want to connect to the user's session bus:

warning: failed to connect to session bus: [Errno 123] sd_bus_default_user: No medium found

I picked a random journal and it has a lot of

USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
AVC avc: denied { read } for pid=758 comm="auditd" name="userdb" dev="tmpfs" ino=42 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
pam_systemd(sshd:session): Failed to create session: Could not activate remote peer: unit failed.

Note that these tests don't run with homed, this is a "classic" user account.

Aside from this: I'm really excited, thanks for this work! I've run homed on my laptop for many years now, and switched off SELinux because of it.

@martinpitt
Contributor

Reproducer without cockpit, in a standard Fedora 40 VM:

Install the COPR:

dnf copr enable -y packit/fedora-selinux-selinux-policy-2018
dnf update -y --repo='*copr*'
reboot

Then log in as user. This doesn't start the user's systemd session, nor a D-Bus, and the journal says

AVC avc:  denied  { connectto } for  pid=1013 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
pam_systemd(sshd:session): Failed to create session: Could not activate remote peer: unit failed.
pam_unix(sshd:session): session opened for user admin(uid=1000) by admin(uid=0)

(and lots more)

@richiedaze
Contributor Author

richiedaze commented Mar 28, 2024

@martinpitt,

Reproducer without cockpit, in a standard Fedora 40 VM:

Install the COPR:

dnf copr enable -y packit/fedora-selinux-selinux-policy-2018
dnf update -y --repo='*copr*'
reboot
  1. In grub, edit to runlevel 3

  2. Allow system to resume normally

    sudo semanage permissive -a system_dbusd_t

    Needed allow rules to add to the policy

    journalctl -b | audit2allow
    
    #============= avahi_t ==============
    allow avahi_t systemd_userdbd_runtime_t:dir read;
    allow avahi_t systemd_userdbd_runtime_t:lnk_file read;
    allow avahi_t systemd_userdbd_runtime_t:sock_file write;
    
    #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
    allow avahi_t systemd_userdbd_t:unix_stream_socket connectto;
    
    #============= init_t ==============
    allow init_t systemd_machined_t:unix_stream_socket connectto;
    
    #============= policykit_auth_t ==============
    allow policykit_auth_t systemd_userdbd_runtime_t:dir read;
    
    #============= policykit_t ==============
    allow policykit_t systemd_userdbd_runtime_t:dir read;
    
    #============= system_dbusd_t ==============
    allow system_dbusd_t bluetooth_unit_file_t:service { start status };
    allow system_dbusd_t colord_unit_file_t:service { start status };
    allow system_dbusd_t fwupd_unit_file_t:service { start status };
    allow system_dbusd_t systemd_logind_inhibit_var_run_t:fifo_file write;
    allow system_dbusd_t systemd_unit_file_t:service { start status };
    
    #============= systemd_userdbd_t ==============
    
    #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
    allow systemd_userdbd_t systemd_machined_t:unix_stream_socket connectto;
    
    #============= xdm_t ==============
    allow xdm_t systemd_userdbd_runtime_t:sock_file write;

This repo policy for some reason didn't include the systemd-homed module for testing.

sudo semanage module -l | grep systemd-homed
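An added example, not code from the PR or from the selinux-policy project: a small Python script that parses AVC and USER_AVC records of the shape quoted throughout this thread and folds them into allow rules in the same form as the audit2allow output above. The sample journal is constructed from records quoted in this thread plus one invented `{ start }` denial on polkit.service so that permission merging is exercised; the regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample journal: the AVC/USER_AVC records quoted in this PR thread plus one
# invented record (the polkit.service "{ start }" denial) so permission merging is exercised.
SAMPLE_JOURNAL = """\
AVC avc:  denied  { connectto } for  pid=1013 comm="sshd" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/polkit.service" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0'
AVC avc: denied { read } for pid=758 comm="auditd" name="userdb" dev="tmpfs" ino=42 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
AVC avc:  denied  { write } for  pid=217331 comm="cockpit-session" name="io.systemd.Multiplexer" dev="tmpfs" ino=545 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
pam_systemd(sshd:session): Failed to create session: Could not activate remote peer: unit failed.
"""

# One denial record: the permission set, then source/target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Third field of user:role:type[:range] is the SELinux type used in allow rules."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission) for every denial in the text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # e.g. the pam_systemd line: a symptom, not an AVC record
        for perm in m.group("perms").split():
            yield type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perm

def denials_to_allow_rules(text):
    """Fold denials into 'allow src tgt:class { perms };' lines, as audit2allow prints them."""
    grouped = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(text):
        grouped[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(SAMPLE_JOURNAL)))
```

Like audit2allow, this only reports what was denied; deciding whether each rule belongs in the policy, or whether an existing interface or boolean already covers it, remains the reviewer's job.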


Cockpit tests failed for commit 6de9bf4. @martinpitt, @jelly, @mvollmer please check.

@martinpitt
Contributor

This last run still fails all tests. The journal shows lots of

AVC avc:  denied  { read } for  pid=201669 comm="cockpit-session" name="userdb" dev="tmpfs" ino=42 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
AVC avc:  denied  { write } for  pid=217331 comm="cockpit-session" name="io.systemd.Multiplexer" dev="tmpfs" ino=545 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0

(and maybe I missed some more)


Cockpit tests failed for commit e032607. @martinpitt, @jelly, @mvollmer please check.

@martinpitt
Contributor

The rawhide failures still look very grim. Pretty much all cockpit tests fail on

USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/polkit.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

I think this is still a regression in this PR. selinux/rawhide has been broken for a longer time already, see e.g. this recent run. But that "only" broke two tests, not all of them, and the failure is much more specific.


Cockpit tests failed for commit e2378ed. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit 17042b1. @martinpitt, @jelly, @mvollmer please check.

@martinpitt
Contributor

This still breaks the user bus:

warning: failed to connect to session bus: [Errno 123] sd_bus_default_user: No medium found


Cockpit tests failed for commit fe8ac44. @martinpitt, @jelly, @mvollmer please check.

@martinpitt
Contributor

Now it breaks the session bus (I didn't check user bus again):

Failed to list users: Could not activate remote peer 'org.freedesktop.login1': unit failed
Failed to list sessions: Could not activate remote peer 'org.freedesktop.login1': unit failed
Failed to list sessions: Could not activate remote peer 'org.freedesktop.login1': unit failed


Cockpit tests failed for commit 3a3ecf4. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit 71626fa. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit c36d8b8. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit a29dfa8. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit d20397d. @martinpitt, @jelly, @mvollmer please check.

@richiedaze
Contributor Author

Related info #1222 #1639

Contributor

@zpytela zpytela left a comment


Here is my review, I am sorry for the delay. Please do not make any changes right now until things are clarified. In general it looks very well. We'd appreciate any hint for automated testing on some basic level, in addition to the previous link.

policy/modules/system/fstools.if (outdated, resolved)
policy/modules/system/systemd-homed.fc (outdated, resolved)
policy/modules/system/systemd-homed.fc (outdated, resolved)
policy/modules/system/systemd-homed.fc (outdated, resolved)
policy/modules/system/systemd-homed.if (outdated, resolved)
policy/modules/system/systemd-homed.te (outdated, resolved)
policy/modules/system/systemd-homed.te (outdated, resolved)
policy/modules/system/systemd-homed.te (outdated, resolved)
policy/modules/system/systemd-homed.te (outdated, resolved)
policy/modules/system/systemd-homed.te (outdated, resolved)

Cockpit tests failed for commit 8b10286. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit 7edaac6. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit d135996. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit ce8040b. @martinpitt, @jelly, @mvollmer please check.

@zpytela
Contributor

zpytela commented Sep 19, 2024

One more question: systemd_homed_tmpfs_t is used for generic temporary filesystem and e.g. /dev/shm, but the comment refers to /tmp which uses tmp_t. Which one is it actually used for?

@richiedaze
Contributor Author

One more question: systemd_homed_tmpfs_t is used for generic temporary filesystem and e.g. /dev/shm, but the comment refers to /tmp which uses tmp_t. Which one is it actually used for?

It's tmpfs_t, I removed the comments. Thank you for the review.


Cockpit tests failed for commit 86ec558. @martinpitt, @jelly, @mvollmer please check.


Cockpit tests failed for commit 97a648e. @martinpitt, @jelly, @mvollmer please check.

@zpytela
Contributor

zpytela commented Sep 20, 2024

I think it is now ready to be merged, thank you for your patience.
Can you consider squashing the commits?

@richiedaze richiedaze force-pushed the systemd-homed branch 3 times, most recently from 59b9dd9 to 7d967ef, September 22, 2024 20:00
@zpytela
Contributor

zpytela commented Sep 24, 2024

Merging, thank you.

@zpytela zpytela merged commit 3ba70ae into fedora-selinux:rawhide Sep 24, 2024
6 checks passed
@richiedaze richiedaze deleted the systemd-homed branch September 26, 2024 11:16
@richiedaze richiedaze restored the systemd-homed branch October 1, 2024 08:05