SELinux blocking socket activation on Fedora

The LXD snap is about to start using socket activation for all our users.
Testing shows that our current edge snap with socket activation enabled works properly on all distributions except for Fedora 26, 27 and 28.

Looking around, this appears to be an SELinux problem: our snapcraft.yaml defines ${SNAP_COMMON}/lxd/unix.socket as the path for socket activation, which expands to /var/snap/lxd/common/lxd/unix.socket.

This path doesn’t appear to be allowed according to SELinux policy, so systemd fails to set up the socket unit, which in turn makes the snap fail to start, which in turn makes it completely fail to install…

We have logic in our snap to handle distros that lack socket activation support in snapd, but as far as I can tell, given where and when this is failing on Fedora, there’s nothing we can do to catch this case and work around it.

We’re scheduled to roll out socket activation by the end of the week; if we can’t figure out a way to get things working on Fedora, that’d be a bit of a problem for those users…

@zyga-snapd @Conan_Kudo

1 Like

Reproducer is (on Fedora):

snap install lxd --edge

Install error is:

[root@snap-fedora-28 ~]# snap install lxd --edge
error: cannot perform the following tasks:
- Start snap "lxd" (8406) services ([start snap.lxd.daemon.unix.socket] failed with exit status 1: Job for snap.lxd.daemon.unix.socket failed.
See "systemctl status snap.lxd.daemon.unix.socket" and "journalctl -xe" for details.
)

Relevant audit entry is:

type=AVC msg=audit(1534564925.015:36461): avc:  denied  { write } for  pid=1 comm="systemd" name="lxd" dev="sda1" ino=659854 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=0
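An added example, not part of the thread, that parses the audit record above into its fields and renders both a plain summary and the type-enforcement rule that would have permitted the access (the same rule audit2allow derives); this is the triage a defender does before deciding whether a denial is a policy gap or an unwanted access. Function names are my own, and SAMPLE_AVC is a copy of the entry quoted above.

```python
import re
import shlex

# Copy of the AVC record quoted in the thread, embedded here as constructed sample input.
SAMPLE_AVC = ('type=AVC msg=audit(1534564925.015:36461): avc:  denied  { write } for  '
              'pid=1 comm="systemd" name="lxd" dev="sda1" ino=659854 '
              'scontext=system_u:system_r:init_t:s0 '
              'tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=0')

# msg=audit(<epoch>.<ms>:<serial>) followed by the AVC verdict, permission set and key=value fields.
AVC_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
                    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')


def parse_avc(line):
    """Parse one type=AVC audit line into a dict; return None for any other record type."""
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'ts': m.group('ts'), 'serial': m.group('serial'),
           'result': m.group('result'), 'perms': m.group('perms').split()}
    # shlex handles the quoted values (comm="systemd", name="lxd").
    for tok in shlex.split(m.group('rest')):
        key, _, val = tok.partition('=')
        rec[key] = val
    # A context is user:role:type[:level]; the type is what policy rules are written against.
    for ctx in ('scontext', 'tcontext'):
        parts = rec.get(ctx, '').split(':', 3)
        rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def explain(rec):
    """One-line summary: who (domain) was denied what on which labeled object, and in which mode."""
    mode = 'enforcing' if rec.get('permissive') == '0' else 'permissive'
    return (f"{rec.get('comm')} (pid {rec.get('pid')}, domain {rec['scontext_type']}) was "
            f"{rec['result']} {'/'.join(rec['perms'])} on {rec['tclass']} '{rec.get('name')}' "
            f"labeled {rec['tcontext_type']}; mode={mode}")


def te_rule(rec):
    """Minimal type-enforcement rule that would allow this exact access (audit2allow's output form)."""
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ ' + ' '.join(rec['perms']) + ' }'
    return f"allow {rec['scontext_type']} {rec['tcontext_type']}:{rec['tclass']} {perms};"


if __name__ == '__main__':
    parsed = parse_avc(SAMPLE_AVC)
    print(explain(parsed))
    print(te_rule(parsed))
```

For the entry above this reports systemd itself (pid 1, init_t) being refused write access to the snappy_var_t directory, which is why the socket unit, not the LXD daemon, is what fails.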

I was trying to use Fedora 28 and the LXD snap last week and I ran into a set of issues. In the end I disabled SELinux enforcement (setenforce 0) and the errors still persisted. At some point we were blocked by a regular permission issue, not an SELinux issue.

I’m not saying I know what the problem was, but that even taking SELinux out of the picture I was not able to successfully use LXD.

I’ll try to look at this again, but given the experiences I wrote about below I don’t know if I can successfully fix this.

Hmm, on our CI side, everything was working fine on Fedora 26, 27 and 28 prior to adding socket activation to our snap. Let me know what kind of other issues you run into, as it’s certainly supposed to otherwise work fine.

1 Like

@zyga-snapd @Conan_Kudo any update on this?

So far we’ve had to turn off all CI on Fedora on our side because of this and will soon have no choice but to break all our Fedora users when we promote this change to the stable channel.

No update yet; I will try to figure out what is broken first thing on Monday.

1 Like

I’m investigating this now. I have reproduced the issue and am looking at minimum policy changes that would make it work.

1 Like

Hello,

Is there any news about this? I am on Fedora 29 and LXD is not usable. Thanks!

1 Like

The problem has been addressed in the SELinux cleanup we’re preparing for snapd 2.39. Unfortunately, until that version is released and packaged, you will have to fall back to switching to permissive mode.

3 Likes