systemd-homed not working on f41

[tulilirockz]

Havent tested it on any other version, but homectl create doesn't seem to work on my current image. I am using Bluefin-dx:latest which is based on Fedora 41.

system logs:

Nov 28 20:55:11 studio audit[1449]: AVC avc:  denied  { read } for  pid=1449 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=syste
m_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0                                                       
Nov 28 20:55:11 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed
 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'                                                          
Nov 28 20:55:11 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed
-activate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'                                                 
Nov 28 20:55:46 studio audit[1449]: AVC avc:  denied  { write } for  pid=1449 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=syst
em_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0                                                      
Nov 28 20:57:03 studio audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed 
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'                                                           
Nov 28 20:57:04 studio audit[4462]: AVC avc:  denied  { read } for  pid=4462 comm="systemd-homed" name="home" dev="dm-0" ino=508067 scontext=syste
m_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0                                                       
Nov 28 20:57:04 studio audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-homed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
# then this x1000 times or so
Nov 28 21:09:27 studio audit[4462]: AVC avc:  denied  { fowner } for  pid=4462 comm="systemd-homed" capability=3  scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:system_r:systemd_homed_t:s0 tclass=capability permissive=0

rpm -qa | grep selinux:

libselinux-3.7-5.fc41.x86_64
libselinux-utils-3.7-5.fc41.x86_64
selinux-policy-41.26-1.fc41.noarch
selinux-policy-targeted-41.26-1.fc41.noarch
container-selinux-2.234.2-1.fc41.noarch
passt-selinux-0^20241121.g238c69f-1.fc41.noarch
python3-libselinux-3.7-5.fc41.x86_64
flatpak-selinux-1.15.10-1.fc41.noarch
rpm-plugin-selinux-4.20.0-1.fc41.x86_64
smartmontools-selinux-7.4-6.fc41.noarch
freeipa-selinux-4.12.2-4.fc41.noarch
swtpm-selinux-0.9.0-4.fc41.noarch
osbuild-selinux-132-1.fc41.noarch
nbdkit-selinux-1.40.4-1.fc41.noarch
incus-selinux-6.7-0.1.fc41.noarch
cockpit-selinux-329.1-1.fc41.noarch

authselect current:

Profile ID: local                                                                                                                                 
Enabled features:
- with-silent-lastlog
- with-mdns4                                                                                                                                
- with-fingerprint                                                                                                                              
- with-systemd-homed

bootc status: (if that is even useful)

apiVersion: org.containers.bootc/v1
kind: BootcHost
metadata:
  name: host
spec:
  image:
    image: ghcr.io/ublue-os/bluefin-dx:latest
    transport: registry
    signature: containerPolicy
  bootOrder: default
status:
  staged: null
  booted:
    image:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241128
      timestamp: 2024-11-28T04:59:59Z
      imageDigest: sha256:d0b155e298b6dc1b40eac09208bea4fdbfbd125a080fd85573afd8a63a181867
    cachedUpdate: null
    incompatible: false
    pinned: false
    store: ostreeContainer
    ostree:
      checksum: 3c432c099cf531d99ec3cd740ce708f321a816ee7f56c288059e7f1d04d4ba7f
      deploySerial: 0
  rollback:
    image:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241127.1
      timestamp: 2024-11-27T10:45:44Z
      imageDigest: sha256:e23e65b5eafaa256c095081b4eb110b81ee486e07f1fef1a9dbe9bb4775bcf8c
    cachedUpdate:
      image:
        image: ghcr.io/ublue-os/bluefin-dx:latest
        transport: registry
        signature: containerPolicy
      version: latest-41.20241128
      timestamp: 2024-11-28T04:59:59Z
      imageDigest: sha256:d0b155e298b6dc1b40eac09208bea4fdbfbd125a080fd85573afd8a63a181867
    incompatible: false
    pinned: false
    store: ostreeContainer
    ostree:
      checksum: 9ec430dad8244ef31dab4b4ed79ea916c78adae61b168f7a2f7845b2cb68e6e7
      deploySerial: 0
  rollbackQueued: false
  type: bootcHost

journalctl -b | audit2allow -m myerrors:

# this also has a setroubleshootd definition there but still

module myerrors 1.0;

require {
	type install_exec_t;
	type systemd_homed_t;
	type var_t;
	type systemd_homework_t;
	type setroubleshootd_t;
	class dir { read write };
	class capability fowner;
	class file execute;
}

#============= setroubleshootd_t ==============
allow setroubleshootd_t install_exec_t:file execute;

#============= systemd_homed_t ==============
allow systemd_homed_t self:capability fowner;
allow systemd_homed_t var_t:dir { read write };

#============= systemd_homework_t ==============
allow systemd_homework_t var_t:dir read;

[tulilirockz]

Applying the audit2allow rule fixes it completely (although I suppose it isnt the best idea to use that one?)

[tulilirockz]

Also got this:

Nov 28 23:15:11 studio audit[1392]: AVC avc:  denied  { add_name } for  pid=1392 comm="systemd-homed" name="tulili" scontext=system_u:system_r:sys
temd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0

[RoepLuke]

As far as i can see #2018 was merged into the rawhide branch on 24th Sept 2024.
I'm not really sure where the current policy state for F41 Silverblue is in this repository, but I assume the changes haven't been merged/backported into it since then and by that logic not been distributed.

But I really am confused by the parallel efforts to create the systemd-homed selinux policy in the above mentioned pull request as well as in multiple Fedora Discussions [1] [2] [3].
They seem to have been completed successfully but I am unable to trace where or how the changes went into the Fedora Workstation or Silverblue SELinux policy.

Or these are problems of Silverblue specifically with my device setup, the below commands work perfectly fine for me on Fedora Workstation with SELinux enabled (that's far from a clean install however).

So hopefully it'll be fixed in F42. Wanted to try it out on a clean, luks2-full-disk-encrypted install of Silverblue the last few days but had these SELinux Alerts trying to create a homed user:

$ sudo systemctl enable --now systemd-homed
$ sudo authselect enable-feature with-systemd-homed
$ sudo homectl create test --password-change-now=true --storage=luks --fs-type=btrfs --luks-extra-mount-options=defcontext=system_u:object_r:user_home_dir_t:s0
<Password Prompt>
<Password Confirm Prompt>
Operation on home test failed: Access denied

$ sudo journalctl -e --identifier=systemd-homed
Dec 27 19:38:31 fedora systemd-homed[1196]: Successfully loaded private key pair.
Dec 27 19:38:31 fedora systemd-homed[1196]: Watching /home.
Dec 27 19:38:31 fedora systemd-homed[1196]: Failed to open /var/cache/systemd/home/: Permission denied
Dec 30 21:51:17 fedora systemd-homed[1196]: Failed to create blob dir for user 'test': Permission denied
Dec 30 21:51:17 fedora systemd-homed[1196]: test: changing state absent → creating
Dec 30 21:51:17 fedora systemd-homed[1196]: Operation on test failed: Permission denied

$ sudo journalctl -e --identifier=systemd-homework
Dec 30 21:51:17 fedora systemd-homework[45211]: Failed to open system blob base dir: Permission denied

$ sudo journalctl -e --identifier=audit --grep=denied --no-pager
Dec 27 19:38:31 fedora audit[1196]: AVC avc:  denied  { read } for  pid=1196 comm="systemd-homed" name="home" dev="dm-0" ino=90707 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Dec 30 21:51:17 fedora audit[45211]: AVC avc:  denied  { read } for  pid=45211 comm="systemd-homewor" name="home" dev="dm-0" ino=90707 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
Dec 30 21:51:17 fedora audit[1196]: AVC avc:  denied  { write } for  pid=1196 comm="systemd-homed" name="home" dev="dm-0" ino=90707 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0

I also don't know if restoring SELinux file context is still required, it didn't change the behavior for me:

sudo restorecon -rv \
    /usr/lib/systemd/systemd-homed \
    /usr/lib/systemd/systemd-homework \
    /usr/lib/systemd/system/systemd-homed.service \
    /usr/lib/systemd/system/systemd-homed-activate.service \
    /var/lib/systemd/home

[richiedaze]

@RoepLuke, the original source code is https://github.com/richiedaze/homed-selinux, it was meant for testing on fedora. Oringinally, this policy was created on silverblue for silverblue, then modified for all the other variants. This policy was tested by me for a year, then tested publicly tested for another year before I was recommended to modify this policy for upstream and create a pull request to have it merged into the fedora-selinux policy.

Prior to f41, using systemd-homed would create directories/files that would receive default labels. Merging the policy does not relabel these directories/files, thus needing a restorecon to fix label mismatches. New f41+ installs does not require restorecon modification because the directories/files where created with the proper labels because the policy was already implemented.

@tulilirockz @RoepLuke , the systemd-homed policy was merged in f41, along with a new release of systemd which modified systemd-homed with Add bulk directory support to homed #30646 that didn't contain the addition to the policy. Fix systemd-homed blobs directory permissions was added to the policy to address these issues.

@tulilirockz these issues should have been resolved, if so, please close this issue. If not, please post the current selinux denials so that we can resolve this issue. Ty