Page MenuHomeDevCentral
Create Task
Maniphest T2113

systemd-hostnamed service can't be launched - SELinux blocks it - starship
Closed, ResolvedPublic
Actions

Description

Fun issue with SELinux when spawning a shell with starship requiring the hostname through system-hostnamed service:

Dwellers
$ journalctl -f
[…]
May 18 08:53:20 dwellers.nasqueron.org systemd[1]: Starting systemd-hostnamed.service - Hostname Service...
May 18 08:53:21 dwellers.nasqueron.org audit[3059878]: AVC avc:  denied  { create } for  pid=3059878 comm="systemd-hostnam" name="io.systemd.Hostname" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=0
May 18 08:53:21 dwellers.nasqueron.org audit[3059878]: SYSCALL arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7ffe68d1cf90 a2=23 a3=561c08c0e010 items=0 ppid=1 pid=3059878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
May 18 08:53:21 dwellers.nasqueron.org audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-hostnamed"
May 18 08:53:21 dwellers.nasqueron.org systemd-hostnamed[3059878]: Failed to bind to Varlink socket: Permission denied
May 18 08:53:21 dwellers.nasqueron.org systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE
May 18 08:53:21 dwellers.nasqueron.org systemd[1]: systemd-hostnamed.service: Failed with result 'exit-code'.
May 18 08:53:21 dwellers.nasqueron.org systemd[1]: Failed to start systemd-hostnamed.service - Hostname Service.
[…]

Revisions and Commits

rOPS Nasqueron Operations
D3658rOPSe5ec87dfe258 Allow systemd-hostnamed to create socket when called from Varlink

Related Objects

Event Timeline

dereckson triaged this task as Normal priority.May 18 2025, 08:55
dereckson created this task.
dereckson added a comment.Wed, Sep 10, 21:01

audit2allow policy

Context is init_var_run_t while systemd-hostname wants systemd_hostnamed_t.

Policy expected:

systemd-hostnamed.te
module systemd-hostnamed 1.0;

require {
        type init_var_run_t;
        type systemd_hostnamed_t;
        class sock_file create;
}

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t init_var_run_t:sock_file create;

Next steps

If we would be in another distribution family, to load a custom policy as above would make sense.

But on CentOS Stream, it should be supported out of the box.

Both systemd and selinux can be updated on CentOS Stream, so let's start with a package update, and if still present, we'll report upstream.

dereckson added a comment.Wed, Sep 10, 21:08

Still an error with last packages versions.

dereckson added a comment.Wed, Sep 10, 21:10

Normal behavior observed with the policy:

Sep 10 21:10:02 dwellers.nasqueron.org systemd[1]: Starting systemd-hostnamed.service - Hostname Service...
Sep 10 21:10:02 dwellers.nasqueron.org systemd[1]: Started systemd-hostnamed.service - Hostname Service.
Sep 10 21:10:02 dwellers.nasqueron.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 10 21:10:02 dwellers.nasqueron.org systemd[2235]: Started snap.starship.starship-2c433cb5-3ffe-4c28-a736-624772356a4f.scope.
dereckson renamed this task from systemd-hostnamed service can't be launched - SELinux blocks it to systemd-hostnamed service can't be launched - SELinux blocks it - starship.Wed, Sep 10, 21:11
dereckson claimed this task.
dereckson lowered the priority of this task from Normal to Low.

Decreasing priority, as it only occurs with Starship.

dereckson mentioned this in T2122: Package starship for EPEL.Wed, Sep 10, 22:00
dereckson added a comment.Wed, Sep 10, 22:03

Was looking to offer a fix upstream, like read hostname from /proc/sys/kernel/hostname on Linux, but then I've realised this is an interaction issue with snap, starship, systemd and SELinux.

The issue can only occur when gethostname() is called on specific cases like D-Bus or here Varlink.

21:24:56 < Dereckson> Tiens je viens de m'apercevoir qu'un bug d'intercation entre SElinux, starship et systemd c'est une histoire drôle en fait
21:25:00 < Dereckson> "SELinux, systemd and a full Rust piece of software to set a prompt are in a boat..."
21:26:21 < Dereckson> Chaque nouveau shell (donc chaque division d'un panneau dans tmux) lance starship, qui appelle gethostname() ; jusque là, pourquoi pas ?
21:26:46 < Dereckson> Sauf que starship est installé via snap.
21:28:01 < Dereckson> Donc du coup gethostname() appelle systemd-hostnamed qui doit créer un socket (où d'ailleurs ? l'audit de SELinux ne me l'a pas documenté, pas sûr que ce soit dans /run/systemd)
21:28:36 < Dereckson> Déjà là, ça devient intéressant de savoir que sur un Linux "moderne", il faut lancer un serveur pour récupérer le hostname
21:29:34 < Dereckson> bref, systemd-hostnamed a besoin de créer son socket, et SELinux bloque car il est dans du init_var_run_t, et pas du systemd_var_run_t
21:29:46 < Dereckson> Le fix est trivial : allow systemd_hostnamed_t init_var_run_t:sock_file create;
21:30:16 < Dereckson> Mais ce qui me sidère dans l'histoire c'est le coup du prompt qui appelle un logiciel Rust complet qui lance un service de systemd pour récupérer le hostname
21:31:05 < Dereckson> on se demande pourquoi ça prend quelques centaines de ms de lancer un shell sur ectte machine après
[...]
21:49:32 < Dereckson> à noter que gethostname N'invoque PAS systemd-hostnamed en dehors de cas spéciaux comme dbus ou ici Varlink
21:50:04 < Dereckson> donc fallait vraiment le faire exprès : snap, starhip, systemd, SELinux
21:53:19 < Dereckson> (la solution la plus simple serait de packager starship sur EPEL)
21:53:45 < Dereckson> (au lieu de jouer avec snap)

Going to submit a policy fix to fix that issue now, then we'll get rid of this hell scenario with T2122.

dereckson added a revision: D3658: Allow systemd-hostnamed to create socket when called from Varlink.Wed, Sep 10, 22:06
dereckson mentioned this in T2115: Update Dwellers packages.Wed, Sep 10, 22:24
dereckson closed this task as Resolved by committing rOPSe5ec87dfe258: Allow systemd-hostnamed to create socket when called from Varlink.Wed, Sep 10, 22:51
dereckson added a commit: rOPSe5ec87dfe258: Allow systemd-hostnamed to create socket when called from Varlink.
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator