Habitat and SELinux


#1

Hello,

StackOverflow Crosspost

I’ve just gotten started with Habitat, after running into this issue: https://forums.facto rio.com/viewtopic.php?f=49&t=54619 with a game server on an older glibc. (Actually, compiling glibc was easy, getting the game server to properly use it was more of a hassle…)

Enter Habitat!

After a bit of [trying]: https://github.com/maraaaa/habitat-factorio/commits/master it works! And OMG! Running Factorio on “any” OS seems to be a breeze! Until…

Trying to run hab as a service on my home machine running SELinux… (Is it strange that my home machine is hardened more than the server running services for our Corp?)

SO seemed like a more appropriate location to post this question being that it seems to be an SELinux problem and not a Habitat problem… But after a couple weeks, “tons” of views (it’s my first SO post… and it’s gotten more than one a day, that is a ton for me! :smile: ), maybe it’s time to check the habitat forums! (I just learned about them a week ago actually…) It seems [no one else]: https://forums.habitat.sh/search?q=selinux has had the same problems… so maybe a good topic for the forum!

Anyway, to summarize:

  • Followed docs and created a systemd unit file
  • Able to start habitat when SELinux is disabled (not a solution!)
  • Able to start habitat “manually” with hab sup run
  • GoogleFU seems to indicate the error has to do with being linked from /usr/bin ???
  • Am very rusty on SELinux, so really looking for some guidance before just wildly creating modules… (Anyone else got SELinux troubles?)

Happy to post [the errors here from the SO forum]: https://stackoverflow.com/questions/49837987/running-habitat-as-a-service-with-selinux)… but it would literally just be a copy paste of that post to here, which didn’t really seem valuable…

Anyway, even if the guidance is “go talk to the systemd folks” that will be a better lead than generated from SO! :grinning:

Thanks!


#2

This forum actively asks new users to break helpful links… so, sorry… guess you’ll have to remove the spaces yourself…


#3

@maraaaa I can’t believe you’d want to harden your home machine. MADNESS! :smiley:

Just a clarifying question: If you run hab sup run outside of a systemd context, do you still get the selinux errors?

Based on the output it definitely seems like it doesn’t like whatever is in the init process execing something else. @eeyun might have some thoughts on this as well


#4

@maraaaa I can’t believe you’d want to harden your home machine. MADNESS! :smiley:

I know madness!

Just a clarifying question: If you run hab sup run outside of a systemd context, do you still get the selinux errors?

Negative. Runs just fine. In fact, I’ve toyed with adding a /bin/hab sup run to my /etc/rc.local just to see if it would work… But I hardly ever reboot my machine… lol

Thanks for the quick reply!


#5

Hmm indeed I have a few gut feelings I could trace around. I’ll take a look at this in a little bit here. Right now, getting ready for the commute through Copenhagen and on thumbs only!


#6

Pretty sure we checked the journald logs… and this is only coming because of the 0.56 release (congrats BTW, few… shall we say learning curves… but always awesome to see releases like this!)

Jun 08 00:09:18 server.local audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=habitat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 08 00:09:18 server.local audit[24670]: AVC avc:  denied  { execute } for  pid=24670 comm="(hab)" name="hab" dev="dm-0" ino=1451340 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
Jun 08 00:09:18 server.local systemd[24670]: habitat.service: Failed at step EXEC spawning /bin/hab: Permission denied
-- Subject: Process /bin/hab could not be executed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The process /bin/hab could not be executed and failed.
-- 
-- The error number returned by this process is 13.
Jun 08 00:09:18 server.local systemd[1]: habitat.service: Main process exited, code=exited, status=203/EXEC
Jun 08 00:09:18 server.local systemd[1]: habitat.service: Unit entered failed state.
Jun 08 00:09:18 server.local audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=habitat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jun 08 00:09:18 server.local systemd[1]: habitat.service: Failed with result 'exit-code'.
Jun 08 00:09:21 server.local dbus-daemon[970]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.131' (uid=0 pid=941 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Jun 08 00:09:21 server.local dbus-daemon[970]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jun 08 00:09:22 server.local setroubleshoot[24677]: failed to retrieve rpm info for /hab/pkgs/core/hab/0.56.0/20180530234036/bin/hab
Jun 08 00:09:29 server.local setroubleshoot[24677]: Plugin Exception catchall_labels
Jun 08 00:09:29 server.local setroubleshoot[24677]: SELinux is preventing (hab) from execute access on the file /hab/pkgs/core/hab/0.56.0/20180530234036/bin/hab. For complete SELinux messages run: sealert -l fd88f2f5-adb6-4c9c-bca2-f12866c34836
Jun 08 00:09:29 server.local python3[24677]: SELinux is preventing (hab) from execute access on the file /hab/pkgs/core/hab/0.56.0/20180530234036/bin/hab.
                                          
                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                          
                                          If you believe that (hab) should be allowed execute access on the hab file by default.
                                          Then you should report this as a bug.
                                          You can generate a local policy module to allow this access.
                                          Do
                                          allow this access for now by executing:
                                          # ausearch -c '(hab)' --raw | audit2allow -M my-hab
                                          # semodule -X 300 -i my-hab.pp

(could also be SElinux or auditd updates… but I’m going to say it’s the 0.56 update that uncovered this info :slight_smile: )

I think though… that this selinux module will only work until the next time habitat is updated since the path to the binary will change…?
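As an added example (not part of this thread, and not Habitat's own code), here is a small Python parser for the AVC record quoted in the journald excerpt above. It pulls out the source and target SELinux types, flags that the target is `default_t` (the label a file gets when no file-context rule matches its path, which is what the `failed to retrieve rpm info` line also hints at), and builds the shape of a regex-based file-context rule. The `/hab/pkgs` tree and the `bin_t` label passed to it are assumptions for illustration, not a tested policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Denial line taken verbatim from the journald excerpt in post #6 above.
SAMPLE_AVC = (
    'Jun 08 00:09:18 server.local audit[24670]: AVC avc:  denied  { execute } for  '
    'pid=24670 comm="(hab)" name="hab" dev="dm-0" ino=1451340 '
    'scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:default_t:s0 '
    'tclass=file permissive=0'
)

# "avc:  denied  { perms } for  key=value ..." is the fixed part of every AVC record.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    verdict: str            # "denied" or "granted"
    perms: List[str]        # permissions inside the braces, e.g. ["execute"]
    fields: Dict[str, str]  # pid, comm, name, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        # contexts are user:role:type:level; the type is the third field
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def enforced(self) -> bool:
        # permissive=0 means the denial was enforced (the exec really got EACCES)
        return self.fields.get("permissive") == "0"


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit/journald line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(m.group("verdict"), perms, fields)


def diagnose(rec: AvcRecord) -> Dict[str, object]:
    """Classify the denial the way an admin would before reaching for audit2allow."""
    what = (f"{rec.source_type} -> {'/'.join(rec.perms)} on "
            f"{rec.fields.get('tclass')} {rec.fields.get('name', '?')}")
    if rec.target_type == "default_t":
        # default_t is what a file gets when no file-context rule matches its path.
        category = "unlabeled_target"
        note = (f"{what}: the target is labeled default_t, i.e. the policy has no "
                "file-context rule for that path. Relabel the tree instead of "
                "allowing init_t to execute default_t everywhere.")
    else:
        category = "type_enforcement"
        note = f"{what}: a genuine type-enforcement gap between {rec.source_type} and {rec.target_type}."
    return {"category": category, "source": rec.source_type,
            "target": rec.target_type, "enforced": rec.enforced, "note": note}


def fcontext_commands(tree: str, label: str) -> List[str]:
    """Commands for a regex-based file-context rule that also matches future package paths.

    Tree and label are the caller's choice (assumption here: bin_t is a suitable label)."""
    pattern = f"{tree.rstrip('/')}(/.*)?"
    return [
        f'semanage fcontext -a -t {label} "{pattern}"',
        f"restorecon -Rv {tree}",
    ]


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(diagnose(rec)["note"])
    for cmd in fcontext_commands("/hab/pkgs", "bin_t"):
        print("   ", cmd)
```

Because the denial is expressed in SELinux types rather than paths (init_t executing default_t), an allow rule generated from this record is not tied to the release path either, but it grants init_t that access to every default_t file on the system; a file-context rule scoped to the tree is the narrower fix, and `restorecon` has to be re-run (or the rule must be in place before install) whenever new files appear under it.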


#7

Well not necessarily, it kind of depends how you’re handling your install. For now we have precompiled binaries that can be curled down and placed anywhere on $PATH. The hab binary itself doesn’t quite care where it exists. However the supervisor also gets pulled down and its install path will change on every release.