Building a new home with systemd-homed on fedora

I am well aware that I can deliver mail to a dir other than the home dir. It is in fact the prerequisite for virtual users.

But users usually have scripts in their home dir, e.g. ~/bin, and they can't just write to persistent storage outside their home (unless set up separately). Thus cron jobs are a bust, and there are also other services that might need access. I am not saying that this isn't possible, but rather that it is a hassle I'd like to avoid.

Well, again, it seems like this is probably not what you want for those cases.

Their scripts can read from outside the home directory when the user is logged in.
Potentially the mail could be in /var/spool/mail and when the user logs in the script could retrieve the mail for them.

Indeed, this is true. It's also true for autofs, and it's also true for script environments that live in the user's home folder. It's important and useful to grok the limitations of such things, and if it doesn't fit your use case, then maybe systemd-homed isn't the right fit for that environment, or you might need to use an alternative path for those scripts to live.

I use scripts and systemd user services to manage my portable home directory.

  • I use timers as a substitute for cron processes
  • I use paths to monitor files and/or directories for creation, deletion or modifications.
  • I use services to start and stop my podman containers
  • I install my flatpaks from flathub in user mode

You should be able to accomplish normal user interactions when you are mounted, logged in and have the correct label context for the home directory. When the user's and the system's group permissions match, those permissions are also available.
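The timer, path and service setup the post describes, as an added example that is not code from the thread or from systemd-homed itself. The unit names, the ~/bin/fetch-mail script and the ~/Mail/incoming directory are assumptions for illustration; everything is written under the per-user unit directory, which lives inside the portable home.

```shell
# Added example: a cron-free periodic job for a systemd-homed user, built
# only from systemd --user units. Unit names, %h/bin/fetch-mail and
# %h/Mail/incoming are assumed for illustration.

# write_units [UNIT_DIR]  -> writes a service, a timer and a path unit.
# Default UNIT_DIR is the user's own unit directory inside the home.
write_units() {
    dir=${1:-${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user}
    mkdir -p "$dir"

    # The work itself. %h expands to the home directory at activation time,
    # so the unit stays valid when the home is mounted on another machine.
    cat > "$dir/fetch-mail.service" <<'EOF'
[Unit]
Description=Fetch mail into the portable home (assumed script in ~/bin)

[Service]
Type=oneshot
ExecStart=%h/bin/fetch-mail
EOF

    # Cron substitute: every 15 minutes while the user's manager is running.
    # Persistent=true records the last run under the user's data dir (inside
    # the home), so a run missed while the home was inactive fires on next login.
    cat > "$dir/fetch-mail.timer" <<'EOF'
[Unit]
Description=Run fetch-mail every 15 minutes

[Timer]
OnCalendar=*:0/15
Persistent=true
AccuracySec=1min

[Install]
WantedBy=timers.target
EOF

    # Path substitute for "watch a directory" jobs: re-run the service when
    # something drops a file into the incoming directory.
    cat > "$dir/fetch-mail.path" <<'EOF'
[Unit]
Description=Re-run fetch-mail when the incoming directory changes

[Path]
PathChanged=%h/Mail/incoming
Unit=fetch-mail.service

[Install]
WantedBy=default.target
EOF
}

# count_units UNIT_DIR -> number of fetch-mail units written (sanity check)
count_units() { ls "$1"/fetch-mail.* 2>/dev/null | wc -l | tr -d ' '; }

# enable_units: only meaningful in a live session with a user manager.
# Usage: write_units && enable_units
enable_units() {
    systemctl --user daemon-reload
    systemctl --user enable --now fetch-mail.timer fetch-mail.path
}
```

These units run only while the user's service manager is up, which for a homed user means while the home is mounted and the user is logged in, exactly the limitation the post spells out; nothing here runs against an inactive (unmounted, still encrypted) home.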

Hi all

I tried on Rawhide (F39) and encountered a failure like this:

make -f /usr/share/selinux/devel/Makefile homed.pp
Compiling targeted homed module
homed.te:151:ERROR 'syntax error' at token 'container_runtime_read_tmpfs_files' on line 7898:
container_runtime_read_tmpfs_files(systemd_homed_t)
#line 151
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/homed.mod] Error 1

Do you know how I can fix this problem? Or do I need to change to F37/F38, or to a stable version of homed-selinux?

Thanks
Xiao
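A checkmodule "syntax error at token <name>" where <name> is an interface call means m4 left the call unexpanded: none of the headers pulled in from the devel include directory define an interface or template of that name on that release. The check below, an added example that is not from the thread or from the homed-selinux project, lists every interface a .te file calls and reports the ones the installed headers do not define, so the failing name is known before make is run. The demo uses a constructed header tree and .te file; the default include path is the one the Makefile in the thread uses.

```shell
# Added example: verify that every refpolicy interface a .te file calls is
# defined under the installed devel headers before building with
# make -f /usr/share/selinux/devel/Makefile. Interface definitions in the
# headers have the form   interface(`name',`   or   template(`name',`.

# check_interfaces TE_FILE [INCLUDE_DIR]
#   prints "missing: <name>" for each undefined interface, returns 1 if any
check_interfaces() {
    te_file=$1
    inc_dir=${2:-/usr/share/selinux/devel/include}
    rc=0
    # Interface calls are lines of the form   name(args...)
    for name in $(sed -n 's/^[[:space:]]*\([a-z][a-z0-9_]*\)(.*/\1/p' "$te_file" | sort -u); do
        # m4 builtins and refpolicy support macros are not interfaces: skip them
        case $name in
            policy_module|gen_require|gen_tunable|gen_bool|optional_policy|tunable_policy|ifdef|ifndef|define) continue ;;
        esac
        if ! grep -rqE "^(interface|template)\(\`$name'" "$inc_dir"; then
            echo "missing: $name"
            rc=1
        fi
    done
    return $rc
}

# demo: constructed header tree and .te (not a real policy) so this runs
# without selinux-policy-devel installed. The header defines only
# init_read_state; the .te also calls the interface named in the thread.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/inc/contrib"
    printf 'interface(`init_read_state'"'"',`\n\tallow $1 init_var_run_t:file read_file_perms;\n'"'"')\n' \
        > "$tmp/inc/contrib/init.if"
    printf 'policy_module(homed, 1.0)\ntype systemd_homed_t;\ninit_read_state(systemd_homed_t)\ncontainer_runtime_read_tmpfs_files(systemd_homed_t)\n' \
        > "$tmp/homed.te"
    check_interfaces "$tmp/homed.te" "$tmp/inc"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "one or more interfaces are not defined in the headers used"
```

On a real system, run `check_interfaces homed.te` with the devel headers installed; if the name checkmodule stopped at comes back as missing, the policy depends on a header that release's selinux-policy-devel (or the package that ships that interface) does not provide, and the fix is either a header that does define it or a policy that does not call it.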

Sorry, I do not know how to fix that.
I encountered the discard issue on Fedora Workstation 37, but setting up custom SELinux policies was successful. Maybe try F37.

Hi Arturas

f37 works for me, thanks!

Did you try building the module from a toolbox container?

No. I installed f39 on a machine and did the tests directly there

Hi all.

Upgraded my MBP with a homed-managed user, re-applied the custom policy, but still unable to activate the user.

SELinux Troubleshooter says this:

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:

 # ausearch -c 'systemd-homewor' --raw | audit2allow -M my-systemdhomewor
 # semodule -X 300 -i my-systemdhomewor.pp

New custom policy required?

Check if the module is loaded

sudo semanage module -l | grep homed

Got this:

homed              400    pp
my-systemdhomed    300    pp

It seems you have two policies for homed. Is one your custom policy? Are both policies identical?

I will check that, but both of those existed in the F37 causing no issues … This issue appeared after upgrade to F38. I upgraded to F38 while logged in with homed-managed user.

Raw Audit Messages

type=AVC msg=audit(1682445078.738:327): avc:  denied  { getattr } for  pid=6876 comm="systemd-homewor" path="/run/udev/data/b7:0" dev="tmpfs" ino=2832 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1


Hash: systemd-homewor,systemd_homework_t,udev_var_run_t,file,getattr

This denial is not allowed in the current policy. What was the process to get this error?

What was the process to get this error?

sudo homectl activate <my homed user>

There were more errors, mostly I/O. As I upgraded Fedora while I was logged in with my homed user, maybe the upgrade process interrupted some I/O, which in turn resulted in a damaged loop file. I deleted my homed user (it was created for experimenting with homed) and tried to create a new one using exactly the same command, but now I get a new error:

21:47:28 systemd-homed: Operation on failed: Invalid argument
21:47:28 kernel: I/O error, dev loop0, sector 0 op 0x0:(READ) flags 0x800 phys_seg 1 prio class 2
21:47:28 systemd-homewor: Failed to set up LUKS password for slot 0: Invalid argument
21:47:23 systemd-homed: Operation on failed: Wrong medium type

On F37 the same command created a fully functional homed-managed user.

systemd_homework_t should be in permissive mode, so it should have been allowed but still logged in the journal.

I just ran

journalctl -b -g avc | grep systemd_homework_t 
Apr 21 14:14:16 fedora audit[195296]: AVC avc:  denied  { read } for  pid=195296 comm="systemd-homewor" name="b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc:  denied  { open } for  pid=195296 comm="systemd-homewor" path="/run/udev/data/b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc:  denied  { getattr } for  pid=195296 comm="systemd-homewor" path="/run/udev/data/b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:17 fedora audit[195296]: AVC avc:  denied  { create } for  pid=195296 comm="systemd-homewor" scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:system_r:systemd_homework_t:s0 tclass=user_namespace permissive=1

systemd-homed got updated. I see I have some new rules to add.
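Before running `audit2allow -M` as the troubleshooter suggests, it is worth seeing exactly which rules the posted denials would turn into. The block below is an added example, not from the thread and not audit2allow itself: a minimal "AVC lines in, allow rules out" step run over the denials posted above (copied verbatim as the sample), which also separates denials that were merely logged (permissive=1) from ones that were actually enforced.

```shell
# Added example: turn AVC denial lines into the allow rules a local module
# would need, and count how many denials were actually enforced. The sample
# is the set of denials posted in this thread (journal and raw audit formats).

sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(1682445078.738:327): avc:  denied  { getattr } for  pid=6876 comm="systemd-homewor" path="/run/udev/data/b7:0" dev="tmpfs" ino=2832 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc:  denied  { read } for  pid=195296 comm="systemd-homewor" name="b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc:  denied  { open } for  pid=195296 comm="systemd-homewor" path="/run/udev/data/b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc:  denied  { getattr } for  pid=195296 comm="systemd-homewor" path="/run/udev/data/b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:17 fedora audit[195296]: AVC avc:  denied  { create } for  pid=195296 comm="systemd-homewor" scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:system_r:systemd_homework_t:s0 tclass=user_namespace permissive=1
EOF
}

# avc_to_allow: stdin = AVC lines, stdout = one allow rule per
# (source type, target type, class) with permissions merged and de-duplicated.
# A target type equal to the source type is written as "self".
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} for .*scontext=[^:]*:[^:]*:\([a-z0-9_]*\):[^ ]* tcontext=[^:]*:[^:]*:\([a-z0-9_]*\):[^ ]* tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    awk '{
            tgt = ($1 == $2) ? "self" : $2
            key = $1 " " tgt ":" $3
            for (i = 4; i <= NF; i++)
                if (!((key, $i) in seen)) { seen[key, $i] = 1; perms[key] = perms[key] " " $i }
         }
         END { for (k in perms) print "allow " k " {" perms[k] " };" }' |
    sort
}

# enforced_denials: stdin = AVC lines, stdout = number that were actually
# blocked. permissive=1 means the domain is permissive: the access went
# through and was only logged, so these denials alone do not explain a failure.
enforced_denials() { grep -c 'permissive=0' || true; }

demo() { sample_avcs | avc_to_allow; }

demo
printf 'enforced denials: %s\n' "$(sample_avcs | enforced_denials)"
```

On a live system feed it from `ausearch -m avc --raw` or `journalctl -b -g 'avc:'` instead of the sample. Two things to check before loading the result with `semodule -i`: whether each generated rule is something the homework process should really have (reading udev's runtime database and creating a user namespace are plausible for a process that sets up loop devices, but the decision should be explicit), and what priority the module is loaded at. `semodule -X` priority only decides between modules of the same name; two modules with different names, like the `homed` and `my-systemdhomed` entries listed earlier in the thread, are both active regardless of priority, so overlapping rules end up granted by whichever of them defines them.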

What does your journal say about selinux avc denials?

journalctl -b -g 'selinux: avc:'

Apologies, I was stupid and impatient - I deleted my homed user with the hope of re-creating it without errors, but got new ones instead. This means I cannot check AVC denials on the old user (deleted) or on the new one either (cannot create it yet).