Fedora CoreOS: Can't run binaries in /opt/*/bin as systemd services

leigh · October 16, 2021, 7:44am

I’m trying to run a binary that’s located at /opt/matterbridge/bin/matterbridge as a systemd service, but SELinux is blocking it.

According to matchpathcon, it should work…

[core@diglett ~]$ matchpathcon /opt/matterbridge/bin/matterbridge
/opt/matterbridge/bin/matterbridge	system_u:object_r:bin_t:s0

…but it doesn’t.

[core@diglett ~]$ sudo restorecon /opt/matterbridge/bin/matterbridge
[core@diglett ~]$ ls -laZ /opt/matterbridge/bin/matterbridge
-rwxr-xr-x+ 1 root root unconfined_u:object_r:var_t:s0 46530560 Oct 16 07:09 /opt/matterbridge/bin/matterbridge

At a guess, it looks like this is because /opt is symlinked to /var/opt.

[core@diglett ~]$ matchpathcon /var/opt/matterbridge/bin/matterbridge
/var/opt/matterbridge/bin/matterbridge	system_u:object_r:var_t:s0

Is there somewhere else I can put my binary where it’ll work (ideally not somewhere it’ll be intermingled with other stuff like /usr/local/bin)? Is it a FCOS bug that the /opt symlink making SELinux behave differently to how it seems to be intended?

vgaetera · October 16, 2021, 11:04am

Collect the exact error messages:

journalctl --no-pager -b -g avc

computersavvy · October 16, 2021, 3:24pm

Have you confirmed that it is an selinux issue? That is, have you run “sudo setenforce 0” then tried again once selinux was turned off to confirm that it works without selinux running?

How is it that /opt is linked to /var/opt? Mine has 2 distinct directories, not linked. Also, both have the same selinux context.

I am running workstation and not coreOS but that seems the only difference

siosm · October 17, 2021, 11:59am

I would restore the default context with sudo restorecon -RFv xyz and try again.

leigh · October 21, 2021, 6:48am

Yes, with SELinux disabled everything works as expected.
/opt being a symlink is just how Fedora CoreOS is set up. AIUI, FCOS is very different to Workstation, in that it’s rpm-ostree based and probably more similar to Silverblue.

[core@diglett ~]$ sudo restorecon -RFv /opt/matterbridge/bin/matterbridge
Relabeled /var/opt/matterbridge/bin/matterbridge from unconfined_u:object_r:var_t:s0 to system_u:object_r:var_t:s0

It still doesn’t work after doing that. The only log entry that seems to correspond is this:

Oct 21 06:48:13 diglett audit[4785]: AVC avc:  denied  { execute } for  pid=4785 comm="(erbridge)" name="matterbridge" dev="sda4" ino=34604788 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0

vgaetera · October 21, 2021, 9:53am

Add a custom file context like this:

sudo semanage fcontext -l | grep -e /opt
sudo semanage fcontext -a -t usr_t "/var/opt(/.*)?"
sudo restorecon -R /var/opt

Or change the context directly:

sudo chcon -R -t usr_t /var/opt

Or create a local exception policy:
Linux Manpages Online - man.cx manual pages

siosm · October 21, 2021, 10:49am

Unfortunately semanage is not installed on Fedora CoreOS. But the advice still applies as nothing relabels the files on Fedora CoreOS during updates so you should be able to change the context to the right one and this should then work.