Fedora Doc error about setting up an Nspawn container

The instructions on setting up the Nspawn container are erroneous because the page says to restorecon -vFr to the /var/lib/machines BEFORE installing there a chroot system. The instructions do not say anything about running restorecon -vFr on the container AFTER everything has been installed.


This requires an issue ticket for Server working group.

@boredsquirrel can you tag it with server and product discussion please?
@pboy is this something your team could verify and respond to @soconfused ? Thanks.


Thank you. I think it’s kind of crucial to get the correct (restricted) SELinux context onto the containers after installing the base system into them.

From Ask Fedora to Project Discussion

Added containers-sig, docs-team

Server? Where?

Btw is there no SELinux SIG?

Added server-wg

Done :wink:

The instructions are correct, I think. When you perform a standard systemd-container installation, rpm creates the /var/lib/machines directory, and it gets the correct permissions and SELinux labels. We can’t rely on this, as a standard server installation provides a separate logical volume for the directory. The directory must therefore be created beforehand.

When you create the directory, it automatically receives the correct SELinux label. It is not the software to be installed that is responsible, but the SELinux package, which knows which label the application software directories require. As soon as you mount a volume at the directory, the label is lost or is obscured by the label that is assigned to the file system to be mounted. By default, this is the label of the /var branch. To be on the safe side, you must therefore adjust the SELinux label the first time you mount it.

If an RPM installation already finds a required directory and can no longer create and configure it itself, the various programs handle this differently. To be on the safe side, we provide the directory exactly as if the program installation had created it itself.

Thank you very much for your comment. Perhaps it would be helpful if we added a brief explanation in the documentation. And if you find any other (possible) errors or ambiguities, we would be grateful for any information.

You should add information in the documentation because the documentation right now does not instruct setting SELinux labels on any ready-to-run container folders in the /var/lib/machines directory or elsewhere. And that’s the crucial aspect. If you do not set the systemd_machined_var_lib_t context on any container to be run, it will not be containerized from the host system. Nothing, I repeat, nothing will set the correct SELinux context on containers except for you, AFTER you prepare the container to be run.

It’s a bit different. Following our instructions, the /var/lib/machines directory gets the correct label (system_u:object_r:systemd_machined_var_lib_t:s0). When you create a subdirectory for the container file system, it automatically inherits that label. In this respect, everything works correctly as described.

If you deviate from this and, for example, create a separate logical volume for each container, then you must indeed adapt the SELinux label. I do not know at the moment whether the BTRFS file system adopts the label of the parent directory for subvolumes.

Anyway, we are in the process of updating the guide to F40/41. See Container systemd-nspawn – Installation :: Fedora Docs Staging. I will go into more detail about the different storage strategies and their configuration.

Well, I created a folder in /var/lib/machines and then installed a system into that folder using dnf --installroot=[that folder], and its contents did not inherit the SELinux label of the parent directory (/var/lib/machines).
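One way to check whether a freshly installed container tree actually carries the container label the thread discusses, before relying on it for confinement. This is an added example, not part of the thread or of the Fedora documentation; the listing it parses is constructed to look like `ls -Z` output for a tree installed with dnf --installroot, and the expected type name systemd_machined_var_lib_t is taken from the posts above. On a real host you would feed it the output of `find /var/lib/machines/NAME -exec ls -dZ {} +` and, if anything is reported, run `restorecon -vFr /var/lib/machines/NAME`.

```shell
#!/bin/sh
# Type every file under a container tree in /var/lib/machines is expected
# to carry (taken from the discussion above).
EXPECTED_TYPE="systemd_machined_var_lib_t"

# Constructed sample in the shape of `ls -dZ` output ("context path"),
# standing in for a real listing of a tree populated with dnf --installroot.
# The files under usr/ and etc/ show the situation reported in the thread:
# they received ordinary labels instead of inheriting the parent's.
SAMPLE='system_u:object_r:systemd_machined_var_lib_t:s0 /var/lib/machines
system_u:object_r:systemd_machined_var_lib_t:s0 /var/lib/machines/f41
system_u:object_r:var_lib_t:s0 /var/lib/machines/f41/usr
system_u:object_r:var_lib_t:s0 /var/lib/machines/f41/etc/passwd
system_u:object_r:systemd_machined_var_lib_t:s0 /var/lib/machines/f41/var'

# find_mislabeled: read "context path" lines on stdin and print every path
# whose SELinux type (third colon-separated field of the context) differs
# from EXPECTED_TYPE. Paths containing spaces are kept intact because
# `read` assigns the remainder of the line to the last variable.
find_mislabeled() {
    while IFS=' ' read -r ctx path; do
        [ -n "$ctx" ] || continue
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        if [ "$type" != "$EXPECTED_TYPE" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# count_mislabeled: number of offending paths in the constructed sample.
count_mislabeled() {
    printf '%s\n' "$SAMPLE" | find_mislabeled | wc -l | tr -d ' '
}

# Real-host usage (not executed here):
#   find /var/lib/machines/f41 -exec ls -dZ {} + | find_mislabeled
# A non-empty result means the tree is not labelled for machined, and
#   restorecon -vFr /var/lib/machines/f41
# reapplies the policy's file contexts to the whole tree.
printf 'mislabeled entries in sample: %s\n' "$(count_mislabeled)"
```

The check compares only the type field, since the user and role parts of the context are the same for every entry under /var/lib/machines; a policy change that altered the expected type would be reflected by changing EXPECTED_TYPE, or by querying `matchpathcon /var/lib/machines` on the host.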