Last few "holes" in Fedora Silverblue - libvirt/swtpm/virt-manager and systemd-homed

Hi.

First, some context. Inspired by the work done by Universal Blue and related communities, I decided to try bootc technology myself. I used blue-build.org to build my variant off GitHub - ublue-os/main: OCI base images of Fedora with batteries included. I chose this variant as the base because it’s close to what Fedora Silverblue is OOTB. The goal of having a custom OS image is to make my installs look and feel the same, and to provide my settings and the flatpak apps I normally install (to --user, not --system) after the OS is installed. Among my use cases are virt-manager, to run Windows VM(s) for my consultancy work, and a systemd-homed managed user home for better privacy and security. With all the required technology in place, there are a few “holes” I’d like to help “plug”:

  1. With the necessary SELinux policies in place for systemd-homed, I still have to set the SELinux contexts of the systemd-homed executables under /usr/lib/systemd/ manually. /usr is read-only, thus sudo mount -o remount,rw /usr is necessary. This leaves /usr writable until the next reboot, which is not good from a security point of view.
  2. Similar thing for /usr/bin/swtpm - I have to fix the SELinux context manually, again making /usr writable. And yes, I read the threads about swtpm on this forum and elsewhere - some of the fixes are on their way.
  3. There are directories needed by both systemd-homed and swtpm that are missing in a fresh install. Some require specific ownership. E.g., /var/lib/swtpm-localca is needed by swtpm and should be owned by the tss group; without that directory it is impossible to create new VMs requiring a TPM.

A couple of points to move out of the way:

  1. Why virt-manager and not the gnome-boxes flatpak? The gnome-boxes flatpak has no USB forwarding, which is a blocker for me.
  2. cat /etc/os-release gives this output:
NAME="Fedora Linux"
VERSION="40.20240902.0 (Silverblue)"
ID=fedora
VERSION_ID=40
VERSION_CODENAME=""
PLATFORM_ID="platform:f40"
PRETTY_NAME="Fedora Linux 40.20240902.0 (Silverblue)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:40"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://silverblue.fedoraproject.org"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-silverblue/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://github.com/fedora-silverblue/issue-tracker/issues"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=40
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=40
SUPPORT_END=2025-05-13
VARIANT="Silverblue"
VARIANT_ID=silverblue
OSTREE_VERSION='40.20240902.0'

Just to make it clear - I want to help fix this by testing, reporting, etc. I might be wrong, but to me it seems pretty easy to set proper SELinux contexts and create the required directories OOTB. This would greatly improve UX.
That said, I need your advice on where to log bugs/feature requests to resolve the issues mentioned above.

Regards
ArtūrasB.


The issue with the SELinux labels in container layered builds is Bootable Containers: Incorrect SELinux labels for package layered with a SELinux module (#45) · Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab. There are workarounds that do not involve completely remounting /usr read-write. Another option is GitHub - hhd-dev/rechunk.

For point 3, this is unexpected. Looks like there are tmpfiles.d entries missing? Would be great to file an issue in Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab with as much details as possible.

For layering libvirt, I’ve been looking at other options but I don’t have a solution yet: Overlaying libvirt on Silverblue / Kinoite / Sericea / Onyx and CoreOS. Systemd’s sysext might work: systemd-sysext

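The two posts above describe the same gap from both sides: the first post has to create /var/lib/swtpm-localca (tss-owned) and relabel /usr/bin/swtpm by hand, and the reply suggests that tmpfiles.d entries are missing. The script below is an added example written for this thread; it is not code from the original posts, from Fedora, swtpm or systemd. It prints the tmpfiles.d fragment that would create the directory OOTB, and it audits the two things the thread fixes manually (directory owner/group/mode and the SELinux type of a file) without touching /usr, so it can be run before and after a fix. The owner tss:tss, the mode 0750 and the type swtpm_exec_t are assumptions; check them against the swtpm package's own %attr and file-context rules before relying on them.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the original posts or from
# Fedora/swtpm/systemd. Shows (a) a tmpfiles.d fragment for the directory the
# first post reports missing and (b) read-only checks for ownership/mode and
# SELinux type, i.e. the things the thread currently fixes by hand.
# ASSUMED values (verify against the packages): /var/lib/swtpm-localca owned by
# tss:tss with mode 0750; SELinux type swtpm_exec_t for /usr/bin/swtpm.

# tmpfiles.d line format: Type Path Mode User Group Age Argument
swtpm_tmpfiles_fragment() {
  cat <<'EOF'
# /etc/tmpfiles.d/swtpm-localca.conf (example; owner and mode are assumptions)
d /var/lib/swtpm-localca 0750 tss tss -
EOF
}

# check_dir PATH USER GROUP MODE -> 0 if the directory exists with exactly
# that owner, group and octal mode (GNU stat); diagnostics go to stderr.
check_dir() {
  local path=$1 want="$2 $3 $4" have
  if [ ! -d "$path" ]; then
    printf 'MISSING %s\n' "$path" >&2
    return 1
  fi
  have=$(stat -c '%U %G %a' "$path") || return 1
  if [ "$have" = "$want" ]; then
    printf 'OK      %s (%s)\n' "$path" "$have" >&2
    return 0
  fi
  printf 'WRONG   %s: have "%s", want "%s"\n' "$path" "$have" "$want" >&2
  return 1
}

# check_fragment < fragment: verify every 'd' entry of a tmpfiles.d fragment.
# Prints the number of failing entries on stdout; exit status is 0 only if
# that number is 0. Comments, blank lines and other entry types are skipped.
check_fragment() {
  local fails=0 type path mode user group rest
  while read -r type path mode user group rest; do
    case "$type" in
      d|D) check_dir "$path" "$user" "$group" "${mode#0}" || fails=$((fails + 1)) ;;
      *)   ;;
    esac
  done
  echo "$fails"
  [ "$fails" -eq 0 ]
}

# context_type CONTEXT -> the type field of an SELinux context string,
# e.g. "system_u:object_r:swtpm_exec_t:s0" -> "swtpm_exec_t".
context_type() {
  local ctx=$1
  ctx=${ctx#*:}; ctx=${ctx#*:}        # drop the user and role fields
  printf '%s\n' "${ctx%%:*}"          # keep the type, drop the MLS/MCS range
}

# check_label PATH TYPE -> 0 if the file carries that SELinux type, 1 if it
# carries a different one, 2 if no label is available (no SELinux support).
check_label() {
  local path=$1 want=$2 ctx
  ctx=$(stat -c '%C' "$path" 2>/dev/null) || return 2
  case "$ctx" in ''|'?') return 2 ;; esac
  [ "$(context_type "$ctx")" = "$want" ] && return 0
  printf 'LABEL   %s: have %s, want type %s\n' "$path" "$ctx" "$want" >&2
  return 1
}

# Usage: script.sh --print   (emit the fragment)
#        script.sh --check   (audit the directory and the swtpm label)
case "${1:-}" in
  --print) swtpm_tmpfiles_fragment ;;
  --check) swtpm_tmpfiles_fragment | check_fragment
           check_label /usr/bin/swtpm swtpm_exec_t ;;
esac
```

To apply the fragment on a real system, save the `--print` output under /etc/tmpfiles.d/ and run `systemd-tmpfiles --create /etc/tmpfiles.d/swtpm-localca.conf`; the same fragment is what a package would ship in /usr/lib/tmpfiles.d/ to make the directory appear OOTB, which is the fix the reply hints at. For the label side, `matchpathcon -V /usr/bin/swtpm` reports whether the on-disk context matches the loaded policy, which is the check worth running after any relabel attempt and after every image update, since the last post in this thread reports labels being reset by an update.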

I don’t know the state of systemd-homed support in Fedora but that’s also something I think would be great to have setup by default for all Atomic Desktops. I’ve created Use systemd-homed by default for all user home dirs (#53) · Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab to track the work here.

Help welcome! Feel free to join the #atomic-desktops:fedoraproject.org Matrix channel as well!


Thank you for your quick response.

Thanks for sharing, I’ll watch this.

Could you point me to those workarounds, please? Until this is solved properly, I’d like to make the workarounds in my “personal OS” less dangerous :slight_smile:

Will do.

I really don’t mind running a couple of extra commands to get libvirt/virt-manager working in Silverblue until proper fixes/updates are in place :slight_smile: But missing directories and SELinux contexts should be low-hanging fruit to deal with, IMHO.


This is my opinion.

I think we are ready with SELinux policies for systemd-homed. Tremendous work has been done by @richiedaze: he created the SELinux policies and this guide to get it working in Fedora (including Atomic variants) - Building a new home with systemd-homed on fedora

He has also worked on including proper SELinux policies in Fedora OOTB - Add support for systemd-homed by richiedaze · Pull Request #2018 · fedora-selinux/selinux-policy · GitHub. I don’t know the latest updates; maybe @richiedaze will say something about it himself.

So with his guide and SELinux policies one can create and use systemd-homed managed users. If the SELinux policies were in place and PAM was updated with systemd-homed (e.g., via authselect) OOTB, users could just create homed-managed users with homectl.

Also I’ve learned recently that some of systemd-homed related work is happening in the GNOME project:
https://thisweek.gnome.org/posts/2024/08/twig-160/

It looks like there is some work planned in the GUI area, but I don’t know the details, thus I might be wrong.

I’d say fixing SELinux contexts, adding the missing directories and enabling systemd-homed in the PAM config OOTB is the MVP for systemd-homed to become usable. Of course, GUI goodies, e.g., user creation/modification via GNOME Settings, are welcome too :smiley:



As I see that a lot of people layer the virt-manager packages, a solution could help.

This might not make sense before the switch to bootc? But by then we may already have systemd-sysextensions.

Hi. Issue is logged - Missing directories in /var/lib for libvirt & swtpm (#54) · Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab .


I have been waiting since January for someone to have time to review this pull request; patience is a virtue. I am now trying to figure out the errors myself and see if I can fix them myself.

From what I can see from the pull request there are several problems.

  • Every time the policy gets built, my modifications don’t get added to the policy even though it claims to build successfully.

  • Testfarm always fails complaining about sessions

Testing

I can build the policy, with the modifications included, successfully from my source policy.

Don’t know why copr doesn’t include the modifications when building the policy on a pull request from fedora-selinux/selinux-policy?

I am trying to learn how testfarm works locally, to test it myself on the build, and to try to fix those errors as well.

Could anyone share a tip or point to a solution on how to change/set the SELinux context label of read-only file(s) without remounting the whole file system/directory read-write?
Internet search did not help. I guess I don’t know proper keywords for the search :smiley:


OK, it seems I found a solution; I just have to test it.


They are linked in Bootable Containers: Incorrect SELinux labels for package layered with a SELinux module (#45) · Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab


Update on the issue with systemd-homed. As fixing the SELinux contexts for systemd-homed did not work the Bluefin way (using bind mounts), I mounted /usr rw and fixed the SELinux labels. Later, I assume after an update, the systemd-homed executables and systemd services were relabeled with the default SELinux contexts, which rendered my homed-managed user unusable (pun intended :smiley:).
Because of this I must revert back to “stock” Silverblue until bootc gets proper SELinux labels for the systemd-homed stuff, and for libvirt/virt-manager as well.
That’s a pity, as I liked the bootc approach, but I also realize time is needed to get things fixed properly.