
Bug 2161885

Summary: SELinux preventing systemd-network-generator from creating files in /run/systemd/network/
Product: Red Hat Enterprise Linux 9
Reporter: Nikita Dubrovskii (IBM) <ndubrovs>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED CURRENTRELEASE
QA Contact: Amith <apeetham>
Severity: medium
Priority: medium
Version: 9.0
CC: bugzilla, dustymabe, dwalsh, extras-qa, fzatlouk, gmarr, grepl.miroslav, jlebon, kevin, lravicha, lvrabec, mmalik, ndubrovs, omosnace, pkoncity, vmojzis, zbyszek, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Doc Type: No Doc Update
Story Points: ---
Clone Of: 2037047
Last Closed: 2023-04-26 19:06:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Nikita Dubrovskii (IBM) 2023-01-18 07:34:51 UTC
+++ This bug was initially created as a clone of Bug #2037047 +++

Description of problem:

If the kernel has arguments that are interpreted by systemd-network-generator, then the systemd-network-generator.service will fail:


```
[core@localhost ~]$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux CoreOS"
VERSION_ID="4.12"
RHEL_VERSION="9.0"

[core@localhost ~]$ sudo rpm-ostree kargs --append="ip=10.0.2.15::10.0.2.2:255.255.255.0:rhcos:enc2:none" && sudo reboot

---- reboot ----

[core@localhost ~]$ systemctl status systemd-network-generator.service
Jan 17 09:58:34 localhost systemd-network-generator[805]: Failed to create unit file /run/systemd/network/90-enc2.network: Permission denied

[core@localhost ~]$ rpm -q selinux-policy
selinux-policy-34.1.29-1.el9_0.2.noarch

[core@localhost ~]$ rpm -q systemd
systemd-250-6.el9_0.1.s390x

[core@localhost ~]$ ls -Z /usr/lib/systemd/systemd-network-generator
system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd-network-generator

[core@localhost ~]$ ls -dZ /run/systemd/network/
system_u:object_r:net_conf_t:s0 /run/systemd/network/

```

How reproducible:

Always

Steps to Reproduce:
1. Start RHCOS 4.12
2. Add `ip=` to kernel command line arguments
3. See systemd-network-generator fail. 

Actual results:

systemd-network-generator fails because it can't write to /run/systemd/network/


Expected results:

No failure

Additional info:

Comment 1 lravicha 2023-02-09 13:19:26 UTC
Hi, when do we expect a fix for this issue?
I am observing it when bringing up a RHCOS node as bootstrap for installing an OpenShift cluster.

On a side note, I am observing this on rhcos 412.90.202301101512-0 and not on rhcos 413.92.202302071516-0.
What was the fix, if so?

Related links:
https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/storage/browser?stream=4.13-9.2&arch=s390x
https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/storage/browser?stream=4.12-9.0&arch=s390x

Comment 2 Zdenek Pytela 2023-02-15 10:48:20 UTC
(In reply to lravicha from comment #1)
> Hi, when do we expect a fix for this issue?
> I am observing it when bringing up a RHCOS node as bootstrap for installing
> an OpenShift cluster.
> 
> On a side note, I am observing this on rhcos 412.90.202301101512-0 and not
> on rhcos 413.92.202302071516-0.
> What was the fix, if so?
> 
> Related links:
> https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/storage/browser?stream=4.13-9.2&arch=s390x
> https://releases-rhcos-art.apps.ocp-virt.prod.psi.redhat.com/storage/browser?stream=4.12-9.0&arch=s390x

This issue has been addressed with selinux-policy-38.1.1-1 in RHEL 9.2.
If you need to backport it to an earlier release, please follow your organization's workflow to request it and add justification.
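
A check for the fixed build named in comment 2, as an added example (not part of the bug report and not Red Hat tooling): it parses `rpm -q selinux-policy` output like that in the description and compares it against 38.1.1-1 using a simplified RPM version comparison. It assumes no epoch, no `~` or `^` in the version, and that the fix was not backported to an earlier build; `has_fix`, `rpm_vercmp` and `split_nvr` are names chosen here.

```python
import re

# Fixed build as stated in comment 2 of this bug.
FIXED_VERSION, FIXED_RELEASE = "38.1.1", "1"
# Architecture suffixes recognised when stripping `rpm -q` output (assumed list).
KNOWN_ARCHES = ("noarch", "s390x", "x86_64", "aarch64", "ppc64le")


def _segments(s):
    # RPM compares maximal runs of digits or letters; other characters only separate.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no '~' or '^' handling): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)  # numeric compare, ignoring leading zeros
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(pkg):
    """Split 'name-version-release[.arch]' as printed by `rpm -q`."""
    head, _, tail = pkg.rpartition(".")
    if tail in KNOWN_ARCHES:
        pkg = head
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def has_fix(pkg):
    """True if this selinux-policy build is at or after the fixed build."""
    name, version, release = split_nvr(pkg)
    if name != "selinux-policy":
        raise ValueError(f"not a selinux-policy package: {pkg!r}")
    c = rpm_vercmp(version, FIXED_VERSION)
    return c > 0 or (c == 0 and rpm_vercmp(release, FIXED_RELEASE) >= 0)


if __name__ == "__main__":
    # First value is the build from the description; the second is constructed.
    for pkg in ("selinux-policy-34.1.29-1.el9_0.2.noarch", "selinux-policy-38.1.1-1.el9.noarch"):
        print(pkg, "has fix" if has_fix(pkg) else "predates fix")
```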

Comment 3 lravicha 2023-02-16 15:24:16 UTC
Thanks, the fix with selinux-policy-38.1.1-1 in RHEL 9.2 sounds good atm.