Forgotten dirs for local systemd-unit-files #2479

Open
TriMoon opened this issue Dec 12, 2024 · 2 comments

Comments

@TriMoon

TriMoon commented Dec 12, 2024

First off, I'm not an expert on SELinux nor Fedora/Bazzite.

But IMHO, you guys have forgotten to include SELinux config for the local systemd-units that are allowed...
See the output of these commands:

```shell
systemd-path systemd-search-system-unit
systemd-path systemd-search-user-unit
```
  • example:
    ```shell
    systemd-path systemd-search-system-unit systemd-search-user-unit \
    | sed "s/:/\n/g; s#$HOME#\$HOME#g; s/`id -u`/\$UID/g" \
    | grep local
    ```

IMHO, the missing SELinux rules can be seen in lines 18-20 of the script below...

I noticed the absence of these rules because I got SELinux denials while trying to use a service residing under `/usr/local/lib/systemd/system`.

  • This Asus X670e Ethernet Fix service works when put under `/etc/systemd/system` at the moment, but I would like it to work under `/usr/local/lib/systemd/system`.

At the moment I'm using the below script, while in the git dir, to install it under `/usr/local/lib/systemd/system`, but somehow it doesn't start at boot-up under Bazzite for reasons I don't understand yet. (It shows enabled though in the status of the unit.)

```bash
#!/usr/bin/env bash
prefix="/usr/local"
sysconfdir="${prefix}/lib/systemd"
bindir="${prefix}/bin"

if test "$(id -u)" -ne 0; then
    echo "Needs ROOT !"
    exit 1
fi

# Remove all local customizations
# (note: this drops every local fcontext rule on the host, not only the ones added below)
semanage fcontext --deleteall

# This doesn't work as wanted...
# semanage fcontext --add --equal /usr/lib/systemd /usr/local/lib/systemd

# SELinux info gathered from: /etc/selinux/targeted/contexts/files/file_contexts
# Directories (d) and symlinks (l) get systemd_conf_t, regular files (f) get
# systemd_unit_file_t, for ${sysconfdir} itself and anything below its
# system/ and user/ subtrees.
semanage fcontext --add --ftype=d --seuser=system_u --type=systemd_conf_t       "${sysconfdir}((/system|/user)(/.*)?)?"
semanage fcontext --add --ftype=f --seuser=system_u --type=systemd_unit_file_t  "${sysconfdir}((/system|/user)(/.*)?)?"
semanage fcontext --add --ftype=l --seuser=system_u --type=systemd_conf_t       "${sysconfdir}((/system|/user)(/.*)?)?"
# semanage fcontext --noheading --locallist --list ${sysconfdir}
semanage fcontext --noheading --locallist --list

# Install the unit and its helper script, then relabel them per the rules above.
mkdir -pv "${sysconfdir}"/{system,user}
cp -va --no-preserve=ownership Intel-NIC-Watchdog.service "${sysconfdir}/system"
cp -va --no-preserve=ownership Intel-NIC-Watchdog.sh "${bindir}"
restorecon -Frv "${sysconfdir}" "${bindir}/Intel-NIC-Watchdog.sh"
ls -lRZa --color=auto "${sysconfdir}" "${bindir}/Intel-NIC-Watchdog.sh"

systemctl daemon-reload
systemctl reenable Intel-NIC-Watchdog
systemctl restart Intel-NIC-Watchdog
sleep 1 # To allow the status to settle before showing it.
systemctl status Intel-NIC-Watchdog
```
  • This script or an equivalent will be uploaded in the git repo later when it works at boot-up under Bazzite...

Extra info from my Bazzite system at the moment:

```
$ ls -lRZa --color=auto /usr/local/lib/systemd /usr/local/bin/Intel-NIC-Watchdog.sh
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0          4445 Dec 10 22:52 /usr/local/bin/Intel-NIC-Watchdog.sh

/usr/local/lib/systemd:
total 0
drwxr-xr-x. 1 root root system_u:object_r:systemd_conf_t:s0 20 Dec 11 15:24 .
drwxr-xr-x. 1 root root system_u:object_r:lib_t:s0          14 Dec 11 15:24 ..
drwxr-xr-x. 1 root root system_u:object_r:systemd_conf_t:s0 52 Dec 11 15:24 system
drwxr-xr-x. 1 root root system_u:object_r:systemd_conf_t:s0  0 Dec 11 15:24 user

/usr/local/lib/systemd/system:
total 4
drwxr-xr-x. 1 root root system_u:object_r:systemd_conf_t:s0       52 Dec 11 15:24 .
drwxr-xr-x. 1 root root system_u:object_r:systemd_conf_t:s0       20 Dec 11 15:24 ..
-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0 451 Dec 10 22:52 Intel-NIC-Watchdog.service

/usr/local/lib/systemd/user:
total 0
drwxr-xr-x. 1 root root system_u:object_r:systemd_conf_t:s0  0 Dec 11 15:24 .
drwxr-xr-x. 1 root root system_u:object_r:systemd_conf_t:s0 20 Dec 11 15:24 ..
$ systemctl status Intel-NIC-Watchdog
○ Intel-NIC-Watchdog.service - Recover from PCIe Link Failures
     Loaded: loaded (/usr/local/lib/systemd/system/Intel-NIC-Watchdog.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf, 50-keep-warm.conf
     Active: inactive (dead)
       Docs: https://gitlab.com/trimoon-inc/asus_x670e_ethernet_fix
             https://systemd.io/NETWORK_ONLINE/
             https://www.freedesktop.org/software/systemd/man/latest/systemd.special.html
```
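An audit helper, added here as an example and not part of the issue's script or the selinux-policy project: it reads `ls -lZ`-style lines and reports every entry in the local unit tree whose SELinux user or type differs from what the three fcontext rules above assign (directories and symlinks `systemd_conf_t`, regular files `systemd_unit_file_t`, all `system_u`). The sample input is constructed; the last two entries are deliberately mislabeled.

```shell
# Constructed sample in "ls -lZ" layout (mode links user group context size
# month day time path). The last two entries are deliberately mislabeled.
SAMPLE_LS='drwxr-xr-x. 1 root root system_u:object_r:systemd_conf_t:s0 52 Dec 11 15:24 /usr/local/lib/systemd/system
-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0 451 Dec 10 22:52 /usr/local/lib/systemd/system/Intel-NIC-Watchdog.service
drwxr-xr-x. 1 root root unconfined_u:object_r:lib_t:s0 0 Dec 11 15:24 /usr/local/lib/systemd/user
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0 300 Dec 11 15:24 /usr/local/lib/systemd/system/other.service'

# expected_type MODE: the type the script's fcontext rules assign for this
# kind of object, judged by the first character of the ls mode string.
expected_type() {
  case "$1" in
    d*|l*) echo systemd_conf_t ;;       # --ftype=d and --ftype=l rules
    -*)    echo systemd_unit_file_t ;;  # --ftype=f rule
    *)     echo unknown ;;
  esac
}

# audit_labels: reads ls -lZ lines on stdin, prints one line per mismatch
# ("path: user:type, expected system_u:type") and returns 1 if any were found.
# Lines with fewer than ten fields ("total N", "dir:" headers) are skipped.
audit_labels() {
  bad=0
  while read -r mode _n _u _g ctx _s _mo _d _t path; do
    [ -n "$path" ] || continue
    user=${ctx%%:*}                          # e.g. system_u
    stype=${ctx#*:*:}; stype=${stype%%:*}    # e.g. systemd_conf_t
    want=$(expected_type "$mode")
    if [ "$user" != system_u ] || [ "$stype" != "$want" ]; then
      echo "$path: $user:$stype, expected system_u:$want"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Stand-alone run over the constructed sample. On a real host, full paths come
# from:  find /usr/local/lib/systemd -exec ls -ldZ {} + | audit_labels
if printf '%s\n' "$SAMPLE_LS" | audit_labels; then
  echo "all entries carry the expected labels"
fi
```

A non-zero exit from `audit_labels` after `restorecon` means the local fcontext rules did not cover that path, which is the symptom the issue reports.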
@zpytela
Contributor

zpytela commented Dec 12, 2024

That's a bit tricky; all local directories are expected to be under the admin's control. You can try

```shell
semanage fcontext -a -e /usr /usr/local
```

but we cannot do such a change in policy, it would inactivate lots of existing rules.

@TriMoon
Author

TriMoon commented Dec 14, 2024

@zpytela

> all local directories are expected to be under the admin's control.

Not sure what you mean, but at the moment systemd is refused permission to read these directories.
Thus we are prevented from placing service files in `/usr/local/lib/systemd/system`, which is for system services, and `/usr/local/lib/systemd/user`, which is for user logins.

The files and directories are meant to be placed by the (organisation's) admin as root user in both dirs I mentioned, but systemd needs to be able to access them to be effective.

  • Take note that the organisation's admin config is different from the distribution's config and the local admin's config...
    The distribution's config can be overridden by the organisation's config, and the organisation's config can be overridden in turn by the local admin config.
    So this distinction should be allowed to work with SELinux...

> You can try `semanage fcontext -a -e /usr /usr/local`
> but we cannot do such a change in policy, it would inactivate lots of existing rules.

I can understand that that would inactivate lots of existing rules; that's why I'm adding only rules for `/usr/local/lib/systemd(/system|/user)?` and below, which should only contain config files.
(Sure, technically one could also place executables/scripts in this tree, but that's outside this use-case.)
