From 7b02ebdbdb9a2457819baf7f9cf27ca69c6c4c44 Mon Sep 17 00:00:00 2001
From: Andrey Cheptsov
Date: Thu, 26 Mar 2026 18:24:43 +0100
Subject: [PATCH] Fix SELinux denials on SSH fleet provisioning
On SELinux-enforcing hosts (RHEL, Rocky), files moved from /tmp retain their original SELinux context. systemd (init_t) cannot read files with user_tmp_t or unconfined_u context, causing the shim service to fail.
Fix by adding chcon after mv to set correct SELinux contexts for the service file (systemd_unit_file_t) and env file (etc_t). The chcon is a no-op on non-SELinux systems via 2>/dev/null || true.
Also replace mv with cp+rm for the shim binary download to ensure correct context in /usr/local/bin/.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/dstack/_internal/core/backends/base/compute.py | 2 +-
 .../_internal/server/services/ssh_fleets/provisioning.py | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/dstack/_internal/core/backends/base/compute.py b/src/dstack/_internal/core/backends/base/compute.py
index 9450b7be5..3304b6e93 100644
--- a/src/dstack/_internal/core/backends/base/compute.py
+++ b/src/dstack/_internal/core/backends/base/compute.py
@@ -906,7 +906,7 @@ def get_shim_pre_start_commands(
 f"dlpath=$(sudo mktemp -t {DSTACK_SHIM_BINARY_NAME}.XXXXXXXXXX)",
 # -sS -- disable progress meter and warnings, but still show errors (unlike bare -s)
 f'sudo curl -sS --compressed --connect-timeout 60 --max-time 240 --retry 1 --output "$dlpath" "{url}"',
- f'sudo mv "$dlpath" {dstack_shim_binary_path}',
+ f'sudo cp "$dlpath" {dstack_shim_binary_path} && sudo rm "$dlpath"',
 f"sudo chmod +x {dstack_shim_binary_path}",
 f"sudo mkdir {dstack_working_dir} -p",
 ]
diff --git a/src/dstack/_internal/server/services/ssh_fleets/provisioning.py b/src/dstack/_internal/server/services/ssh_fleets/provisioning.py
index 3a7c21e6d..553b82f85 100644
--- a/src/dstack/_internal/server/services/ssh_fleets/provisioning.py
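Review bot: The `cp` on the added line writes into the existing destination inode rather than replacing the directory entry, so on a host where the old shim binary is already executing the copy fails with ETXTBSY (text file busy), which the previous `mv` did not; `cp` also follows a symlink at the destination instead of replacing it. If re-provisioning a host with a running shim is a supported path, that is a regression to confirm before merging. A replacement that unlinks the target first and still creates a fresh inode in /usr/local/bin (so the default SELinux labeling the commit relies on should still apply) is `f'sudo install -m 755 "$dlpath" {dstack_shim_binary_path} && sudo rm "$dlpath"',`; the following `chmod +x` then becomes redundant but harmless. get_shim_pre_start_commands starts outside the hunk.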
+++ b/src/dstack/_internal/server/services/ssh_fleets/provisioning.py
@@ -73,7 +73,11 @@ def upload_envs(client: paramiko.SSHClient, working_dir: str, envs: Dict[str, st
 tmp_file_path = f"/tmp/{DSTACK_SHIM_ENV_FILE}"
 sftp_upload(client, tmp_file_path, dot_env)
 try:
- cmd = f"sudo mkdir -p {working_dir} && sudo mv {tmp_file_path} {working_dir}/"
+ dest = f"{working_dir}/{DSTACK_SHIM_ENV_FILE}"
+ cmd = (
+ f"sudo mkdir -p {working_dir} && sudo mv {tmp_file_path} {dest}"
+ f" && {{ sudo chcon system_u:object_r:etc_t:s0 {dest} 2>/dev/null || true; }}"
+ )
 _, stdout, stderr = client.exec_command(cmd, timeout=20)
 out = stdout.read().strip().decode()
 err = stderr.read().strip().decode()
@@ -148,6 +152,7 @@ def run_shim_as_systemd_service(
 try:
 cmd = """\
 sudo mv /tmp/dstack-shim.service /etc/systemd/system/dstack-shim.service && \
+ { sudo chcon system_u:object_r:systemd_unit_file_t:s0 /etc/systemd/system/dstack-shim.service 2>/dev/null || true; } && \
 sudo systemctl daemon-reload && \
 sudo systemctl --quiet enable dstack-shim && \
 sudo systemctl restart dstack-shim
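Review bot: The new `dest` value is interpolated into the shell command unquoted in two places (the `sudo mv {tmp_file_path} {dest}` target and the `chcon` argument), so a `working_dir` containing whitespace or shell metacharacters breaks the command or, if the value is not fully trusted, alters it; wrapping with `shlex.quote(dest)` (and `shlex.quote(working_dir)` on the `mkdir` part; `shlex` is stdlib, import it if the module does not already) would close that. Separately, `sudo mv` keeps whatever mode the sftp upload gave the file in /tmp, typically the SSH user's umask default, so if the env file carries credentials (the `dot_env` name suggests it may) `{dest}` is likely readable by other local users after this command; adding `&& sudo chmod 600 {dest}` next to the `chcon` would address it. upload_envs starts and ends outside the hunk.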
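Review bot: The added `chcon` line pins the unit file to a hardcoded context (`system_u:object_r:systemd_unit_file_t:s0`) instead of asking the host policy what /etc/systemd/system should carry; `sudo restorecon /etc/systemd/system/dstack-shim.service` applies the policy's own file-context rule for that path, so it stays correct on hosts with a customized policy, and fits the same `2>/dev/null || true` fallback for hosts where the tool is absent. That fallback also hides a genuine relabeling failure on an enforcing host, in which case the later `systemctl restart` would presumably fail with a denial rather than a message pointing at labeling; the intent deserves a comment above `cmd = """\`, e.g. `# Relabel after mv: files moved out of /tmp keep their tmp context, which systemd cannot read; errors are ignored so non-SELinux hosts are unaffected.` The triple-quoted cmd and run_shim_as_systemd_service continue outside the hunk.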