Fix SELinux denials on SSH fleet provisioning (#3702)

peterschmidt85 · Andrey Cheptsov · claude · web-flow · commit 3c1b58344937 · 2026-03-27T10:23:44.000+01:00
On SELinux-enforcing hosts (RHEL, Rocky), files moved from /tmp retain
their original SELinux context. systemd (init_t) cannot read files with
user_tmp_t or unconfined_u context, causing the shim service to fail.

Fix by adding chcon after mv to set correct SELinux contexts for the
service file (systemd_unit_file_t) and env file (etc_t). The chcon
is a no-op on non-SELinux systems via 2&gt;/dev/null || true.

Also replace mv with cp+rm for the shim binary download to ensure
correct context in /usr/local/bin/.

Co-authored-by: Andrey Cheptsov &lt;andrey.cheptsov@github.com&gt;
Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dstack/_internal/core/backends/base/compute.py b/src/dstack/_internal/core/backends/base/compute.py
@@ -906,7 +906,7 @@ def get_shim_pre_start_commands(
         f"dlpath=$(sudo mktemp -t {DSTACK_SHIM_BINARY_NAME}.XXXXXXXXXX)",
         # -sS -- disable progress meter and warnings, but still show errors (unlike bare -s)
         f'sudo curl -sS --compressed --connect-timeout 60 --max-time 240 --retry 1 --output "$dlpath" "{url}"',
-        f'sudo mv "$dlpath" {dstack_shim_binary_path}',
+        f'sudo cp "$dlpath" {dstack_shim_binary_path} && sudo rm "$dlpath"',
         f"sudo chmod +x {dstack_shim_binary_path}",
         f"sudo mkdir {dstack_working_dir} -p",
     ]
diff --git a/src/dstack/_internal/server/services/ssh_fleets/provisioning.py b/src/dstack/_internal/server/services/ssh_fleets/provisioning.py
@@ -73,7 +73,11 @@ def upload_envs(client: paramiko.SSHClient, working_dir: str, envs: Dict[str, st
     tmp_file_path = f"/tmp/{DSTACK_SHIM_ENV_FILE}"
     sftp_upload(client, tmp_file_path, dot_env)
     try:
-        cmd = f"sudo mkdir -p {working_dir} && sudo mv {tmp_file_path} {working_dir}/"
+        dest = f"{working_dir}/{DSTACK_SHIM_ENV_FILE}"
+        cmd = (
+            f"sudo mkdir -p {working_dir} && sudo mv {tmp_file_path} {dest}"
+            f" && {{ sudo chcon system_u:object_r:etc_t:s0 {dest} 2>/dev/null || true; }}"
+        )
         _, stdout, stderr = client.exec_command(cmd, timeout=20)
         out = stdout.read().strip().decode()
         err = stderr.read().strip().decode()
@@ -148,6 +152,7 @@ def run_shim_as_systemd_service(
     try:
         cmd = """\
             sudo mv /tmp/dstack-shim.service /etc/systemd/system/dstack-shim.service && \
+            { sudo chcon system_u:object_r:systemd_unit_file_t:s0 /etc/systemd/system/dstack-shim.service 2>/dev/null || true; } && \
             sudo systemctl daemon-reload && \
             sudo systemctl --quiet enable dstack-shim && \
             sudo systemctl restart dstack-shim

Original file line number	Diff line number	Diff line change
`@@ -906,7 +906,7 @@ def get_shim_pre_start_commands(`
`906`	`906`	`f"dlpath=$(sudo mktemp -t {DSTACK_SHIM_BINARY_NAME}.XXXXXXXXXX)",`
`907`	`907`	`# -sS -- disable progress meter and warnings, but still show errors (unlike bare -s)`
`908`	`908`	`f'sudo curl -sS --compressed --connect-timeout 60 --max-time 240 --retry 1 --output "$dlpath" "{url}"',`
`909`		`- f'sudo mv "$dlpath" {dstack_shim_binary_path}',`
	`909`	`+ f'sudo cp "$dlpath" {dstack_shim_binary_path} && sudo rm "$dlpath"',`
`910`	`910`	`f"sudo chmod +x {dstack_shim_binary_path}",`
`911`	`911`	`f"sudo mkdir {dstack_working_dir} -p",`
`912`	`912`	`]`