Bug 1037567

Summary: SELinux is preventing /usr/bin/rm from 'write' accesses on the directory fdinfo.
Product: Fedora
Reporter: Christopher Meng <i>
Component: mock
Assignee: Miroslav Suchý <msuchy>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dominick.grift, dwalsh, jones.peter.busi, lvrabec, mebrown, mgrepl, msuchy, williams
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:b51828fdf7732d6f6c0f0fb7f4dabf7f6099b4c7eca65dc958157378bef1ae41
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-10-20 15:06:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: SELinux alert (flags: none)

Description Christopher Meng 2013-12-03 11:43:15 UTC
Description of problem:
rm -rf /var/lib/mock due to mock deadlock:

12-03 19:31 root         DEBUG    fedora-review 0.5.0 920221d 2013-08-30 11:27:49 +0200 started
12-03 19:31 root         DEBUG    Command  line: /usr/bin/fedora-review -rvn glite-lbjp-common-gsoap-plugin-3.2.10-1.fc21.src.rpm
12-03 19:31 root         INFO     Processing local files: glite-lbjp-common-gsoap-plugin-3.2.10-1.fc21.src.rpm
12-03 19:31 root         INFO     Getting .spec and .srpm Urls from : Local files in /home/rpmaker/Desktop
12-03 19:31 root         DEBUG    Active settings after processing options
12-03 19:31 root         DEBUG        resultdir: None
12-03 19:31 root         DEBUG        verbose: True
12-03 19:31 root         DEBUG        no_report: False
12-03 19:31 root         DEBUG        session_log: /home/rpmaker/.cache/fedora-review.log
12-03 19:31 root         DEBUG        list_flags: False
12-03 19:31 root         DEBUG        list_checks: False
12-03 19:31 root         DEBUG        single: None
12-03 19:31 root         DEBUG        rpm_spec: True
12-03 19:31 root         DEBUG        plugins: {}
12-03 19:31 root         DEBUG        exclude: None
12-03 19:31 root         DEBUG        configdir: None
12-03 19:31 root         DEBUG        log_level: 10
12-03 19:31 root         DEBUG        init_done: True
12-03 19:31 root         DEBUG        cache: False
12-03 19:31 root         DEBUG        mock_config: None
12-03 19:31 root         DEBUG        version: False
12-03 19:31 root         DEBUG        uniqueext: None
12-03 19:31 root         DEBUG        flags: []
12-03 19:31 root         DEBUG        bz_url: https://bugzilla.redhat.com
12-03 19:31 root         DEBUG        mock_options: --no-cleanup-after --no-clean
12-03 19:31 root         DEBUG        list_plugins: False
12-03 19:31 root         DEBUG        _log_config_done: True
12-03 19:31 root         DEBUG        other_bz: None
12-03 19:31 root         DEBUG        plugins_arg: None
12-03 19:31 root         DEBUG        repo: None
12-03 19:31 root         DEBUG        use_colors: True
12-03 19:31 root         DEBUG        bug: None
12-03 19:31 root         DEBUG        prebuilt: False
12-03 19:31 root         DEBUG        name: glite-lbjp-common-gsoap-plugin-3.2.10-1.fc21.src.rpm
12-03 19:31 root         DEBUG        url: None
12-03 19:31 root         DEBUG        checksum: sha256
12-03 19:31 root         DEBUG        nobuild: False
12-03 19:31 root         DEBUG        _con_handler: <logging.StreamHandler object at 0xb718de8c>
12-03 19:31 root         INFO       --> SRPM url: file:///home/rpmaker/Desktop/glite-lbjp-common-gsoap-plugin-3.2.10-1.fc21.src.rpm
12-03 19:31 root         INFO     Using review directory: /home/rpmaker/Desktop/glite-lbjp-common-gsoap-plugin
12-03 19:31 root         DEBUG    find_urls completed: 0.052
12-03 19:31 root         INFO     Re-initializing mock build root
12-03 19:31 root         DEBUG    Init command: mock, --init
12-03 19:31 root         DEBUG    Init output: INFO: mock.py version 1.1.35 starting...
Start: init plugins
INFO: selinux enabled
Finish: init plugins
Start: run
Start: lock buildroot
ERROR: Build root is locked by another process.
 None
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/FedoraReview/mock.py", line 481, in init
    self._rpm_eval('%{_libdir}')
  File "/usr/lib/python2.7/site-packages/FedoraReview/mock.py", line 254, in _rpm_eval
    return check_output(cmd).decode('utf-8').strip()
  File "/usr/lib/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '['mock', '--no-cleanup-after', '--no-clean', '--resultdir=/home/rpmaker/Desktop/glite-lbjp-common-gsoap-plugin/results', '--quiet', '--shell', 'rpm --eval \\"%{_libdir}\\"']' returned non-zero exit status 60
12-03 19:31 root         INFO     Init command returned error code 60
12-03 19:31 root         DEBUG    Url download completed: 1.072
12-03 19:31 root         DEBUG    Skipping CheckExcludeArch in /usr/lib/python2.7/site-packages/FedoraReview/plugins/generic.pyc, deprecated by check-excludearch in /usr/share/fedora-review/scripts/check-excludearch.sh
12-03 19:31 root         DEBUG    Skipping CheckLargeDocs in /usr/lib/python2.7/site-packages/FedoraReview/plugins/generic.pyc, deprecated by check-large-docs in /usr/share/fedora-review/scripts/check-large-docs.sh
12-03 19:31 root         DEBUG    Skipping CheckBundledJars in /usr/lib/python2.7/site-packages/FedoraReview/plugins/java.pyc, deprecated by java-check-bundled-jars in /usr/share/fedora-review/scripts/java-check-bundled-jars.sh
12-03 19:31 root         DEBUG    Exception down the road...
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/FedoraReview/review_helper.py", line 215, in run
    self._do_run(outfile)
  File "/usr/lib/python2.7/site-packages/FedoraReview/review_helper.py", line 205, in _do_run
    self._do_report(outfile)
  File "/usr/lib/python2.7/site-packages/FedoraReview/review_helper.py", line 90, in _do_report
    self._run_checks(self.bug.spec_file, self.bug.srpm_file, outfile)
  File "/usr/lib/python2.7/site-packages/FedoraReview/review_helper.py", line 99, in _run_checks
    self.checks = Checks(spec, srpm)
  File "/usr/lib/python2.7/site-packages/FedoraReview/checks.py", line 314, in __init__
    self.spec = SpecFile(spec_file, self.flags)
  File "/usr/lib/python2.7/site-packages/FedoraReview/spec_file.py", line 72, in __init__
    update_macros()
  File "/usr/lib/python2.7/site-packages/FedoraReview/spec_file.py", line 56, in update_macros
    expanded = Mock.get_macro(macro, self, flags)
  File "/usr/lib/python2.7/site-packages/FedoraReview/mock.py", line 341, in get_macro
    self._macros = self._get_default_macros()
  File "/usr/lib/python2.7/site-packages/FedoraReview/mock.py", line 129, in _get_default_macros
    values = self._rpm_eval(tags).split()
  File "/usr/lib/python2.7/site-packages/FedoraReview/mock.py", line 254, in _rpm_eval
    return check_output(cmd).decode('utf-8').strip()
  File "/usr/lib/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '['mock', '--no-cleanup-after', '--no-clean', '--resultdir=/home/rpmaker/Desktop/glite-lbjp-common-gsoap-plugin/results', '--quiet', '--shell', 'rpm --eval \\"%fedora %epel %buildarch %_libdir %_isa %arch\\"']' returned non-zero exit status 60
12-03 19:31 root         ERROR    Exception down the road...(logs in /home/rpmaker/.cache/fedora-review.log)
12-03 19:31 root         DEBUG    Report completed:  1.851 seconds
SELinux is preventing /usr/bin/rm from 'write' accesses on the directory fdinfo.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rm should be allowed write access on the fdinfo directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep rm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0
Target Objects                fdinfo [ dir ]
Source                        rm
Source Path                   /usr/bin/rm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.21-21.fc21.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-7.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.13.0-0.rc2.git0.1.fc21.i686+PAE #1 SMP Fri Nov 29 21:58:56 UTC 2013 i686 i686
Alert Count                   11
First Seen                    2013-12-03 19:31:47 CST
Last Seen                     2013-12-03 19:31:47 CST
Local ID                      5728da4d-5cb3-4a02-b0e4-4958025062d8

Raw Audit Messages
type=AVC msg=audit(1386070307.85:790): avc:  denied  { write } for  pid=10023 comm="rm" name="fdinfo" dev="proc" ino=1005375 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir

type=SYSCALL msg=audit(1386070307.85:790): arch=i386 syscall=unlinkat success=no exit=EACCES a0=8 a1=9824d5c a2=0 a3=0 items=0 ppid=6681 pid=10023 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts7 comm=rm exe=/usr/bin/rm subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: rm,unconfined_t,init_t,dir,write

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.13.0-0.rc2.git0.1.fc21.i686+PAE
type:           libreport

Comment 1 Daniel Walsh 2013-12-04 13:27:38 UTC
This looks like a process is trying to delete content in the /proc directory tree?  Which are not real files.  Is this a problem that you did not umount /proc from within the mock chroot?

Comment 2 Christopher Meng 2013-12-04 14:35:38 UTC
(In reply to Daniel Walsh from comment #1)
> This looks like a process is trying to delete content in the /proc directory
> tree?  Which are not real files.  Is this a problem that you did not umount
> /proc from within the mock chroot?

I shouldn't unmount anything, all this work should be done by mock, maybe this is a bug of mock exactly.

Comment 3 Christopher Meng 2014-01-03 02:10:49 UTC
No issues now. Temporarily closed as WORKSFORME.

Comment 4 Miroslav Grepl 2014-08-28 13:37:17 UTC
*** Bug 1134597 has been marked as a duplicate of this bug. ***

Comment 5 Peter H. Jones 2014-09-30 04:02:05 UTC
Created attachment 942583 [details]
SELinux alert

Got this in a custom live build in which I hit CTRL-C after I exited from the chroot shell of livecd-creator. Then, I became root and tried to delete the files in my temporary directory.

If I shut down and restart, I expect the rm will work normally.

Comment 6 Miroslav Suchý 2014-10-20 15:06:26 UTC
This is because mock mounts procps in the chroot. If you use the big hammer (Ctrl+C), then it stays mounted and rm on those procps will fail. You have to either manually unmount it, or I believe that --orphanskill should help.

Fixing this would require a lot of work, which is likely not worth the work, because we are moving to use systemd-nspawn for creating chroots, and this should no longer happen there.
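A guard a practitioner would want before running `rm -rf` on an interrupted buildroot, added here as an example and not part of mock or this report: read /proc/mounts, list every mount point still present beneath the directory (deepest first, the order needed for unmounting), and refuse to delete while any remain, so rm never recurses into a leftover procfs and hits the unlinkat denial shown above. The /proc/mounts sample and the buildroot path are constructed.

```shell
#!/bin/sh
# Constructed /proc/mounts sample: a mock buildroot whose proc, sys and
# dev/shm mounts were left behind after Ctrl+C (not taken from the report).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/lib/mock/fedora-rawhide-i386/root/dev/shm tmpfs rw 0 0
proc /var/lib/mock/fedora-rawhide-i386/root/proc proc rw,nosuid,nodev,noexec 0 0
sysfs /var/lib/mock/fedora-rawhide-i386/root/sys sysfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /var/lib/mock-other ext4 rw 0 0'

# mounts_under DIR [MOUNTS_FILE]
# Print each mount point equal to or below DIR, longest path first so that
# children come before their parents. Matching on "DIR/" keeps a sibling
# such as /var/lib/mock-other from being mistaken for a child of
# /var/lib/mock. Defaults to the live /proc/mounts.
mounts_under() {
    dir=${1%/}
    file=${2:-/proc/mounts}
    awk -v d="$dir" '$2 == d || index($2, d "/") == 1 { print $2 }' "$file" |
        awk '{ print length($0) "\t" $0 }' | sort -rn | cut -f2-
}

# safe_rmtree DIR [MOUNTS_FILE]
# Refuse (exit status 2) and list the offending mounts if anything is still
# mounted beneath DIR; otherwise delete it. --one-file-system (GNU rm) is a
# second line of defence that stops recursion at any mount boundary missed
# by the check.
safe_rmtree() {
    leftover=$(mounts_under "$1" "${2:-/proc/mounts}")
    if [ -n "$leftover" ]; then
        printf 'refusing to remove %s: still mounted:\n%s\n' "$1" "$leftover" >&2
        return 2
    fi
    rm -rf --one-file-system -- "$1"
}
```

Against the live system the call is just `safe_rmtree /var/lib/mock/<config>/root`; the mounts it prints are the ones to `umount` (in the printed order) before trying again.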