Bug 1077115
Summary: | avc: denied { transition } for comm="runcon" path="/usr/bin/true" | ||
---|---|---|---|
Product: | [Retired] Beaker | Reporter: | Alexander Todorov <atodorov> |
Component: | beah | Assignee: | Dan Callaghan <dcallagh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | tools-bugs <tools-bugs> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 0.16 | CC: | aigao, asaha, atodorov, dcallagh, dominick.grift, dwalsh, jjelen, lvrabec, mgrepl, mmalik, pstudeni, rmancy, slukasik, xma |
Target Milestone: | 0.17.1 | Keywords: | TestBlocker |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-06-17 00:14:01 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Alexander Todorov
2014-03-17 09:41:52 UTC
Do you know which test it causes? I didn't find runcon in tests but in the beah harness. All in one file - wrappers.d/unconfined:

```bash
function _runcon_unconfined_cmd() {
    # Determine correct SELinux context for runcon
    local suser='root'
    local srole='system_r'
    local stype='unconfined_t'
    local additional='-l s0'
    if is_rhel -ge 6 || is_fedora -ge 12; then
        suser='unconfined_u'
        srole='unconfined_r'
        additional='-l s0-s0:c0.c1023'
    elif is_rhel -le 4; then
        additional=''
    fi
    echo runcon -u $suser -r $srole -t $stype $additional
}

function runcon_unconfined() {
    local runcon_cmd=$(_runcon_unconfined_cmd)
    if $runcon_cmd -- true; then
        # Run command with SELinux context of the root
        exec $runcon_cmd -- "$@"
    else
        echo "-- WARNING: '$runcon_cmd -- true' failed. Running in default context!"
        exec "$@"
    fi
}

WRAP_NEXT=$(tortilla get-next-wrapper $(basename $0))
if selinuxenabled; then
    echo "-- INFO: selinux enabled: trying to switch context..."
    runcon_unconfined "$WRAP_NEXT" "$@"
else
    exec "$WRAP_NEXT" "$@"
fi
```

Miroslav, I see the same failure with other commands:

```
type=SYSCALL msg=audit(1395250545.584:106): arch=40000003 syscall=11 success=no exit=-13 a0=bf9d539a a1=bf9d4d54 a2=bf9d4db0 a3=0 items=0 ppid=1659 pid=2681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runcon" exe="/usr/bin/runcon" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1395250545.584:106): avc: denied { transition } for pid=2681 comm="runcon" path="/mnt/tests/distribution/virt/install/virtinstall.exp" dev="dm-1" ino=531263 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
```

This is from a test case which launches installation of a virtual guest, and virtinstall.exp is then executed to detect when the installation is complete.

Ok, what happens here is that beaker is now running as unconfined_service_t instead of initrc_t. So this is the reason why you get it.
I am not sure what this test is for? Is it a part of more tests? Milos?

We got to get beaker back to running as initrc_t. Does beaker always have the same entrypoint? We need to label the entrypoint as initrc_exec_t rather than bin_t.

Then again, maybe we should allow unconfined_service_t to transition to unconfined_t.

I believe that running unconfined_service_t is a good thing. Further I believe it is a good thing to separate unconfined_service_t from unconfined_t. On the other hand we need the commands in the tests to be run as unconfined_t (bug 669665). This "runcon true" is just noise. What the harness is trying to achieve is to run the tests as unconfined (bug 669665). There must be a better (more correct) way to achieve that.

The tortilla command (see comment 4) runs the test snippets from some location. Currently, the tortilla command is run through runcon.

Proposal
- If the tests were labelled with unconfined_exec_t we could avoid runcon
- If tortilla were using some fixed location we could have an unconfined_exec_t auto labeling rule (in rhts.te)
- rhts.te could allow for exec transition from (unconfined_service_t,unconfined_exec_t) to unconfined_t
(Note that there already exists a custom rhts.te on each testing machine.)

This seems to be a cleaner way than cluttering upstream policy. Hence I conclude that this should be a bug against beah, not the policy.

Lukas, I agree. Not sure to which component the bug should be switched.

Miroslav, I think your last comment was addressed to Simon not to me. Am I right?

(In reply to Lukas Vrabec from comment #11)
> Miroslav,
> I think your last comment was addressed to Simon not to me. Am I right?

Yes. I apologize.

Ok, no problem.

After discussion with Simon, we believe that the only place where this bug can be changed is beah. I made a policy and some changes to beah files which work for us on current Fedora Rawhide in Beaker. The core is changing the context of the unconfined tortilla wrapper.
Content of file beah.fc:
> /var/lib/beah/tortilla/wrappers.d/unconfined - gen_context(system_u:object_r:unconfined_exec_t,s0)

According to this change we have to allow transitions for unconfined_service_t.

Content of file beah.te:
> gen_require(`
>     type unconfined_t;
>     type unconfined_service_t;
>     type unconfined_exec_t;
> ')
> allow unconfined_service_t unconfined_exec_t:file entrypoint;
> allow unconfined_service_t unconfined_t:process transition;
> type_transition unconfined_service_t unconfined_exec_t:process unconfined_t;

This causes this tortilla wrapper to run in selinux context system_u:unconfined_r:unconfined_t and there is no need to use runcon. So I came with a patch testing the current selinux context and if we are in the desired context, skip runcon.
http://pastebin.test.redhat.com/203498

I implemented this as a workaround in our Fedora-to-rawhide test to see the result and it works fine.
Before: https://beaker.engineering.redhat.com/recipes/1312044
After: https://beaker.engineering.redhat.com/recipes/1313389

The only problem can be that the user is still system_u, so I would like to ask Miroslav for a policy correction to achieve unconfined_u and see the same results like runcon did. Also I would like to ask people from Beaker to take a look at this bugzilla.

(In reply to Jakub Jelen from comment #14)
> After discussion with Simon, we believe that the only place where this bug
> can be changed is beah. I made a policy and some changes to beah files which
> works for us on current Fedora Rawhide in Beaker.
>
> The core is changing context of unconfined tortilla wrapper.
> Content of file beah.fc:
> > /var/lib/beah/tortilla/wrappers.d/unconfined - gen_context(system_u:object_r:unconfined_exec_t,s0)
>
> According to this change we have to allow transitions for
> unconfined_service_t.
> Content of file beah.te:
> > gen_require(`
> > type unconfined_t;
> > type unconfined_service_t;
> > type unconfined_exec_t;
> > ')
> > allow unconfined_service_t unconfined_exec_t:file entrypoint;
> > allow unconfined_service_t unconfined_t:process transition;
> > type_transition unconfined_service_t unconfined_exec_t:process unconfined_t;
>
> This causes this tortilla wrapper is running in selinux context
> system_u:unconfined_r:unconfined_t and there is no need to use runcon. So I
> came with patch testing current selinux context and it we are in desired
> context, skip runcon.
> http://pastebin.test.redhat.com/203498
>
> I implemented this as a workaround in our Fedora-to-rawhide test to see the
> result and it works fine.
> Before: https://beaker.engineering.redhat.com/recipes/1312044
> After: https://beaker.engineering.redhat.com/recipes/1313389
>
> Only problem can be that user is still system_u, so I would like to ask
> Miroslav for policy correction to achieve unconfined_u and see the same
> results like runcon did.

You don't care about "system_u" in targeted policy. This part of the SELinux context is inherited from the SYSTEM_U:system_r:unconfined_service_t:s0-s0:c0.c1023 process in this case.

> Also I would like to ask people from Beaker to take a look at this bugzilla.

After reading through the bug, I'm not clear on the exact request for Beaker here. Change the "unconfined" wrapper to skip calling runcon if the context is already correct, as Jakub suggests? Or something else?

The solution is two modifications of beah:
(1) Start shipping beah selinux policy (beah.te, beah.fc) as described by Jakub
(2) Modify the unconfined wrapper to skip runcon when the process is already unconfined.
Jakub has tested this solution on various Fedora/RHEL releases. Does it sound reasonable to beah upstream?

Just to correct Simon, we test this on Fedora Rawhide.
* This is because of the change of the running context of beaker (initrc_t -> unconfined_service_t).
* Other distributions still run as initrc_t.
But in other points, Simon is correct. We would like to add selinux policy and modify the unconfined wrapper:
And during the last days we found one typo (there should be two dashes):
Content of file beah.fc:
> /var/lib/beah/tortilla/wrappers.d/unconfined -- gen_context(system_u:object_r:unconfined_exec_t,s0)
And yes, this is the point:
* Change selinux context of unconfined wrapper (the above mentioned policy).
* Modify wrapper not to call runcon, if we are in target context.

And it is again almost one month untouched. Or is there something else that is not certain?

Thanks for the nudge Jakub - I had missed the replies above and hadn't added the bug to the accepted list. I've now added it, and it should be addressed in the next beah release (currently expected later this month).

(In reply to Jakub Jelen from comment #20)
> * Modify wrapper not to call runcon, if we are in target context.

Any hints about what this code should look like? Is there anything better than just

```bash
if [[ $(runcon | cut -d: -f3) == "unconfined_t" ]] ; then
    exit 0
fi
```

or similar? The pastebinned patch mentioned in comment 14 seems to have expired, it comes up empty for me.

(In reply to Dan Callaghan from comment #22)
Obviously it can't just exit 0, because of all the tortilla wrapping business... I more meant, is there any better way to check the current context type besides runcon | cut?

Yes, it expired, thank you for the notice. I made a new pastebin with the diff we are using: http://pastebin.test.redhat.com/212856
You can skip the first "id -Z" - this is just test output.

On Gerrit: http://gerrit.beaker-project.org/3125
Jakub, can you please take a look and see if there's anything I've missed?

So far I have only tested that it builds properly, tomorrow I will check if it actually works :-)

Filed a new bug to track the anaconda problem that blocks the testing, bug 1108973

Beah 0.7.5 has been released on beaker-project.org.

Seems to be back here with Fedora 22 [1]. I was hoping that it would be fixed with the final release, but it is not. Seems like the same issue as bz1149988. Shall I clone it to Fedora/Beaker to give it proper attention?
Seems like the workaround presented in c43 [2] works for me [3], but it would be great to have it in Beah/SELinux policy/somewhere so I would not have to work around it for every Fedora run in Beaker.
[1] https://beaker.engineering.redhat.com/jobs/964842
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1149988#c43
[3] https://beaker.engineering.redhat.com/jobs/964924

I cloned your jobs and currently it [1] has failed. https://beaker.engineering.redhat.com/jobs/970106

```
type=AVC msg=audit(1433245218.243:113): avc: denied { transition } for pid=778 comm="runcon" path="/usr/bin/true" dev="dm-0" ino=1576042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
```

Pavel, perhaps you wanted to re-open the bug?

I wanted, but I found current bug 1225007.
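As an added example (not beah's own code and not the Gerrit change linked in the thread), here is one way the unconfined wrapper can check the current SELinux type before deciding whether runcon is needed at all: it reads /proc/self/attr/current (the same value `id -Z` prints) and only invokes runcon when the type is not already unconfined_t, otherwise keeping the probe-and-fallback behaviour of the original wrapper. The function names are assumptions, and the runcon arguments mirror the wrapper's RHEL >= 6 / Fedora >= 12 branch.

```shell
# Added example, not from beah. Decide whether the tortilla "unconfined"
# wrapper still needs runcon by inspecting the current SELinux context.
# Function names are assumptions; the runcon arguments mirror the wrapper
# shown earlier in this bug for RHEL >= 6 / Fedora >= 12.

current_context() {
    # Print the calling process's context, e.g.
    # system_u:system_r:unconfined_service_t:s0 (what `id -Z` prints).
    if [ -r /proc/self/attr/current ]; then
        tr -d '\0' < /proc/self/attr/current
    else
        id -Z 2>/dev/null
    fi
}

context_type() {
    # Third colon-separated field of user:role:type[:range].
    printf '%s' "$1" | cut -d: -f3
}

needs_runcon() {
    # True (exit 0) when the type is anything other than unconfined_t, which
    # covers the unconfined_service_t and initrc_t contexts seen in the AVC
    # denials above; an empty or unreadable context also falls back to runcon.
    [ "$(context_type "$1")" != "unconfined_t" ]
}

runcon_unconfined_if_needed() {
    # Replacement for the wrapper's runcon_unconfined(): once the beah.fc/beah.te
    # policy makes the wrapper an unconfined_t entrypoint, the process is already
    # unconfined_t and the (denied) runcon transition is never attempted.
    local ctx runcon_cmd
    ctx=$(current_context)
    if ! needs_runcon "$ctx"; then
        exec "$@"
    fi
    runcon_cmd="runcon -u unconfined_u -r unconfined_r -t unconfined_t -l s0-s0:c0.c1023"
    if $runcon_cmd -- true; then
        exec $runcon_cmd -- "$@"
    else
        echo "-- WARNING: '$runcon_cmd -- true' failed. Running in default context!"
        exec "$@"
    fi
}
```

The decision logic takes the context string as an argument, so it can be exercised with constructed contexts on a machine without SELinux.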