Bug 1258921
Field | Value
---|---
Summary | selinux-policy package update ends up with a semodule crash
Product | Red Hat Enterprise Linux 6
Reporter | Deepu K S <dkochuka>
Component | selinux-policy
Assignee | Miroslav Grepl <mgrepl>
Status | CLOSED CANTFIX
QA Contact | BaseOS QE Security Team <qe-baseos-security>
Severity | medium
Docs Contact |
Priority | unspecified
Version | 6.7
CC | cplummer+bz, dkochuka, dwalsh, lvrabec, mgrepl, mmalik, pandrade, plautrba, pvrabec, ssekidde
Target Milestone | rc
Target Release | ---
Hardware | x86_64
OS | Linux
Whiteboard |
Fixed In Version |
Doc Type | Bug Fix
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2015-10-27 07:42:01 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Bug Depends On |
Bug Blocks | 1271982
Attachments |
Description
Deepu K S
2015-09-01 14:22:26 UTC
Created attachment 1069038 [details]
PBIS software SELinux policy
Does semodule crash when you update selinux-policy packages in permissive mode?

(In reply to Milos Malik from comment #2)
> Does semodule crash when you update selinux-policy packages in permissive
> mode?

Hi Milos,

Thanks for looking into this. SELinux is already in Permissive mode.

    SELINUX=permissive

The crash does happen still.

Thanks

Created attachment 1072552 [details]
ABRT captured problem directory
Created attachment 1072553 [details]
selinux command output from sosreport
Is this machine a limited memory VM?

Hi, I'm the customer who reported this. We've seen the issue on a few servers of different memory sizes (1.8GB - 16GB). I can induce the crash every time if the PBIS module (which depends on clamd_t from clamav) is installed on a server running an earlier version of selinux-policy-targeted (prior to 3.7.19-195, I believe) that contained that type, and then I try to update to a later version that removes it. I can also induce the crash just by manually walking through the commands in the postinstall script.

This command, prior to the one that was causing the segfault:

    # semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav -r glusterfs 2>/dev/null

When I didn't redirect the output, I got this error:

    libsepol.print_missing_requirements: pbis's global requirements were not met: type/attribute clamd_t (No such file or directory).
    libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
    semodule: Failed!

If I then try to run the next command in the post script, I get the segfault:

    # semodule -n -r oracle-port -b base.pp.bz2 -i $packages -s targeted 2>&1 | grep -v "oracle-port";

I should also note that since these commands failed, the above modules do NOT get removed, and the new policies do not get loaded. Since the above error is redirected to /dev/null, the failures are silent.

To summarize:

1. The postinstall script in the selinux-policy-targeted package attempts to remove a bunch of deprecated modules. However, if one of the modules cannot be removed due to a failed dependency, none of the modules end up getting removed. Furthermore, the failure is silent due to the stderr output being redirected to /dev/null. I would expect:
   A. Modules that don't have failed dependencies should be removed
   B. Failures should be at least reported, and preferably handled

2. The postinstall script in the selinux-policy-targeted package also proceeds to re-install the policies included in the package. However, due to the earlier failure to remove the clamav module, this command generates a segfault, and the updated versions of the modules don't get loaded. I would expect:
   A. No segmentation faults
   B. That all modules included in selinux-policy-targeted would get loaded following an update on the package.

Thanks to Deepu for filing the bug.

Yes, the policy handling is not optimal here and we have some changes in RHEL-7. But pbis policy should be updated to use optional_policy() for types which are not a part of the base.pp policy module. For example

---
optional_policy(`
    require {
        type clamd_t;
    }
    pbis_client(clamd_t)
')
----

which would prevent this problem. All non-base types should be called with an optional_policy() statement because the policy is a modular policy and some modules can be disabled or removed, for example.

So semodule segfaulting is the desired behavior? And yum neither loading the new policy nor reporting a failure to do so is also the desired behavior? I agree that the pbis policy should be rewritten and am working with the vendor on that. But I am surprised that you are not interested in fixing the issues I mentioned.

I don't see segfaulting semodule. It reports the failure which is expected.

The crash_dump should have been in the Comment 4 attachment (collected files from abrt).
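The failure mode described in the customer's comments above (one module with an unmet dependency aborts the single batched `semodule -r ... -r ...` call, and `2>/dev/null` hides that nothing was removed) can be avoided by removing the deprecated modules one at a time and reporting each failure. The script below is an added illustration of that approach; it is not the selinux-policy package's own postinstall script. It assumes `semodule` is on PATH, uses a hypothetical `SEMODULE` variable so a stand-in command can be substituted when testing offline, and takes the policy store and module names as arguments.

```shell
#!/bin/sh
# Added illustration (not the selinux-policy package's postinstall script):
# remove deprecated SELinux policy modules one at a time and report every
# failure, instead of passing all of them to a single "semodule -r ... -r ..."
# whose whole transaction aborts when one module (here clamav, still required
# by the pbis module) cannot be removed, and whose stderr is sent to /dev/null.
#
# Assumption (hypothetical, for offline testing): SEMODULE may be set by the
# caller to a stand-in command; by default it is the real semodule on PATH.
SEMODULE="${SEMODULE:-semodule}"

# remove_modules_individually STORE MODULE...
# Runs "semodule -n -s STORE -r MODULE" once per module (-n: do not reload
# the policy after each commit). Prints the names of the modules that were
# removed to stdout, one per line; logs each failure together with semodule's
# own message to stderr; keeps going; and returns the number of failures.
remove_modules_individually() {
    store="$1"
    shift
    failed=0
    for mod in "$@"; do
        if err=$("$SEMODULE" -n -s "$store" -r "$mod" 2>&1); then
            printf '%s\n' "$mod"
        else
            failed=$((failed + 1))
            printf 'selinux-policy postinstall: failed to remove module %s: %s\n' \
                "$mod" "$err" >&2
        fi
    done
    return "$failed"
}

# Stand-alone use:
#   sh remove-modules.sh targeted moilscanner mailscanner gamin ... clamav glusterfs
if [ "$#" -ge 2 ]; then
    remove_modules_individually "$@"
fi
```

Because each module is its own transaction, a module that is still needed by another (clamav here) is the only one left behind, its error message reaches the package manager's output instead of /dev/null, and the non-zero return value lets the scriptlet decide whether to continue with the `semodule -i` reinstall step or stop.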