Bug 1258921

Summary: selinux-policy package update ends up with a semodule crash
Product: Red Hat Enterprise Linux 6
Reporter: Deepu K S <dkochuka>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.7
CC: cplummer+bz, dkochuka, dwalsh, lvrabec, mgrepl, mmalik, pandrade, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-27 07:42:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1271982
Attachments:
  PBIS software SELinux policy (flags: none)

Description Deepu K S 2015-09-01 14:22:26 UTC
Description of problem:
Updating the selinux-policy and selinux-policy-targeted packages throws the semodule crash error below.

semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == target_type->s.value' failed.

Further investigation found that the crash happens in the postscripts, under:
# semodule -n -r oracle-port -b base.pp.bz2 -i $packages -s targeted 2>&1 | grep -v "oracle-port";

A custom PBIS software SELinux policy is installed on the system.
If we manually remove the pbis module before running the "semodule -n -s targeted ... -r clamav" command, then both semodule commands succeed.
The PBIS policy file is attached for reference.


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 6.7
selinux-policy-3.7.19-279.el6_7.4.noarch
selinux-policy-targeted-3.7.19-279.el6_7.4.noarch
policycoreutils-2.0.83-19.47.el6_6.1.x86_64


How reproducible:
Always.


Steps to Reproduce:
1. # yum update selinux-policy selinux-policy-targeted 
OR
# rpm -Uvh selinux-policy-3.7.19-279.el6_7.4.noarch.rpm selinux-policy-targeted-3.7.19-279.el6_7.4.noarch.rpm

2. Check for messages, or if ABRT is configured, it will notify you of the crash.


Actual results:
===YUM=============================
$ sudo yum --enablerepo=cwc-latest update selinux-policy-targeted
Downloading Packages:
(1/2): selinux-policy-3.7.19-279.el6.noarch.rpm                                                           | 881 kB     00:00
(2/2): selinux-policy-targeted-3.7.19-279.el6.noarch.rpm                                         | 3.1 MB     00:00
--------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                  13 MB/s | 3.9 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : selinux-policy-3.7.19-279.el6.noarch                                                                               1/4
  Updating   : selinux-policy-targeted-3.7.19-279.el6.noarch                                                               2/4
semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == target_type->s.value' failed.
  Cleanup    : selinux-policy-targeted-3.7.19-260.el6_6.3.noarch                                                         3/4
  Cleanup    : selinux-policy-3.7.19-260.el6_6.3.noarch                                                                          4/4
cwc-latest/productid                                                                                           | 1.6 kB     00:00
cwc-rhel6-previous/productid                                                                           | 1.6 kB     00:00
  Verifying  : selinux-policy-3.7.19-279.el6.noarch                                                                                1/4
  Verifying  : selinux-policy-targeted-3.7.19-279.el6.noarch                                                              2/4
  Verifying  : selinux-policy-3.7.19-260.el6_6.3.noarch                                                                       3/4
  Verifying  : selinux-policy-targeted-3.7.19-260.el6_6.3.noarch                                                      4/4

Updated:
  selinux-policy-targeted.noarch 0:3.7.19-279.el6

Dependency Updated:
  selinux-policy.noarch 0:3.7.19-279.el6

$ echo $?
0

===RPM===
$ sudo rpm -Uvh selinux-policy-3.7.19-279.el6.noarch.rpm selinux-policy-targeted-3.7.19-279.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == target_type->s.value' failed.
$ echo $?
0
=====================================

This has been happening on the latest RHEL 6.7 and on older RHEL 6 versions. The error is thrown by both the yum and the rpm update; however, both updates return an exit value of 0.

Expected results:
No crashes.

Additional info:
ABRT detects the crash and reports it to the user. If ABRT isn't running, the user isn't aware that a crash has happened.

Comment 1 Deepu K S 2015-09-01 14:25:50 UTC
Created attachment 1069038 [details]
PBIS software SELinux policy

Comment 2 Milos Malik 2015-09-01 14:48:34 UTC
Does semodule crash when you update selinux-policy packages in permissive mode?

Comment 3 Deepu K S 2015-09-02 14:10:25 UTC
(In reply to Milos Malik from comment #2)
> Does semodule crash when you update selinux-policy packages in permissive
> mode?

Hi Milos,

Thanks for looking into this.
SELinux is already in Permissive mode.

SELINUX=permissive

The crash still happens.

Thanks

Comment 4 Deepu K S 2015-09-11 13:05:56 UTC
Created attachment 1072552 [details]
ABRT captured problem directory

Comment 5 Deepu K S 2015-09-11 13:08:17 UTC
Created attachment 1072553 [details]
selinux command output from sosreport

Comment 6 Daniel Walsh 2015-09-11 19:18:50 UTC
Is this machine a limited memory VM?

Comment 7 Christina Plummer 2015-09-12 00:02:41 UTC
Hi, I'm the customer who reported this.  We've seen the issue on a few servers of different memory sizes (1.8GB - 16GB).  

I can induce the crash every time if the PBIS module (which depends on clamd_t from clamav) is installed on a server running an earlier version of selinux-policy-targeted (prior to 3.7.19-195, I believe) that contained that type, and then I try to update to a later version that removes it. 

I can also induce the crash just by manually walking through the commands in the postinstall script.

This command, prior to the one that was causing the segfault: 
# semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav -r glusterfs 2>/dev/null

When I didn't redirect the output, I got this error:

libsepol.print_missing_requirements: pbis's global requirements were not met: type/attribute clamd_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

If I then try to run the next command in the post script, I get the segfault:
# semodule -n -r oracle-port -b base.pp.bz2 -i $packages -s targeted 2>&1 | grep -v "oracle-port";

I should also note that since these commands failed, the above modules do NOT get removed, and the new policies do not get loaded.  Since the above error is redirected to /dev/null, the failures are silent.

To summarize:
1. The postinstall script in the selinux-policy-targeted package attempts to remove a bunch of deprecated modules.  However, if one of the modules cannot be removed due to a failed dependency, none of the modules end up getting removed.  Furthermore, the failure is silent due to the stderr output being redirected to /dev/null.  I would expect:
  A. Modules that don't have failed dependencies should be removed
  B. Failures should be at least reported, and preferably handled

2. The postinstall script in the selinux-policy-targeted package also proceeds to re-install the policies included in the package.  However, due to the earlier failure to remove the clamav module, this command generates a segfault, and the updated versions of the modules don't get loaded.  I would expect:
  A. No segmentation faults
  B. That all modules included in selinux-policy-targeted would get loaded following an update on the package.

Thanks to Deepu for filing the bug.

Comment 10 Miroslav Grepl 2015-10-27 07:42:01 UTC
Yes, the policy handling is not optimal here and we have some changes in RHEL-7. 

But the pbis policy should be updated to use optional_policy() for types which are not a part of the base.pp policy module.

For example

---

optional_policy(`
 require {
  type clamd_t;
 }
 pbis_client(clamd_t)
')

----

which would prevent this problem. All non-base types should be called within an optional_policy() statement, because the policy is modular and some of the modules can be disabled or removed, for example.
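As an added check (not code from this bug, from Red Hat or from the PBIS vendor): a small Python linter that flags types a .te module requires at global scope which are not defined in base.pp, the exact pattern comment 10 says breaks linking once the defining module (here clamav) is removed. The two .te fragments, the pbis_client interface name and the base-type set are constructed assumptions; on a real system the base set would come from a query of the installed policy.

```python
import re

# Constructed .te fragment: clamd_t is hard-required at global scope, so the
# whole module fails to link when the clamav module is removed.
UNGUARDED_TE = """
policy_module(pbis, 1.0)
require {
  type clamd_t;
  type sshd_t;
}
pbis_client(clamd_t)
pbis_client(sshd_t)
"""

# Constructed .te fragment following comment 10: the clamd_t dependency is
# wrapped in optional_policy(), so a missing clamav module only skips that part.
GUARDED_TE = """
policy_module(pbis, 1.0)
require {
  type sshd_t;
}
pbis_client(sshd_t)
optional_policy(`
  require {
    type clamd_t;
  }
  pbis_client(clamd_t)
')
"""

# Constructed subset of types assumed to live in base.pp on the target.
BASE_TYPES = {"sshd_t", "init_t", "unconfined_t"}

OPT_RE = re.compile(r"optional_policy\(`(.*?)'\)", re.S)  # optional_policy(` ... ')
REQ_RE = re.compile(r"require\s*\{(.*?)\}", re.S)           # require { ... }
TYPE_RE = re.compile(r"\btype\s+([^;]+);")                  # type a, b;

def global_required_types(te_source):
    """Types required outside any optional_policy() block."""
    stripped = OPT_RE.sub("", te_source)  # guarded regions never block linking
    types = set()
    for block in REQ_RE.findall(stripped):
        for decl in TYPE_RE.findall(block):
            types.update(t.strip() for t in decl.split(","))
    return types

def unguarded_non_base_types(te_source, base_types=BASE_TYPES):
    """Required types that are neither in base.pp nor guarded: each one makes
    the module unloadable whenever its defining module is absent."""
    return sorted(global_required_types(te_source) - base_types)
```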

Comment 11 Christina Plummer 2015-11-03 20:34:14 UTC
So semodule segfaulting is the desired behavior?

And yum neither loading the new policy nor reporting a failure to do so is also the desired behavior?

I agree that the pbis policy should be rewritten and am working with the vendor on that.  But I am surprised that you are not interested in fixing the issues I mentioned.

Comment 12 Miroslav Grepl 2015-12-11 09:42:54 UTC
I don't see segfaulting semodule. It reports the failure which is expected.

Comment 13 Christina Plummer 2016-01-25 15:09:26 UTC
The crash_dump should have been in the Comment 4 attachment (collected files from abrt).