Bug 1299054

Summary: SELinux prevents rhsmcertd-worker from accessing a lock
Product: Red Hat Enterprise Linux 7
Reporter: Stef Walter <stefw>
Component: rhel-server-atomic
Assignee: Colin Walters <walters>
Status: CLOSED CURRENTRELEASE
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, stefw, walters
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-19 21:31:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Stef Walter 2016-01-15 20:06:03 UTC
Description of problem:

type=1400 audit(1452883155.324:7): avc: denied { write } for pid=2704 comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=8979114 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

This happens intermittently on RHEL Atomic Host during the Cockpit integration tests. 

This seems to happen shortly after mounting a container:

Jan 15 18:39:14 localhost.localdomain.localdomain docker[1910]: time="2016-01-15T18:39:14.951350343Z" level=info msg="POST /v1.20/containers/create"
Jan 15 18:39:15 localhost.localdomain.localdomain systemd[1]: Device dev-disk-by\x2duuid-4d2bce40\x2d1a3e\x2d4192\x2d8ae5\x2d8d297b2cbbae.device appeared twice with different sysfs paths /sys/devices/virtual/block/dm-4 and /sys/devices/virtual/block/dm-5
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Mounting V4 Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Ending clean mount
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: SELinux: initialized (dev dm-5, type xfs), uses xattr
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Unmounting Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain systemd[1]: Device dev-disk-by\x2duuid-4d2bce40\x2d1a3e\x2d4192\x2d8ae5\x2d8d297b2cbbae.device appeared twice with different sysfs paths /sys/devices/virtual/block/dm-4 and /sys/devices/virtual/block/dm-5
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Mounting V4 Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Ending clean mount
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: SELinux: initialized (dev dm-5, type xfs), uses xattr
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Unmounting Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain docker[1910]: time="2016-01-15T18:39:15.301390405Z" level=info msg="POST /v1.20/containers/a79b8a26fa7f4533af6ac7b6456d032dcf02474b6003e1a2d052f716b8e43389/start"
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: type=1400 audit(1452883155.324:7): avc:  denied  { write } for  pid=2704 comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=8979114 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
Jan 15 18:39:15 localhost.localdomain.localdomain systemd[1]: Device dev-disk-by\x2duuid-4d2bce40\x2d1a3e\x2d4192\x2d8ae5\x2d8d297b2cbbae.device appeared twice with different sysfs paths /sys/devices/virtual/block/dm-4 and /sys/devices/virtual/block/dm-5
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Mounting V4 Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Ending clean mount
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: SELinux: initialized (dev dm-5, type xfs), uses xattr


Versions:

selinux-policy-targeted-3.13.1-60.el7.noarch
subscription-manager-1.15.9-15.el7.x86_64

# atomic host status
  TIMESTAMP (UTC)         VERSION   ID             OSNAME               REFSPEC                                                        
* 2015-12-03 19:40:36     7.2.1     aaf67b91fa     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard     
  2015-11-10 16:11:46     7.2       ec85fba1bf     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard

Comment 1 Stef Walter 2016-01-15 20:08:48 UTC
This bug was discovered by the Cockpit integration tests.

https://fedorapeople.org/groups/cockpit/logs/pull-3456-3041953a-rhel-atomic/

Cockpit will be ignoring this message in the integration tests from here on out:

https://github.com/cockpit-project/cockpit/pull/3492

Comment 3 Miroslav Grepl 2016-01-18 08:24:16 UTC
It looks like

/var/lib/rpm

is mislabeled on Atomic Hosts. What does

$ ls -dZ /var/lib/rpm

show?

Comment 4 Stef Walter 2016-01-18 08:30:59 UTC
# ls -dZ /var/lib/rpm
lrwxrwxrwx. root root system_u:object_r:rpm_var_lib_t:s0 /var/lib/rpm -> ../../usr/share/rpm

# ls -dZ /usr/share/rpm
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/share/rpm

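The diagnosis in comments 3 and 4, as an added check that is not part of the bug report or of any Red Hat tool: it parses the AVC record and the `ls -dZ` output quoted above (embedded here as constructed sample input copied from the thread), follows the `/var/lib/rpm` symlink to its real directory, and reports that the denied target type `usr_t` comes from `/usr/share/rpm`, not from the `rpm_var_lib_t` label on the link itself. Function names and the expected type `rpm_var_lib_t` are the author's choices based on this thread.

```python
import os
import re

# Constructed sample input: the AVC line and `ls -dZ` output copied from this bug.
AVC_LINE = ('type=1400 audit(1452883155.324:7): avc: denied { write } for pid=2704 '
            'comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=8979114 '
            'scontext=system_u:system_r:rhsmcertd_t:s0 '
            'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file')
LS_Z_OUTPUT = """\
lrwxrwxrwx. root root system_u:object_r:rpm_var_lib_t:s0 /var/lib/rpm -> ../../usr/share/rpm
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/share/rpm
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the permissions and key=value fields of an AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def selinux_type(context):
    """user:role:type:level -> type."""
    return context.split(':')[2]

def parse_ls_z(text):
    """Map path -> (context, symlink target or None) from `ls -dZ` lines."""
    entries = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5:
            continue
        target = p[6] if p[0].startswith('l') and len(p) >= 7 and p[5] == '->' else None
        entries[p[4]] = (p[3], target)
    return entries

def effective_context(entries, path):
    """Follow symlinks (relative to the link's directory) to the final path and label."""
    seen = set()
    while True:
        ctx, target = entries[path]
        if target is None or path in seen:
            return path, ctx
        seen.add(path)
        path = os.path.normpath(os.path.join(os.path.dirname(path), target))

def diagnose(avc_line, ls_output, db_path='/var/lib/rpm', expected_type='rpm_var_lib_t'):
    """Correlate the denial's target type with the label of the real rpm DB directory."""
    avc = parse_avc(avc_line)
    real_path, ctx = effective_context(parse_ls_z(ls_output), db_path)
    real_type = selinux_type(ctx)
    return {'source_type': selinux_type(avc['scontext']), 'denied_type': selinux_type(avc['tcontext']),
            'real_path': real_path, 'real_type': real_type,
            'matches_denial': real_type == selinux_type(avc['tcontext']),
            'mislabeled': real_type != expected_type}
```
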
Comment 6 Daniel Walsh 2016-08-19 21:31:48 UTC
Hopefully this is fixed.

Comment 7 Stef Walter 2016-08-22 13:57:12 UTC
The file contexts are still identical to those above:

-bash-4.2# ls -dZ /var/lib/rpm
lrwxrwxrwx. root root system_u:object_r:rpm_var_lib_t:s0 /var/lib/rpm -> ../../usr/share/rpm
-bash-4.2# ls -dZ /usr/share/rpm
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/share/rpm
-bash-4.2# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.6 (2016-07-29 19:54:25)
        Commit: b672bf8a457cb28e003dee20c53749636ef5fce3e4743afe4aaad269d3aaa62a
        OSName: rhel-atomic-host

Removing the workaround in Cockpit so we can get proof either way:

https://github.com/cockpit-project/cockpit/pull/4918