Bug 1323732
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Selinux prevents snapper timer services | | |
| Product: | [Fedora] Fedora | Reporter: | Ondrej Kozina <okozina> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 24 | CC: | dwalsh, lvrabec, okozina |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-185.fc24 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-07 11:43:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ondrej Kozina
2016-04-04 14:27:31 UTC
Comment 1 (Ondrej Kozina)

Also snapperd seems to be restricted from performing a few ioctl calls, but I will need help on how to debug it properly. The only lines I see in audit.log with regard to blocked ioctls are:

    type=AVC msg=audit(1459782391.281:764): avc: denied { sys_admin } for pid=3573 comm="snapperd" capability=21 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0

and the ioctl syscall returns 'Operation not permitted'.

snapperd also seems to be unable to lower the priority of background threads:

    type=AVC msg=audit(1459782360.278:758): avc: denied { setsched } for pid=3560 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0

Let me know if you want me to create a separate bug for it...

Comment 2 (Lukas Vrabec)

Hello Ondrej,

I fixed your first issue with this change:

    # chcon -t snapperd_exec_t /usr/lib/snapper/systemd-helper

Could you also test it, so we can add the snapperd_exec_t file context for /usr/lib/snapper/systemd-helper? Do you have some reproducer for the AVCs in comment 1?

Thank you.

Comment 3 (Ondrej Kozina)

(In reply to Lukas Vrabec from comment #2)
> Hello Ondrej,
>
> I fixed your first issue with this change:
> # chcon -t snapperd_exec_t /usr/lib/snapper/systemd-helper

Yup, that fixed it for me. Thanks!

With regard to the others:

1) ioctls issued by snapperd while performing actions on the btrfs backend (optional: if you want to see snapperd debug messages, edit /usr/share/dbus-1/system-services/org.opensuse.Snapper.service and add the "-d" option to the Exec= value):

   1) create and mount btrfs on /mnt/btrfs
   2) create a snapper config: snapper -c btrfs create-config /mnt/btrfs
   3) now perform restorecon -R /mnt/btrfs (selinux support is not yet merged in snapper)
   4) invoke the background comparison in the snapper daemon by: snapper -c btrfs create -t pre-post --command "touch /mnt/btrfs/some_file"

   It'll generate a denied ioctl on the /mnt/btrfs directory (subvolume).
2) Also it'll cause a denied setpriority() for a snapperd thread with param prio = 20 (which is a general issue for any snapper backend, not only btrfs). (Obviously the 2nd denial is not such a big deal.)

"ausearch -m avc,user_avc -ts recent" output for the reproducer above:

    type=AVC msg=audit(1460409569.810:14537): avc: denied { rlimitinh } for pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
    ----
    time->Mon Apr 11 23:19:29 2016
    type=AVC msg=audit(1460409569.813:14538): avc: denied { siginh } for pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
    ----
    time->Mon Apr 11 23:19:29 2016
    type=AVC msg=audit(1460409569.813:14539): avc: denied { noatsecure } for pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
    ----
    time->Mon Apr 11 23:19:29 2016
    type=AVC msg=audit(1460409569.952:14540): avc: denied { read write } for pid=1 comm="systemd" path="socket:[208448]" dev="sockfs" ino=208448 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
    ----
    time->Mon Apr 11 23:19:29 2016
    type=AVC msg=audit(1460409569.952:14541): avc: denied { read write } for pid=1 comm="systemd" path="socket:[208450]" dev="sockfs" ino=208450 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
    ----
    time->Mon Apr 11 23:19:30 2016
    type=AVC msg=audit(1460409570.150:14542): avc: denied { setsched } for pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
    ----
    time->Mon Apr 11 23:19:30 2016
    type=AVC msg=audit(1460409570.150:14543): avc: denied { setsched } for pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
    ----
    time->Mon Apr 11 23:19:30 2016
    type=AVC msg=audit(1460409570.150:14544): avc: denied { sys_admin } for pid=7140 comm="snapperd" capability=21 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0

Comment 4 (Lukas Vrabec)

OK, I pushed fixes with the labeling of /usr/lib/snapper/systemd-helper.

    commit cdd71e4d94be7e60bbeedfb65e8e6150f866ce38
    Author: Lukas Vrabec <lvrabec>
    Date:   Fri Apr 22 14:26:00 2016 +0200

        Label /usr/lib/snapper/systemd-helper as snapperd_exec_t.
        rhbz#1323732

Could you reproduce your issue with the following test policy?

    $ cat snapperd_test.te
    policy_module(snapperd_test, 1.0)

    require {
            type snapperd_t;
            class process setsched;
            class capability sys_admin;
    }

    #============= snapperd_t ==============
    allow snapperd_t self:capability sys_admin;
    allow snapperd_t self:process setsched;

    $ make -f /usr/share/selinux/devel/Makefile snapperd_test.pp
    # semodule -i snapperd_test.pp

Thank you.

Comment 5 (Ondrej Kozina)

Yup, works for me. Both errors are gone, thanks!

Comment 6

selinux-policy-3.13.1-184.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e163032315

Comment 7

selinux-policy-3.13.1-184.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
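The ausearch output and the snapperd_test.te module above are two ends of one translation: denial records in, allow rules out. As an added example (not code from this bug or from the selinux-policy project), the Python below does that translation audit2allow-style for a single subject type, so the unrelated init_t/kernel_t socket denials in the same capture are left out, and it marks the capability:sys_admin grant, which is the rule a policy reviewer should weigh before a module like this ships. The sample records and the module name come from the thread; the subject filter and the REVIEW marker are this example's own assumptions.

```python
import re
from collections import defaultdict

# Fields of an AVC denial record as printed by audit.log / ausearch -m avc.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample: records copied from the ausearch output in this bug (one
# ausearch separator included) plus an unrelated init_t record that must be skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1460409569.810:14537): avc: denied { rlimitinh } for pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
type=AVC msg=audit(1460409569.813:14538): avc: denied { siginh } for pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1460409569.952:14540): avc: denied { read write } for pid=1 comm="systemd" path="socket:[208448]" dev="sockfs" ino=208448 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1460409570.150:14542): avc: denied { setsched } for pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1460409570.150:14544): avc: denied { sys_admin } for pid=7140 comm="snapperd" capability=21 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

def parse_avcs(text, subject):
    """Yield (source_type, target_type, tclass, perms) for denials involving subject."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # separators, time-> lines, non-AVC records
        # a context is user:role:type[:range]; policy rules name the type
        src, tgt = m["scon"].split(":")[2], m["tcon"].split(":")[2]
        if subject in (src, tgt):
            yield src, tgt, m["tclass"], set(m["perms"].split())

def avcs_to_policy(text, subject, module="snapperd_test"):
    """Aggregate denials into a .te module, one allow rule per (src, tgt, class)."""
    rules, classes = defaultdict(set), defaultdict(set)
    for src, tgt, tclass, perms in parse_avcs(text, subject):
        rules[(src, tgt, tclass)] |= perms
        classes[tclass] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"policy_module({module}, 1.0)", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        rule = f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        # capability:sys_admin is close to unrestricted root; flag it for review.
        if tclass == "capability" and "sys_admin" in perms:
            rule += "  # REVIEW: broad capability"
        out.append(rule)
    return "\n".join(out)
```

Feed it the full `ausearch -m avc,user_avc -ts recent` capture with `subject="snapperd_t"` and the result is the same two rules Lukas wrote by hand, plus the dbus-side process rule that the hand-written module left out.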