Bug 1333176

Summary: Cannot start rpm-ostree with SELinux in enforcing mode
Product: [Fedora] Fedora
Reporter: Lukas Slebodnik <lslebodn>
Component: rpm-ostree
Assignee: Colin Walters <walters>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 24
CC: mattdm, walters
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-05-04 21:09:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Lukas Slebodnik 2016-05-04 20:53:03 UTC
Description of problem:
I upgraded my Fedora 23 Atomic Host to the latest Fedora 24 Atomic Host
and I'm not able to start the rpm-ostreed service.
I know it's caused by the SELinux policy, but I would like confirmation
from the maintainer whether it's expected and whether selinux-policy should be updated.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Boot fedora 23 atomic image (https://getfedora.org/en/cloud/download/atomic.html)
2. rebase to fedora 24 atomic
-bash-4.3# ostree remote add --no-gpg-verify fedora24-atomic \
        https://dl.fedoraproject.org/pub/fedora/linux/atomic/24/
-bash-4.3# ostree pull fedora24-atomic:fedora-atomic/24/x86_64/docker-host
-bash-4.3# rpm-ostree rebase fedora24-atomic:fedora-atomic/24/x86_64/docker-host

3. systemctl reboot
4. start the rpm-ostreed service (directly using systemctl or indirectly via rpm-ostree)
-bash-4.3# systemctl start rpm-ostreed

Actual results:
Job for rpm-ostreed.service failed because the control process exited with error code. See "systemctl status rpm-ostreed.service" and "journalctl -xe" for details.

+ AVCs
-bash-4.3# ausearch -m avc -i
----
type=PROCTITLE msg=audit(05/04/2016 20:51:37.914:199) : proctitle=(-ostreed) 
type=SYSCALL msg=audit(05/04/2016 20:51:37.914:199) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x555f6f4f4e60 a1=0x555f6f470100 a2=0x555f6f4bbbc0 a3=0x555f6f4f5090 items=0 ppid=1 pid=1721 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(-ostreed) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/04/2016 20:51:37.914:199) : avc:  denied  { execute } for  pid=1721 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0

Expected results:
The service starts successfully and therefore the rpm-ostree command is usable.

Additional info:

Comment 1 Lukas Slebodnik 2016-05-04 20:54:07 UTC
AVCs in permissive mode

-bash-4.3# > /var/log/audit/audit.log 
-bash-4.3# setenforce 0
-bash-4.3# systemctl start rpm-ostreed
-bash-4.3# ausearch -m avc -i
----
type=PROCTITLE msg=audit(05/04/2016 20:53:23.013:206) : proctitle=/usr/libexec/rpm-ostreed 
type=SYSCALL msg=audit(05/04/2016 20:53:23.013:206) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x555f6f4f4e60 a1=0x555f6f4bbaa0 a2=0x555f6f4bd5f0 a3=0x555f6f4dede0 items=0 ppid=1 pid=1738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm-ostreed exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { execute_no_trans } for  pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { read open } for  pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { execute } for  pid=1738 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/04/2016 20:53:23.035:207) : proctitle=/usr/libexec/rpm-ostreed 
type=SYSCALL msg=audit(05/04/2016 20:53:23.035:207) : arch=x86_64 syscall=faccessat success=yes exit=0 a0=0xd a1=0x7f29924f37ca a2=W_OK a3=0x0 items=0 ppid=1 pid=1738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm-ostreed exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/04/2016 20:53:23.035:207) : avc:  denied  { write } for  pid=1738 comm=rpm-ostreed name=objects dev="dm-0" ino=102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=1

Comment 2 Lukas Slebodnik 2016-05-04 21:00:33 UTC
There are also many AVCs in permissive mode after calling rollback.
-bash-4.3# > /var/log/audit/audit.log
-bash-4.3# rpm-ostree rollback

-bash-4.3# ausearch -m avc -i | audit2allow 


#============= init_t ==============

#!!!! WARNING: 'boot_t' is a base type.
allow init_t boot_t:dir { create rmdir };
allow init_t boot_t:file { create rename unlink write };
allow init_t boot_t:lnk_file { create rename unlink };
allow init_t bootloader_exec_t:file { execute execute_no_trans getattr ioctl open read };

#!!!! WARNING: 'system_conf_t' is a base type.
allow init_t system_conf_t:dir { add_name create remove_name rmdir write };
allow init_t system_conf_t:file { create rename unlink write };

#!!!! WARNING: 'usr_t' is a base type.
allow init_t usr_t:dir { create rmdir };

#!!!! WARNING: 'usr_t' is a base type.
allow init_t usr_t:file { create unlink write };
allow init_t usr_t:lnk_file { create rename unlink };

Comment 3 Colin Walters 2016-05-04 21:09:05 UTC

*** This bug has been marked as a duplicate of bug 1330318 ***

Comment 4 Lukas Slebodnik 2016-05-04 21:29:18 UTC
I think that the main problem is that the rpm-ostreed service is running with the init_t type.

-bash-4.3# rpm -q selinux-policy rpm-ostree
selinux-policy-3.13.1-182.fc24.noarch
rpm-ostree-2015.11-2.fc24.x86_64
-bash-4.3# ps auxZ | grep tre[e]
system_u:system_r:init_t:s0     root      1738  0.2  2.0 478452 41264 ?        Ssl  20:53   0:01 /usr/libexec/rpm-ostreed


But it works with the same SELinux type on Fedora 23 Atomic
in enforcing mode:
-bash-4.3# rpm -q selinux-policy rpm-ostree
selinux-policy-3.13.1-158.14.fc23.noarch
rpm-ostree-2015.11-1.fc23.x86_64
-bash-4.3# ps auxZ | grep tre[e]
system_u:system_r:init_t:s0     root      1180  0.0  0.6 396904 13216 ?        Ssl  21:08   0:00 /usr/libexec/rpm-ostreed
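
Added triage example (not part of this bug report and not rpm-ostree, Fedora or selinux-policy code): a small Python script that parses `ausearch -m avc -i` output of the form quoted in the description and Comment 1, groups denials by source type, target type and object class, and flags the pattern behind Comment 4's observation: a process still in `init_t` being denied `execute` / `execute_no_trans` on a file labelled `install_exec_t`, which is what the AVCs show when the daemon is started without a domain transition out of systemd's domain. The sample records below are constructed copies of the AVC lines on this page; the `missing_transition` heuristic (any `*_exec_t` target) is an assumption of this example, not a statement of how the duplicate bug was resolved.

```python
import re
from collections import defaultdict

# Constructed sample: copies of the AVC records quoted in this bug
# (one from the enforcing run, three from the permissive run).
SAMPLE_AUDIT = """\
type=AVC msg=audit(05/04/2016 20:51:37.914:199) : avc:  denied  { execute } for  pid=1721 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { execute_no_trans } for  pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { read open } for  pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/04/2016 20:53:23.035:207) : avc:  denied  { write } for  pid=1738 comm=rpm-ostreed name=objects dev="dm-0" ino=102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=1
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be quoted ("dm-0"), parenthesised ((-ostreed)) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=0 means the denial was actually enforced.
        "permissive": fields.get("permissive") == "1",
        # ausearch prints either path= or name= depending on what the kernel had.
        "target": fields.get("path") or fields.get("name"),
    }


def type_of(context):
    """Type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class); union permissions."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False, "targets": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["enforced"] |= not rec["permissive"]
        if rec["target"]:
            g["targets"].add(rec["target"])
    return dict(groups)


def missing_transition(summary):
    """Heuristic (assumption of this example): a domain denied execute or
    execute_no_trans on a file labelled *_exec_t is running a program that
    the policy labels as an entry point, yet no transition happened.
    Returns sorted (source type, exec type) pairs."""
    hits = []
    for (src, tgt, cls), g in summary.items():
        if cls == "file" and tgt.endswith("_exec_t") and g["perms"] & {"execute", "execute_no_trans"}:
            hits.append((src, tgt))
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT)
    for (src, tgt, cls), g in sorted(summary.items()):
        mode = "ENFORCED" if g["enforced"] else "permissive"
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} [{mode}] targets={sorted(g['targets'])}")
    for src, tgt in missing_transition(summary):
        print(f"no domain transition: {src} executing {tgt} directly")
```

Feed it real output with `ausearch -m avc -i | python3 avc_triage.py` style piping by reading `sys.stdin` instead of `SAMPLE_AUDIT`; the grouping mirrors what audit2allow would turn into `allow` rules, but keeping the source and target types visible makes it obvious when the right fix is a transition rule (or a relabel) rather than widening the existing domain, which is the question this bug raises.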