Bug 1333176
| Summary: | Cannot start rpm-ostree with SELinux in enforcing mode | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
| Component: | rpm-ostree | Assignee: | Colin Walters <walters> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | mattdm, walters |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-04 21:09:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Lukas Slebodnik
2016-05-04 20:53:03 UTC
AVC in permissive mode
-bash-4.3# > /var/log/audit/audit.log
-bash-4.3# setenforce 0
-bash-4.3# systemctl start rpm-ostreed
-bash-4.3# ausearch -m avc -i
----
type=PROCTITLE msg=audit(05/04/2016 20:53:23.013:206) : proctitle=/usr/libexec/rpm-ostreed
type=SYSCALL msg=audit(05/04/2016 20:53:23.013:206) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x555f6f4f4e60 a1=0x555f6f4bbaa0 a2=0x555f6f4bd5f0 a3=0x555f6f4dede0 items=0 ppid=1 pid=1738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm-ostreed exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc: denied { execute_no_trans } for pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc: denied { read open } for pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc: denied { execute } for pid=1738 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(05/04/2016 20:53:23.035:207) : proctitle=/usr/libexec/rpm-ostreed
type=SYSCALL msg=audit(05/04/2016 20:53:23.035:207) : arch=x86_64 syscall=faccessat success=yes exit=0 a0=0xd a1=0x7f29924f37ca a2=W_OK a3=0x0 items=0 ppid=1 pid=1738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm-ostreed exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(05/04/2016 20:53:23.035:207) : avc: denied { write } for pid=1738 comm=rpm-ostreed name=objects dev="dm-0" ino=102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=1
There are also many AVCs in permissive mode after calling rolllback
-bash-4.3# > /var/log/audit/audit.log
-bash-4.3# rpm-ostree rollback
-bash-4.3# ausearch -m avc -i | audit2allow
#============= init_t ==============
#!!!! WARNING: 'boot_t' is a base type.
allow init_t boot_t:dir { create rmdir };
allow init_t boot_t:file { create rename unlink write };
allow init_t boot_t:lnk_file { create rename unlink };
allow init_t bootloader_exec_t:file { execute execute_no_trans getattr ioctl open read };
#!!!! WARNING: 'system_conf_t' is a base type.
allow init_t system_conf_t:dir { add_name create remove_name rmdir write };
allow init_t system_conf_t:file { create rename unlink write };
#!!!! WARNING: 'usr_t' is a base type.
allow init_t usr_t:dir { create rmdir };
#!!!! WARNING: 'usr_t' is a base type.
allow init_t usr_t:file { create unlink write };
allow init_t usr_t:lnk_file { create rename unlink };
*** This bug has been marked as a duplicate of bug 1330318 *** I think that the main problem is that service rpm-ostreed is running with init_t type -bash-4.3# rpm -q selinux-policy rpm-ostree selinux-policy-3.13.1-182.fc24.noarch rpm-ostree-2015.11-2.fc24.x86_64 -bash-4.3# ps auxZ | grep tre[e] system_u:system_r:init_t:s0 root 1738 0.2 2.0 478452 41264 ? Ssl 20:53 0:01 /usr/libexec/rpm-ostreed But it works with the same selinux type on fedora 23 atomic and enforcing mode -bash-4.3# rpm -q selinux-policy rpm-ostree selinux-policy-3.13.1-158.14.fc23.noarch rpm-ostree-2015.11-1.fc23.x86_64 -bash-4.3# ps auxZ | grep tre[e] system_u:system_r:init_t:s0 root 1180 0.0 0.6 396904 13216 ? Ssl 21:08 0:00 /usr/libexec/rpm-ostreed |