Bug 1343648

Summary: SELinux label for /etc/udev/hwdb.bin is etc_t instead of systemd_hwdb_etc_t after "#systemd-hwdb update"
Product: Red Hat Enterprise Linux 7
Reporter: Lukas Vrabec <lvrabec>
Component: systemd
Assignee: systemd-maint
Status: CLOSED ERRATA
QA Contact: Branislav Blaškovič <bblaskov>
Severity: high
Docs Contact:
Priority: urgent
Version: 7.3
CC: bblaskov, dcallagh, jburke, jgalipea, jpazdziora, jstancek, jsynacek, lvrabec, mbanas, msekleta, pbunyan, rskvaril, systemd-maint-list, systemd-maint
Target Milestone: rc
Keywords: TestBlocker
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: systemd-219-23.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1350756 (view as bug list)
Environment:
Last Closed: 2016-11-04 00:54:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1257940, 1350756

Description Lukas Vrabec 2016-06-07 15:06:50 UTC
Description of problem:
systemd-hwdb update does the following:
It deletes the /etc/udev/hwdb.bin file, then the file "/etc/udev/.#hwdb.binXXXXXX" is created and afterwards renamed to /etc/udev/hwdb.bin.
This is a problem from the SELinux policy point of view. I cannot create a filename transition rule for the file ".#hwdb.binXXXXXX" due to its non-constant name.

Version-Release number of selected component (if applicable):
systemd-219-20.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. # rm /etc/udev/hwdb.bin
2. # systemd-hwdb update
3. # ls -Z /etc/hwdb.bin

Actual results:
ls -Z hwdb.bin 
unconfined_u:object_r:etc_t:s0 hwdb.bin

Expected results:
ls -Z hwdb.bin 
unconfined_u:object_r:systemd_hwdb_etc_t:s0 hwdb.bin

This issue is blocking: https://bugzilla.redhat.com/show_bug.cgi?id=1257940

Additional info:
https://github.com/systemd/systemd/issues/3458
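A small check for the mislabelling described above, added here as an example and not part of the bug report or of systemd: it parses `ls -Z` / `ls -lZ` output, as shown in the Beaker logs in this report, and flags files whose SELinux type differs from the one the policy expects. The expected-type table is an assumption for this example; the only entry the report establishes is hwdb.bin -> systemd_hwdb_etc_t.

```python
import re
from typing import NamedTuple, Optional

# One line of `ls -lZ` (or `ls -Z`, without the mode/owner columns), e.g.
#   -r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
LS_Z_RE = re.compile(
    r"^(?:\S+\s+\S+\s+\S+\s+)?"                      # optional mode, user, group
    r"(?P<seuser>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>\S+)"
    r"\s+(?P<path>\S.*)$"
)

# Expected SELinux type per path (assumption for this example; the report only
# establishes the hwdb.bin entry).
EXPECTED_TYPES = {"/etc/udev/hwdb.bin": "systemd_hwdb_etc_t"}


class Labelled(NamedTuple):
    path: str
    setype: str


def parse_ls_z(line: str) -> Optional[Labelled]:
    """Return (path, SELinux type) for one `ls -Z` line, or None if it is not one."""
    m = LS_Z_RE.match(line.strip())
    if not m:
        return None
    return Labelled(m.group("path").strip(), m.group("type"))


def find_mislabelled(lines, expected=EXPECTED_TYPES):
    """Return [(path, actual_type, expected_type)] for every listed file whose
    type differs from the policy's expected type; unlisted paths are ignored."""
    bad = []
    for line in lines:
        entry = parse_ls_z(line)
        if entry is None or entry.path not in expected:
            continue
        if entry.setype != expected[entry.path]:
            bad.append((entry.path, entry.setype, expected[entry.path]))
    return bad


# Sample lines copied from the NEW and OLD Beaker runs quoted later in this report.
FIXED_RUN = ["-r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin"]
BROKEN_RUN = ["-r--r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/udev/hwdb.bin"]

if __name__ == "__main__":
    import subprocess  # on a real host, check the live listing instead of the samples
    out = subprocess.run(["ls", "-lZ", "/etc/udev/hwdb.bin"], capture_output=True, text=True).stdout
    for path, actual, wanted in find_mislabelled(out.splitlines()):
        print(f"{path}: labelled {actual}, policy expects {wanted}; fix with: restorecon -v {path}")
```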

Comment 3 Branislav Blaškovič 2016-06-16 08:21:29 UTC
qa acking

Comment 5 Jan Synacek 2016-06-22 11:27:59 UTC
https://github.com/lnykryn/systemd-rhel/pull/29

Comment 6 Lukáš Nykrýn 2016-06-22 11:47:01 UTC
merged to staging-> https://github.com/lnykryn/systemd-rhel/commit/ca82178b166ae5fb8efe4b09aadae802534cf6e3 -> post

Comment 8 Dan Callaghan 2016-06-27 23:36:32 UTC
*** Bug 1350074 has been marked as a duplicate of this bug. ***

Comment 11 Michal Sekletar 2016-07-07 15:20:12 UTC
Seems like this also requires changes on the SELinux policy side. What do you think, Lukas?

Comment 12 Lukas Vrabec 2016-07-07 15:24:16 UTC
Michal, 
Agree, fixes for this issue are included in selinux-policy-3.13.1-85.el7 build.

Comment 13 Michal Sekletar 2016-07-07 16:43:39 UTC
Jan,

Can you please retest with updated version of selinux-policy? From beaker logs it looks like you have been testing with selinux-policy-3.13.1-84.el7.

Comment 14 Jan Pazdziora 2016-07-08 08:25:56 UTC
(In reply to Michal Sekletar from comment #13)
> Jan,
> 
> Can you please retest with updated version of selinux-policy? From beaker
> logs it looks like you have been testing with selinux-policy-3.13.1-84.el7.

With

selinux-policy-3.13.1-85.el7.noarch
systemd-219-22.el7.x86_64

the problem still seems to be present.

Comment 19 Branislav Blaškovič 2016-07-11 12:25:12 UTC
NEW:
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   systemd-219-22.el7.x86_64
...
:: [  BEGIN   ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
:: [   PASS   ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.Mvj3aX3VGv' should contain ':systemd_hwdb_etc_t:' 
:: [  BEGIN   ] :: Running 'rm /etc/udev/hwdb.bin'
:: [   PASS   ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'systemd-hwdb update'
:: [   PASS   ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
:: [   PASS   ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.lKZE8e0efC' should contain ':systemd_hwdb_etc_t:' 

OLD:
:: [ 08:20:39 ] :: Package versions:
:: [ 08:20:39 ] ::   systemd-219-19.el7.x86_64
...
:: [  BEGIN   ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/udev/hwdb.bin
:: [   PASS   ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [   FAIL   ] :: File '/var/tmp/tmp.7jsKFLjl8A' should contain ':systemd_hwdb_etc_t:' 
:: [  BEGIN   ] :: Running 'rm /etc/udev/hwdb.bin'
:: [   PASS   ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'systemd-hwdb update'
:: [   PASS   ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/udev/hwdb.bin
:: [   PASS   ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [   FAIL   ] :: File '/var/tmp/tmp.TG1qdGfA8H' should contain ':systemd_hwdb_etc_t:' 

Setting as verified.

Comment 20 Jan Pazdziora 2016-07-11 12:31:40 UTC
I'm concerned about the state of this bugzilla. It is marked VERIFIED with systemd-219-22.el7.x86_64 but the AVC denial is still there with systemd-219-22.el7.x86_64.

Do we need the steps to reproduce amended?

Do we need a separate bugzilla for the AVC denials?

Comment 21 Michal Sekletar 2016-07-11 12:48:58 UTC
The remaining AVC denial should be fixed by changes in the SELinux policy, already included in selinux-policy-3.13.1-86.el7, and by a patch in systemd (already merged upstream; the backport will be included in the next RHEL-7.3-candidate build). Moving back to ASSIGNED.

Comment 22 Lukáš Nykrýn 2016-07-11 12:53:56 UTC
And the patch for that was merged to staging -> https://github.com/lnykryn/systemd-rhel/commit/0860805a09ce6c2c2136306bdf64d58621368291 -> post

Comment 30 Branislav Blaškovič 2016-08-08 12:28:00 UTC
Works, so we depend on the newest selinux-policy.

:: [   PASS   ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.K39ZH4D8CD' should contain ':systemd_hwdb_etc_t:' 
:: [   PASS   ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [   PASS   ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/tmp.4HWjfCta1p' should contain ':systemd_hwdb_etc_t:' 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: Test

Thank you.

Comment 31 Branislav Blaškovič 2016-08-08 12:29:35 UTC
Can you run your tests as well Jan? Thank you

Comment 32 Jan Pazdziora 2016-08-08 12:52:02 UTC
(In reply to Branislav Blaškovič from comment #31)
> Can you run your tests as well Jan? Thank you

I haven't seen that AVC denial for some time on 7.3 nightly builds. Thanks.

Comment 33 Branislav Blaškovič 2016-08-08 13:35:06 UTC
That's great, thank you very much for the quick response.

Comment 34 PaulB 2016-08-22 15:32:57 UTC
All,
Re: aarch64
https://bugzilla.redhat.com/show_bug.cgi?id=1257940#c22
---<-snip->---
Testing with distro RHEL-7.3-20160817.1 Server aarch64 this issue is no longer seen.

distro: RHEL-7.3-20160817.1 Server aarch64 
        (kernel-4.5.0-4.el7)
        (systemd-219-26.el7)

See here:
[] https://beaker.engineering.redhat.com/recipes/2986103#task44715839 - PASS
[] https://beaker.engineering.redhat.com/recipes/2986104#task44715865 - PASS
[] https://beaker.engineering.redhat.com/recipes/2986105#task44715891 - PASS
---<-snip->---

Best,
-pbunyan

Comment 36 errata-xmlrpc 2016-11-04 00:54:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2216.html