Bug 1343648
| Summary: | SELinux label for /etc/udev/hwdb.bin is etc_t instead of systemd_hwdb_etc_t after "#systemd-hwdb update" | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Lukas Vrabec <lvrabec> |
| Component: | systemd | Assignee: | systemd-maint |
| Status: | CLOSED ERRATA | QA Contact: | Branislav Blaškovič <bblaskov> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | bblaskov, dcallagh, jburke, jgalipea, jpazdziora, jstancek, jsynacek, lvrabec, mbanas, msekleta, pbunyan, rskvaril, systemd-maint-list, systemd-maint |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | systemd-219-23.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1350756 | Environment: | |
| Last Closed: | 2016-11-04 00:54:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1257940, 1350756 | | |

Description
Lukas Vrabec
2016-06-07 15:06:50 UTC

Backport https://github.com/systemd/systemd/pull/3460/commits/6a0f43bc0cbbcc888128ffa0095515277aa5b26e

qa acking

merged to staging -> https://github.com/lnykryn/systemd-rhel/commit/ca82178b166ae5fb8efe4b09aadae802534cf6e3 -> post

*** Bug 1350074 has been marked as a duplicate of this bug. ***

Seems like this also requires changes on SELinux policy side. What do you think Lukas?

Michal,

Agree, fixes for this issue are included in selinux-policy-3.13.1-85.el7 build.

Jan,

Can you please retest with updated version of selinux-policy? From beaker logs it looks like you have been testing with selinux-policy-3.13.1-84.el7.

(In reply to Michal Sekletar from comment #13)
> Jan,
>
> Can you please retest with updated version of selinux-policy? From beaker
> logs it looks like you have been testing with selinux-policy-3.13.1-84.el7.

With
selinux-policy-3.13.1-85.el7.noarch
systemd-219-22.el7.x86_64
the problem still seems to be present.

NEW:
:: [ LOG ] :: Package versions:
:: [ LOG ] :: systemd-219-22.el7.x86_64
...
:: [ BEGIN ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.Mvj3aX3VGv' should contain ':systemd_hwdb_etc_t:'
:: [ BEGIN ] :: Running 'rm /etc/udev/hwdb.bin'
:: [ PASS ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'systemd-hwdb update'
:: [ PASS ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.lKZE8e0efC' should contain ':systemd_hwdb_etc_t:'

OLD:
:: [ 08:20:39 ] :: Package versions:
:: [ 08:20:39 ] :: systemd-219-19.el7.x86_64
...
:: [ BEGIN ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/udev/hwdb.bin
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ FAIL ] :: File '/var/tmp/tmp.7jsKFLjl8A' should contain ':systemd_hwdb_etc_t:'
:: [ BEGIN ] :: Running 'rm /etc/udev/hwdb.bin'
:: [ PASS ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'systemd-hwdb update'
:: [ PASS ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/udev/hwdb.bin
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ FAIL ] :: File '/var/tmp/tmp.TG1qdGfA8H' should contain ':systemd_hwdb_etc_t:'

Setting as verified..

I'm concerned about the state of this bugzilla. It is marked VERIFIED with systemd-219-22.el7.x86_64 but the AVC denial is still there with systemd-219-22.el7.x86_64. Do we need the steps to reproduce amended? Do we need a separate bugzilla for the AVC denials?

Remaining AVC denial should be fixed by changes in SELinux policy, already included in selinux-policy-3.13.1-86.el7 and by patch in systemd (already merged upstream, backport will be included in next RHEL-7.3-candidate build). Moving back to ASSIGNED.

and patch for that was merged to staging -> https://github.com/lnykryn/systemd-rhel/commit/0860805a09ce6c2c2136306bdf64d58621368291 -> post

Works, so we depend on the newest selinux-policy.

:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.K39ZH4D8CD' should contain ':systemd_hwdb_etc_t:'
:: [ PASS ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.4HWjfCta1p' should contain ':systemd_hwdb_etc_t:'
:: [ LOG ] :: Duration: 1s
:: [ LOG ] :: Assertions: 6 good, 0 bad
:: [ PASS ] :: RESULT: Test

Thank you.

Can you run your tests as well Jan? Thank you

(In reply to Branislav Blaškovič from comment #31)
> Can you run your tests as well Jan? Thank you

I haven't seen that AVC denial for some time on 7.3 nightly builds.

Thanks. That's great, thank you very much for quick response.

All,

Re: aarch64
https://bugzilla.redhat.com/show_bug.cgi?id=1257940#c22

---<-snip->---
Testing with distro RHEL-7.3-20160817.1 Server aarch64 this issue is no longer seen.

distro: RHEL-7.3-20160817.1 Server aarch64
(kernel-4.5.0-4.el7)
(systemd-219-26.el7)

See here:
[] https://beaker.engineering.redhat.com/recipes/2986103#task44715839 - PASS
[] https://beaker.engineering.redhat.com/recipes/2986104#task44715865 - PASS
[] https://beaker.engineering.redhat.com/recipes/2986105#task44715891 - PASS
---<-snip->---

Best,
-pbunyan

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2216.html
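
The label check that the test logs in this thread perform, written out as an added example (not part of the bug report or of the Red Hat test suite). The function names and the `--live` switch are assumptions made for this sketch; the two sample lines are the `ls -lZ` outputs quoted in the NEW and OLD runs above.

```shell
#!/bin/sh
# Added example: regression check for the SELinux type of /etc/udev/hwdb.bin.
HWDB=/etc/udev/hwdb.bin
EXPECTED_TYPE=systemd_hwdb_etc_t      # type named in the bug summary

# Print the SELinux type (third field of user:role:type:level) found in one
# line of `ls -lZ` output; exit non-zero if the line carries no context.
selinux_type_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ "^[^:]+:[^:]+:[^:]+:[^:]+") {
                split($i, f, ":"); print f[3]; found = 1; exit
            }
    } END { exit !found }'
}

# 0 = expected type, 1 = wrong type, 2 = no context found in the line.
check_label_line() {
    _type=$(selinux_type_from_ls "$1") || return 2
    [ "$_type" = "$EXPECTED_TYPE" ]
}

# Live procedure from the test log: check, remove, regenerate, check again.
# Needs root on an SELinux-enabled host; only runs when invoked with --live.
live_regression() {
    check_label_line "$(ls -lZ "$HWDB")" || return 1
    rm "$HWDB" && systemd-hwdb update || return 1
    check_label_line "$(ls -lZ "$HWDB")"
}

# Sample input: the ls -lZ lines from the NEW and OLD runs in the thread.
NEW_LINE='-r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin'
OLD_LINE='-r--r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/udev/hwdb.bin'

if [ "${1:-}" = "--live" ]; then
    if live_regression; then echo "PASS: $HWDB is $EXPECTED_TYPE"
    else echo "FAIL: $HWDB is not $EXPECTED_TYPE"; exit 1; fi
else
    for line in "$NEW_LINE" "$OLD_LINE"; do
        if check_label_line "$line"; then echo "PASS: $line"
        else echo "FAIL: $line"; fi
    done
fi
```

Without arguments the script only classifies the two sample lines; `--live` deletes and regenerates the real hwdb.bin, so it belongs on a test machine.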