Bug 1381331
| Summary: | New cockpit binary needs policy changes | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Peter <pvolpe> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 26 | CC: | dac.override, dominick.grift, dwalsh, igeorgex, lantw44, lvrabec, mgrepl, mikhail.v.gavrilov, mpitt, plautrba, pmoore, riehecky, sbonazzo, stefw | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1381914 (view as bug list) | Environment: | ||
| Last Closed: | 2018-03-16 09:26:41 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1381914 | |||
|
Description
Peter
2016-10-03 17:52:05 UTC
# rpm -q --scripts cockpit-ws-120-1.fc25.x86_64 <snip> # HACK: Until policy changes make it downstream # https://bugzilla.redhat.com/show_bug.cgi?id=1381331 test -f /usr/bin/chcon && chcon -t cockpit_ws_exec_t /usr/libexec/cockpit-ssh <snip> Please do not do this. It does not help. cockpit-ws is, most likely, not allowed to execute cockpit_ws_exec_t type files (just like it is probably not allowed to execute /usr/libexec/cockpit-ssh if you do nothing). So it would probably fail anyway. Besides, here on my system the package failed to install due to this hack because type cockpit_ws_exec_t does not exist here. time->Sun Oct 23 10:53:19 2016
type=AVC msg=audit(1477212799.825:2344): avc: denied { mac_admin } for pid=16597 comm="chcon" capability=33 scontext=sysadm.id:sysadm.role:setfiles.subj:s0-s0:c0.c1023 tcontext=sysadm.id:sysadm.role:setfiles.subj:s0-s0:c0.c1023 tclass=capability2 permissive=0
----
time->Sun Oct 23 10:53:19 2016
type=SELINUX_ERR msg=audit(1477212799.825:2345): op=setxattr invalid_context="sys.id:sys.role:cockpit_ws_exec_t:s0"
Also is f25 not supposed to be frozen? How did this "feature" make it in? This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'. The cockpit packages still have this workaround, and it works well enough in Fedora 25. But in Fedora 26 it's not sufficient any more. I get this denial:
audit[1348]: AVC avc: denied { execute_no_trans } for pid=1348 comm="cockpit-ws" path="/usr/libexec/cockpit-ssh" dev="dm-0" ino=4888910 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_ws_exec_t:s0 tclass=file permissive=0
# journalctl -b | grep AVC > /tmp/log
# audit2allow -i /tmp/log -e
#============= cockpit_ws_t ==============
#
# scontext="system_u:system_r:cockpit_ws_t:s0" tcontext="system_u:object_r:cockpit_ws_exec_t:s0"
# class="file" perms="execute_no_trans"
# comm="cockpit-ws" exe="" path=""
# message="Apr 11 05:04:07 localhost.localdomain audit[1321]: AVC avc: denied
# { execute_no_trans } for pid=1321 comm="cockpit-ws"
# path="/usr/libexec/cockpit-ssh" dev="dm-0" ino=4888910
# scontext=system_u:system_r:cockpit_ws_t:s0
# tcontext=system_u:object_r:cockpit_ws_exec_t:s0 tclass=file permissive=0 "
allow cockpit_ws_t cockpit_ws_exec_t:file execute_no_trans;
At this point I'm afraid I don't know any more what that means. The labels on /usr/libexec/cockpit-ssh are the same in F25 and F26: `system_u:object_r:cockpit_ws_exec_t:s0`
The label got changed recently in Fedora 26]: http://pkgs.fedoraproject.org/cgit/rpms/selinux-policy.git/commit/?id=96feeb5 but it just seems that applied the cockpit_ws_exec_t label, not the "execute_no_trans" bit?
With `audit2allow -i /tmp/log -M local && semodule -i local.pp` it then works.
What happens here: Upgrading : cockpit-dashboard-150-1.fc26.x86_64 243/558 Running scriptlet: cockpit-dashboard-150-1.fc26.x86_64 243/558 Applying workaround for broken SELinux policy: https://bugzilla.redhat.com/show_bug.cgi?id=1381331 SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.30, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.30: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory). SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.30, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.30: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory). FileNotFoundError: [Errno 2] No such file or directory checkmodule: loading policy configuration from /tmp/tmp.scSHWdP1FV/local.te checkmodule: policy configuration loaded checkmodule: writing binary representation (version 17) to /tmp/tmp.scSHWdP1FV/local.mod It's normal? No but it shouldn't block the install. Also that seems to be pretty generic selinux error. Are you able to run other restorecon or semange commands on this system. Any update? I see bug #1381914 which depends on this one is in VERIFIED state, not sure how it's possible if this one is still in NEW. Indeed this got fixed in Fedora 26 and 27, it only affected Fedora 25. Thanks! |