Bug 1381588
Field | Value
---|---
Summary: | sebooleans get reset on image based systems / RHVH status is Non Responsive in RHVM side after upgrade from RHVH 4.0_7.2 to 4.0_7.3
Product: | Red Hat Enterprise Linux 7
Reporter: | Fabian Deutsch <fdeutsch>
Component: | selinux-policy
Assignee: | Lukas Vrabec <lvrabec>
Status: | CLOSED ERRATA
QA Contact: | Milos Malik <mmalik>
Severity: | urgent
Docs Contact: | Mirek Jahoda <mjahoda>
Priority: | urgent
Version: | 7.3
CC: | bugs, cshao, dguo, dougsland, fdeutsch, huzhao, jiawu, jneedle, leiwang, lmiksik, lvrabec, mgoldboi, mgrepl, miabbott, mjahoda, mkolaja, mmalik, msivak, plautrba, pvrabec, rbarry, sherold, snagar, ssekidde, walters, weiwang, yaniwang, ybronhei, ycui, yruseva, yzhao
Target Milestone: | rc
Keywords: | TestBlocker, ZStream
Target Release: | ---
Hardware: | All
OS: | Linux
Whiteboard: |
Fixed In Version: |
Doc Type: | Bug Fix
Doc Text: | In Red Hat Enterprise Linux 7.3, the SELinux user space uses a different location for some files than previous versions of Red Hat Enterprise Linux 7. Consequently, Red Hat Virtualization Host (RHVH) or Red Hat Atomic Host (RHAH) in some cases ended up in a non-responsive status after an upgrade. A migration script that converts the old module store structure to the new one is now provided.
Story Points: | ---
Clone Of: | 1373389
: | 1383450
Environment: |
Last Closed: | 2017-08-01 15:15:11 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
CRM: |
Verified Versions: |
Category: | ---
oVirt Team: | ---
RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | ---
Target Upstream Version: |
Embargoed: |
Bug Depends On: |
Bug Blocks: | 1372376, 1373389, 1375561, 1383450
Description
Fabian Deutsch
2016-10-04 13:34:55 UTC
Steps to reproduce on any image based system:

1. Use the old image
2. setsebool virt_use_nfs 1
3. Update
4. getsebool -a | grep virt_use_nfs

After 4 virt_use_nfs is back to 0

This also affects the upgrade of Atomic Host from 7.2.7 to 7.3


I believe this comment (and those that follow), linked here in an upstream bug, are related: https://bugzilla.redhat.com/show_bug.cgi?id=1290659#c42


It's 2 different issues. In Fedora, the store is completely removed, while on RHEL-7.3 some files are in a different location than the tools expect them. These files could be migrated during first boot after update. The question is if this service can be part of Atomic Host, similar to the /usr/lib/tmpfiles.d/ files, or if they have to be shipped by the selinux-policy package.


As there are at least two products affected I'd really favor a selinux based solution.


Yoana, this will need a release note for RHELAH 7.3. If a fix is provided before we release, we can drop the release note.


(In reply to Fabian Deutsch from comment #4)
> Steps to reproduce on any image based system:
>
> 1. Use the old image
> 2. setsebool virt_use_nfs 1
> 3. Update
> 4. getsebool -a | grep virt_use_nfs
>
> After 4 virt_use_nfs is back to 0

Is there a reboot between setsebool and getsebool? Then you need to use 'setsebool -P virt_use_nfs 1' to make the change persistent.


Ryan,
Did you add the "-P" parameter with setsebool before the update?


I did:

    [root@localhost ~]# setsebool -P virt_use_nfs 1
    [root@localhost ~]# getsebool -a | grep virt_use_nfs
    virt_use_nfs --> on
    [root@localhost ~]# ls
    anaconda-ks.cfg  redhat-virtualization-host-image-update-4.0-20161010.0.el7_3.noarch.rpm
    [root@localhost ~]# rpm -Uvh redhat-virtualization-host-image-update-4.0-20161010.0.el7_3.noarch.rpm
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:redhat-virtualization-host-image-################################# [ 50%]
    Cleaning up / removing...
       2:redhat-virtualization-host-image-################################# [100%]
    [root@localhost ~]# reboot
    PolicyKit daemon disconnected from the bus.
    We are no longer a registered authentication agent.
    Terminated
    [root@localhost ~]# Connection to 192.168.122.65 closed by remote host.
    Connection to 192.168.122.65 closed.
    [rbarry@el7 redhat-virtualization-host]$ ssh root@192.168.122.65
    root@192.168.122.65's password:
    Last login: Mon Oct 10 08:55:37 2016 from el7.nested

    imgbase status: OK
    [root@localhost ~]# !get^C
    [root@localhost ~]# getsebool -a | grep virt_use
    virt_use_comm --> off
    virt_use_execmem --> off
    virt_use_fusefs --> off
    virt_use_nfs --> off
    virt_use_rawip --> off
    virt_use_samba --> off
    virt_use_sanlock --> off
    virt_use_usb --> on
    virt_use_xserver --> off

Note that RHV-H (similar to Atomic in this sense) is updated in an A/B format. The RPM contains a squashfs, which is delivered onto a new LVM LV. After this, /etc and /root are synced (and UID/GID/permissions drift which may have happened between the two images is corrected).

Because of this, any %post scripts from selinux-policy (as an example) will not be triggered on the actual update. For RHV-H (and Atomic, presumably), the migration of changes must occur AFTER the reboot, not as part of selinux-policy-targeted %post or similar. %post will be run in that case on a brand-new system which doesn't have any policy changes to migrate...


Ryan,
Understood, but we have a patch which fixes this after reboot by using a systemd unit file. The patch is attached in comment#16. Could you please prepare an RHV-H host without the update for testing purposes? I'll try to reproduce it.

Thanks.


Please provide the output of the following commands after the update:

    # systemctl status -l selinux-policy-migrate-local-changes
    # ls -l /etc/selinux/targeted/modules/active/
    # cat /etc/selinux/targeted/modules/active/booleans.local


    [root@localhost ~]# systemctl status -l selinux-policy-migrate-local-changes
    ● selinux-policy-migrate-local-changes - Migrate local SELinux policy changes from the old store structure to the new structure
       Loaded: loaded (/usr/lib/systemd/system/basic.target.wants/../selinux-policy-migrate-local-changes@.service; static; vendor preset: disabled)
       Active: active (exited) since Mon 2016-10-10 10:34:30 MST; 20h ago
      Process: 794 ExecStart=/usr/libexec/selinux/selinux-policy-migrate-local-changes.sh %I (code=exited, status=0/SUCCESS)
     Main PID: 794 (code=exited, status=0/SUCCESS)

    Oct 10 10:34:20 localhost.localdomain systemd[1]: Starting Migrate local SELinux policy changes from the old store structure to the new structure...
    Oct 10 10:34:30 localhost.localdomain systemd[1]: Started Migrate local SELinux policy changes from the old store structure to the new structure.
    [root@localhost ~]# ls -l /etc/selinux/targeted/modules/active/
    total 864
    -rw-r--r--. 1 root root  58507 Oct 10 10:17 base.pp
    -rw-r--r--. 1 root root     85 Oct 10 10:17 booleans.local
    -rw-------. 1 root root     32 Oct 10 10:17 commit_num
    -rw-------. 1 root root 368557 Oct 10 10:17 file_contexts
    -rw-r--r--. 1 root root  13169 Oct 10 10:17 file_contexts.homedirs
    -rw-r--r--. 1 root root    127 Oct 10 10:17 file_contexts.local
    -rw-------. 1 root root 380333 Oct 10 10:17 file_contexts.template
    -rw-------. 1 root root  11776 Oct 10 10:17 homedir_template
    drwx------. 2 root root  12288 Oct 10 10:17 modules
    -rw-------. 1 root root      0 Oct 10 10:17 netfilter_contexts
    lrwxrwxrwx. 1 root root     38 Oct 10 10:17 policy.kern -> /etc/selinux/targeted/policy/policy.29
    -rw-r--r--. 1 root root    136 Oct 10 10:17 ports.local
    -rw-r--r--. 1 root root    282 Oct 10 10:34 README.migrated
    -rw-------. 1 root root    106 Oct 10 10:17 seusers.final
    -rw-------. 1 root root    101 Oct 10 10:17 users_extra
    [root@localhost ~]# cat /etc/selinux/targeted/modules/active/booleans.local
    # This file is auto-generated by libsemanage
    # Do not edit directly.

    virt_use_nfs=1
    [root@localhost ~]# getsebool -a | grep virt_use_nfs
    virt_use_nfs --> off


(In reply to Lukas Vrabec from comment #27)
> Ryan,
> Understood, but we have a patch which fixes this after reboot by using a
> systemd unit file. The patch is attached in comment#16. Could you please prepare
> an RHV-H host without the update for testing purposes? I'll try to reproduce it.
>
> Thanks.

I have a libvirt snapshot before the update, so testing should be easy. Are you asking for a publicly available test system here? I'm not sure of the request.


Since there's /etc/selinux/targeted/modules/active/README.migrated, the migration happened. It's not clear to me why local changes are not copied to the new store. Can you please run:

    # rm -f /etc/selinux/targeted/modules/active/README.migrated
    # bash -x /usr/libexec/selinux/selinux-policy-migrate-local-changes.sh targeted
    # cat /etc/selinux/targeted/modules/active/booleans.local
    # getsebool -a | grep virt_use_nfs
    # cat /etc/selinux/targeted/active/booleans.local

Or provide access to some machine or the reproducer?


The problem seems to be in the migration script, which migrates changes but doesn't apply them:

    # semanage boolean -C -l
    SELinux boolean                State  Default Description
    cups_execmem                   (off  ,   on)  Allow cups to execmem
    virt_use_nfs                   (off  ,   on)  Allow virt to use nfs

The system default is 'on', which is correct since it was changed before the update, but the system runs with 'off', as the policy which is loaded was built with 'off' and the local changes were not applied.

I'll provide another build with a fixed script.


According to my testing, it's fixed in https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=11892056

Please confirm. All changes are migrated and applied in the running system.


Ryan, thanks for the help with setting up an environment.


Confirmed, this works. Thanks!


Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
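The diagnosis in the thread is a split-brain between the module store and the loaded policy: the migration script copied the local change into the new store (so `semanage boolean -C -l` showed virt_use_nfs defaulting to on) but never rebuilt and reloaded the policy, so `getsebool` still reported off. The shell script below is an added example, not part of this bug report or of the selinux-policy package, that detects exactly that condition on a host by comparing the persistent values in a libsemanage booleans.local file with `getsebool -a` output, and optionally reapplies drifted booleans with `setsebool -P`, which rebuilds and loads the policy. It assumes the booleans.local format shown in Ryan's output (`name=0|1` plus `#` comments) and, for the live check, the RHEL 7.3 store path /etc/selinux/targeted/active/booleans.local that Petr asked for; the sample inputs are constructed from the values reported in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report): find SELinux booleans whose persistent
# value in the module store differs from the value the running policy reports,
# and optionally reapply them. Assumed inputs: a libsemanage booleans.local file
# ("name=0|1", '#' comments) and the text output of "getsebool -a" ("name --> on").

# Normalise booleans.local into "name on|off" lines.
parse_booleans_local() {
    # $1: path to a booleans.local file
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk -F= '{
            gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2)
            print $1, ($2 == "1" ? "on" : "off")
        }'
}

# Normalise "getsebool -a" output into "name on|off" lines.
parse_getsebool() {
    # $1: path to a file holding getsebool -a output
    awk '$2 == "-->" { print $1, $3 }' "$1"
}

# Print "name persistent=X runtime=Y" for every boolean that is set in the store
# but reported differently by the kernel. Booleans the loaded policy does not
# know about are skipped rather than reported.
find_drift() {
    # $1: booleans.local path, $2: getsebool -a output path
    runtime=$(parse_getsebool "$2")
    for pair in $(parse_booleans_local "$1" | tr ' ' '='); do
        name=${pair%%=*}; want=${pair#*=}
        have=$(printf '%s\n' "$runtime" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$have" ] || continue
        if [ "$have" != "$want" ]; then
            printf '%s persistent=%s runtime=%s\n' "$name" "$want" "$have"
        fi
    done
}

# Reapply each drifted boolean with "setsebool -P", which rebuilds the policy
# from the store and loads it. Set DRY_RUN=1 (or lack setsebool) to only print
# the commands that would run.
reapply_drift() {
    # $1: booleans.local path, $2: getsebool -a output path
    find_drift "$1" "$2" | while read -r name want _; do
        value=${want#persistent=}
        if [ -n "${DRY_RUN:-}" ] || ! command -v setsebool >/dev/null 2>&1; then
            printf 'would run: setsebool -P %s %s\n' "$name" "$value"
        else
            setsebool -P "$name" "$value"
        fi
    done
}

# Constructed sample inputs modelled on the thread: the store says virt_use_nfs=1,
# the loaded policy still reports it off, and virt_use_usb agrees on both sides.
write_samples() {
    # $1: directory to write booleans.local and getsebool.out into
    cat >"$1/booleans.local" <<'EOF'
# This file is auto-generated by libsemanage
# Do not edit directly.
virt_use_nfs=1
virt_use_usb=1
EOF
    cat >"$1/getsebool.out" <<'EOF'
virt_use_comm --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_usb --> on
EOF
}

# Stand-alone run: report drift in the constructed sample, then on this host if
# the RHEL 7.3 store path (assumed) and getsebool are both available.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
printf 'drift in constructed sample:\n'
find_drift "$demo_dir/booleans.local" "$demo_dir/getsebool.out"
rm -rf "$demo_dir"

live_store=/etc/selinux/targeted/active/booleans.local
if [ -r "$live_store" ] && command -v getsebool >/dev/null 2>&1; then
    live_out=$(mktemp)
    getsebool -a >"$live_out"
    printf 'drift on this host:\n'
    find_drift "$live_store" "$live_out"
    rm -f "$live_out"
fi
```

Running it on the constructed sample prints one line, `virt_use_nfs persistent=on runtime=off`, which is the state Ryan's host was in after the migration service ran. A hit on a real host means the store and the kernel disagree; `reapply_drift` (without DRY_RUN) fixes it the same way the corrected migration script does, by going through libsemanage so the policy is rebuilt and reloaded rather than by editing booleans.local by hand.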