Bug 1384319

Summary: vmconsole raise invalid file selinux context
Product: [oVirt] ovirt-vmconsole Reporter: Sandro Bonazzola <sbonazzo>
Component: General Assignee: Francesco Romani <fromani>
Status: CLOSED WONTFIX QA Contact: Nikolai Sednev <nsednev>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: master CC: bugs, michal.skrivanek, sbonazzo, trichard
Target Milestone: --- Flags: sbonazzo: ovirt-4.0.z-
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
A bug in oVirt Live ISO creation causes wrong SELinux labeling. Within the ISO, some files get the wrong context upon boot. This can be avoided by running oVirt Live in permissive mode; you can still use oVirt Live, but be aware that SELinux is not enforcing.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-14 10:09:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Sandro Bonazzola 2016-10-13 06:21:00 UTC
While building ovirt-live, I noticed the following error:

/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:ovirt_vmconsole_exec_t:s0

Please check vmconsole packaging, since it may be causing wrong SELinux labeling on the system.

See http://jenkins.ovirt.org/job/ovirt-live_4.0-create-iso/57/artifact/output/iso.log

Comment 1 Michal Skrivanek 2016-10-14 07:34:49 UTC
Is it a regression?
Does it run a proper rpm installation in a mock environment, including the post-install script? That one registers the new policy. If it just runs a plain chroot deploy of rpms and then tries to label it, it is going to fail (and it always did). ovirt-vmconsole-proxy may need to be declared as a build requirement then.

Comment 2 Sandro Bonazzola 2016-10-14 08:56:08 UTC
(In reply to Michal Skrivanek from comment #1)
> Is it a regression?

Probably yes, because in the 3.6 build of oVirt Live it didn't happen:
http://jenkins.ovirt.org/job/ovirt-live_3.6-create-iso/47/artifact/output/iso.log


> Does it run a proper rpm installation in a mock environment, including the
> post-install script? That one registers the new policy.

It's a livecd creation instance, so it's a clean installation in an isolated environment that was previously completely empty.

> If it just runs a
> plain chroot deploy of rpms and then tries to label it, it is going to fail
> (and it always did). ovirt-vmconsole-proxy may need to be declared as a
> build requirement then.

Comment 3 Michal Skrivanek 2016-10-14 09:08:39 UTC
I suppose it's related to the issue during installation of that policy:
  Installing: selinux-policy               ################### [650/1303]semodule: SELinux policy is not managed or store cannot be accessed.
 

The same problem is in 3.6, but it may be that the livecd creation didn't do relabeling in 3.6. Is that possible? If so, it might be a limitation/bug of the livecd tool that it can't do proper SELinux labeling during creation. Then we need to do it on bootup - is that how it was working in 3.6?

Comment 4 Michal Skrivanek 2016-10-14 10:09:40 UTC
There seems to be some issue with building the ISO, as the policy doesn't get installed properly, but when testing the final ISO it was there correctly, more or less (well, there were many other files with the wrong context upon boot when I tried restorecon -Rv /). But we run livecd in Permissive mode anyway, likely because of all these issues, and we do not want to waste time relabeling on boot for a live CD... so let's close it as a known issue.
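
Added example, not part of the bug thread or of any oVirt code: a build-time check for the failure discussed in comments 1 and 3, where file_contexts references a type whose policy module was never registered in the image. The function names, sample paths and sample type list are constructed for illustration; on a real system the type list would come from a tool such as `seinfo -t` (assumption).

```shell
#!/bin/sh
# find_undefined_types FILE_CONTEXTS TYPES_LIST
# Prints "<line>: <type>" for every file_contexts entry whose SELinux type is
# not in TYPES_LIST (one type name per line). Prints nothing when all resolve.
find_undefined_types() {
    awk '
        FILENAME == ARGV[1] { if (NF > 0) known[$1] = 1; next }  # load type list
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            ctx = $NF                          # context is the last field
            if (ctx == "<<none>>") next        # entry that is deliberately unlabeled
            n = split(ctx, part, ":")          # user:role:type:level
            if (n < 3) { print FNR ": malformed context " ctx; next }
            if (!(part[3] in known)) print FNR ": " part[3]
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from the ovirt-live build). The
# vmconsole path is a placeholder; only the type name comes from the report.
make_sample() {
    cat > "$1/file_contexts" <<'EOF'
# constructed entries
/usr/bin/example-tool  --  system_u:object_r:bin_t:s0
/placeholder/vmconsole-helper  --  system_u:object_r:ovirt_vmconsole_exec_t:s0
/var/run/example(/.*)?  <<none>>
EOF
    # Type list as it would look when the vmconsole module was not installed.
    printf '%s\n' bin_t etc_t > "$1/types"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_undefined_types "$demo_dir/file_contexts" "$demo_dir/types"
rm -rf "$demo_dir"
```

Running such a check inside the image root before the labeling step turns the "has invalid context" message into an explicit list of the types that are missing from the installed policy.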