Bug 1400009

Summary: Bad boolean declaration
Product: [Fedora] Fedora
Reporter: Paolo Antinori <pantinor>
Component: docker
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 25
CC: adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jchaloup, lsm5, lvrabec, marianne, mgrepl, miminar, nalin, plautrba, pmoore, riek, vbatts, vmojzis
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-01 15:01:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Paolo Antinori 2016-11-30 09:38:11 UTC
Description of problem:

While following the suggestions from "SELinux Alert Browser" I get an error at the `semodule` invocation step.


Version-Release number of selected component (if applicable):
```
rpm -qa | ag policycoreutils
policycoreutils-python-utils-2.5-17.fc25.x86_64
policycoreutils-devel-2.5-17.fc25.x86_64
policycoreutils-python3-2.5-17.fc25.x86_64
policycoreutils-2.5-17.fc25.x86_64
policycoreutils-python-2.5-17.fc25.x86_64
policycoreutils-gui-2.5-17.fc25.x86_64
```


How reproducible:


Steps to Reproduce:
1. SELinux is preventing gnome-shell from read access on the lnk_file /data/software/ext/idea.

2. 

```
sudo ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
[sudo] password for pantinor: 
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-gnomeshell.pp

```
3.
```
sudo semodule -X 300 -i my-gnomeshell.pp
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:152
semodule:  Failed!
```

Actual results:


Expected results:


Additional info:

I can't find `/var/lib/selinux/targeted/tmp/modules/100/virt/cil` that I was hoping to attach. Is there a way to keep this temporary file to be inspected?

Comment 1 Petr Lautrbach 2016-11-30 10:52:22 UTC
The temporary file itself probably can't be inspected, but you can inspect an active module in the /var/lib/selinux/targeted/active/modules/ directory - /var/lib/selinux/targeted/tmp/modules/100/virt/cil

For a better understanding of the problem, please provide the output of 'sudo ausearch -c 'gnome-shell' --raw'

These kinds of problems are usually seen in combination with a non-updated container-selinux (formerly docker-selinux) package.

Comment 2 Paolo Antinori 2016-11-30 13:55:35 UTC
Hi, thanks for helping. 

```
sudo ausearch -c 'gnome-shell' --raw | tail
type=AVC msg=audit(1480496220.412:373): avc:  denied  { read } for  pid=1598 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496220.339:372): avc:  denied  { read } for  pid=1598 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496397.723:222): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.331:318): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.368:319): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.468:320): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.491:321): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496773.968:326): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496773.933:325): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496923.028:183): avc:  denied  { read } for  pid=1722 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
```

Regarding the package update, I currently have no update available listed in `dnf`, and I performed a full filesystem relabelling just after upgrading to F25.

Comment 3 Lukas Vrabec 2016-12-01 14:33:37 UTC
We faced a similar issue before. It was fixed by removing a duplicate boolean declaration in the docker policy. The docker policy is shipped by docker.

Guys, 
Could you check if you declare virt_sandbox_use_fusefs in docker policy? 

Thanks,
Lukas.
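
A way to answer that question mechanically, as an added example (not part of the bug report or of any of the packages discussed): scan a directory tree of CIL module sources for boolean names that more than one module declares, which is exactly the condition semodule rejects with "Re-declaration of boolean ...". The two sample modules below are constructed to mirror the virt/docker conflict; the function assumes the CIL sources it is pointed at are plain text.

```shell
#!/bin/sh
# Added example (not from the bug report): report SELinux booleans declared by
# more than one CIL module under a directory tree. Module contents are constructed.

# Print every boolean name declared in two or more files under $1, one per line.
find_dup_booleans() {
    # CIL declares a boolean as "(boolean NAME true|false)". Collect
    # "file:NAME" pairs, drop repeats within one file, then count how many
    # distinct files declare each NAME and print the ones declared more than once.
    find "$1" -type f -exec grep -H -o '(boolean [A-Za-z0-9_.]*' {} + 2>/dev/null \
        | sed 's/(boolean //' \
        | sort -u \
        | awk -F: '{ n[$2]++ } END { for (b in n) if (n[b] > 1) print b }' \
        | sort
}

# Constructed sample store: two modules, one boolean declared by both.
setup_sample() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/virt.cil" <<'EOF'
(boolean virt_sandbox_use_fusefs false)
(boolean virt_use_nfs false)
EOF
    cat > "$sample_dir/docker.cil" <<'EOF'
(boolean docker_connect_any false)
(boolean virt_sandbox_use_fusefs false)
EOF
    echo "$sample_dir"
}

# Stand-alone run: list the duplicate boolean(s) in the constructed sample.
sample=$(setup_sample)
find_dup_booleans "$sample"
rm -rf "$sample"
```

Against a real system, point the function at the active module store (e.g. `find_dup_booleans /var/lib/selinux/targeted/active/modules`, where each module keeps its source in a file named `cil`); the parent directory of the reported file identifies the module that must stop declaring the shared boolean, and after the offending package is replaced the function should print nothing.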

Comment 4 Daniel Walsh 2016-12-01 14:45:36 UTC
yum update docker-selinux or container-selinux.

Comment 5 Paolo Antinori 2016-12-01 15:00:29 UTC
Thank you Dan, that worked.

Apparently I was on

docker-engine-selinux from VirtualBox repo (http://public-yum.oracle.com/repo/OracleLinux/OL7/addons/$basearch/)

This fixed the issue:

```
sudo dnf install container-selinux --allowerasing


...
Installing:
 container-selinux                                             x86_64                                         2:1.12.3-10.git7b5044b.fc25                                           updates                                              81 k
Removing:
 docker-engine-selinux                                         noarch                                         1.12.2-1.0.1.el7                                                      @VirtualBox                                          48 k


...
```

Comment 6 Daniel Walsh 2016-12-01 16:49:45 UTC
Yes, please use the distro's version of docker and the docker/container-selinux packages.