Bug 1461978

Summary: SELinux denies 'execute' for /usr/libexec/nm-dispatcher on boot after install from Atomic Host installer image
Product: Fedora
Component: ostree
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Adam Williamson <awilliam>
Assignee: Colin Walters <walters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dustymabe, dwalsh, jlebon, lvrabec, mgrepl, miabbott, plautrba, pmoore, ssekidde, walters
Fixed In Version: ostree-2017.7-2.fc26 ostree-2017.7-2.fc25
Bug Blocks: 1462976
Last Closed: 2017-06-22 13:36:50 UTC
Type: Bug

Attachments:
more selinux denials

Description Adam Williamson 2017-06-15 19:18:59 UTC
The openQA default-install-and-boot test for the Atomic Host installer image is showing several instances of one SELinux denial immediately after boot:

```
type=AVC msg=audit(1497548408.952:169): avc: denied { execute } for pid=998 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=28911 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file permissive=0
```

With each occurrence the pid of the nm-dispatcher process changes, so it seems like perhaps this denial causes the operation (whatever exactly nm-dispatcher is doing, I'm not sure) to fail and then it is immediately retried, hits the denial, and fails again. This doesn't seem to prevent networking from working.

This seems to have started happening between Fedora-26-20170605.n.0 (which would have been effectively identical to Beta) and Fedora-26-20170611.n.1 (which was the first successful post-Beta-freeze compose, with all the packages queued for stable during the Beta freeze included).
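The report above contains one AVC record and notes that the same denial repeats with a changing pid. The following is an added example, not code from the bug or from Fedora/ostree, that parses audit AVC lines into their fields, collapses repeats that differ only in pid and timestamp, and flags an execute denial as a probable mislabel when the target file's type differs from the type the caller says policy expects for that path (the `matchpathcon` answer). The sample log is constructed: its first line is the denial quoted in the description, the other lines are made up here.

```python
import re
from collections import Counter

# Constructed sample audit log. The first AVC line is the denial quoted in this
# bug's description; the other two AVC lines and the SYSCALL line are made up
# here to show the "same denial, different pid" pattern the reporter describes.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1497548408.952:169): avc: denied { execute } for pid=998 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=28911 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1497548408.952:169): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1497548409.101:172): avc: denied { execute } for pid=1003 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=28911 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1497548409.250:175): avc: denied { execute } for pid=1011 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=28911 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file permissive=0
"""

# Header of an AVC record; whitespace is flexible because auditd pads with two spaces.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be quoted (comm="...") or bare (pid=998).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Split user:role:type:level; the type field is what the policy rules key on.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def parse_audit_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Collapse repeated denials that differ only in pid/timestamp into counts."""
    return Counter(
        (r.get("comm"), r.get("name"), r.get("scontext_type"), r.get("tcontext_type"),
         r.get("tclass"), tuple(r["perms"]))
        for r in records if r["decision"] == "denied"
    )


def looks_like_mislabel(rec, expected_type):
    """True when an execute denial on a file is explained by the file carrying a
    type other than the one policy expects for its path (the matchpathcon answer).
    expected_type is supplied by the caller; this function does not query policy."""
    return (
        rec["decision"] == "denied"
        and rec.get("tclass") == "file"
        and "execute" in rec["perms"]
        and rec["tcontext_type"] != expected_type
    )


if __name__ == "__main__":
    for key, n in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(n, "x", key)
```

On a live host the text fed to `parse_audit_log` would come from `ausearch -m AVC` or the raw `/var/log/audit/audit.log`; the expected type passed to `looks_like_mislabel` is what `matchpathcon` reports for the path, as shown later in this bug.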

Comment 1 Dusty Mabe 2017-06-15 19:40:30 UTC
Created attachment 1288165 [details]
more selinux denials

Comment 2 Dusty Mabe 2017-06-15 19:50:38 UTC
The denials in that attachment are from an atomic host vagrant box (i.e. not just the installer, but the installed system).

Comment 3 Dusty Mabe 2017-06-15 20:11:25 UTC
```
[root@vanilla-f26atomic ~]# rpm-ostree status
State: idle
Deployments:
● fedora-atomic:fedora/26/x86_64/atomic-host
             Version: 26.59 (2017-06-12 02:00:29)
              Commit: 95283eba36118de8b065ca29c079760cc82394e0128aadf8f32bb867454b64fb
[root@vanilla-f26atomic ~]# rpm -q selinux-policy 
selinux-policy-3.13.1-254.fc26.noarch
[root@vanilla-f26atomic ~]# rpm -q kernel
kernel-4.11.0-2.fc26.x86_64
[root@vanilla-f26atomic ~]# rpm -q NetworkManager
NetworkManager-1.8.0-4.fc26.x86_64
```

Comment 4 Dusty Mabe 2017-06-15 20:14:10 UTC
also seeing on a host with newer versions:

```
[root@f26-updates-testing ~]# rpm -q selinux-policy NetworkManager kernel
selinux-policy-3.13.1-257.fc26.noarch
NetworkManager-1.8.0-5.fc26.x86_64
kernel-4.11.4-300.fc26.x86_64
```

Comment 5 Daniel Walsh 2017-06-15 21:40:23 UTC
Looks like 10-ifcfg-rh-routes.sh has the wrong type on it; it is labeled as a NetworkManager config file instead of an executable.

Comment 6 Daniel Walsh 2017-06-16 09:52:48 UTC
What is the path to 10-ifcfg-rh-routes.sh?

```
matchpathcon /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
/etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh	system_u:object_r:NetworkManager_initrc_exec_t:s0
```

```
restorecon -R -v /etc/NetworkManager
```

should fix the label.

Comment 7 Dusty Mabe 2017-06-16 13:18:09 UTC
```
[root@vanilla-f26atomic ~]# ls -lZ /etc/NetworkManager/dispatcher.d/*
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  175 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/00-netreport
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  100 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/04-iscsi
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0 1056 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  933 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/11-dhclient
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  436 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/20-chrony
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  719 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/hook-network-manager

/etc/NetworkManager/dispatcher.d/no-wait.d:
total 0
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_etc_t:s0 24 Jun 12 02:37 10-ifcfg-rh-routes.sh -> ../10-ifcfg-rh-routes.sh

/etc/NetworkManager/dispatcher.d/pre-down.d:
total 0

/etc/NetworkManager/dispatcher.d/pre-up.d:
total 0
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_etc_t:s0 34 Jun 12 02:37 10-ifcfg-rh-routes.sh -> ../no-wait.d/10-ifcfg-rh-routes.sh

[root@vanilla-f26atomic ~]# ls -lZ /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh 
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0 1056 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
```

Comment 8 Daniel Walsh 2017-06-16 13:22:29 UTC
Did restorecon fix the labels?

Comment 9 Dusty Mabe 2017-06-16 13:28:22 UTC

```
[root@vanilla-f26atomic ~]# restorecon -R -v /etc/NetworkManager 
Relabeled /etc/NetworkManager/dispatcher.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/00-netreport from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/04-iscsi from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/11-dhclient from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/20-chrony from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/hook-network-manager from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/no-wait.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/no-wait.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-down.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-up.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-up.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/system-connections from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_etc_rw_t:s0
```

Comment 10 Colin Walters 2017-06-16 13:39:37 UTC
This might be a regression from https://github.com/ostreedev/ostree/pull/797

`restorecon -nvR /etc/`

shows a lot of diffs.

Comment 11 Colin Walters 2017-06-16 13:48:01 UTC
This reproduces in F25AH too, starting from:

```
  fedora-atomic:fedora-atomic/25/x86_64/docker-host
             Version: 25.137 (2017-06-04 23:31:40)
              Commit: 0ed61d7441eddf96e6a98de4f10f4675268c7888b6d2b8a405b8c21fe6c92d23
```

Then

```
$ rpm-ostree deploy 25.136
$ systemctl reboot
...
$ restorecon -nvR /etc
```
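The dry run `restorecon -nvR /etc` used in the two comments above reports every path whose on-disk context differs from what policy says it should be. As an added example (not code from the bug or from ostree) here is a small parser for that output that turns the report into a list of drifted paths, counts the type transitions so a bulk mislabel like the one in this bug stands out, and isolates the entries whose correct type is an `*_exec_t` type, since those are the ones that surface as execute denials. It handles both wordings that appear in this bug: the `Relabeled X from A to B` form and the older `restorecon reset X context A->B` form. The sample input is constructed from lines that appear in this report.

```python
import re
import sys

# Constructed sample of `restorecon -nvR /etc` output, built from lines that appear
# in this bug, in the two wordings different policycoreutils versions print.
SAMPLE_RESTORECON = """\
Relabeled /etc/NetworkManager/dispatcher.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/system-connections from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_etc_rw_t:s0
restorecon reset /etc/sysconfig/anaconda context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
"""

# One regex per output wording; "old" is the context currently on disk,
# "new" is the context the file_contexts database says the path should carry.
LINE_RES = [
    re.compile(r"^Relabeled (?P<path>.+?) from (?P<old>\S+) to (?P<new>\S+)$"),
    re.compile(r"^restorecon reset (?P<path>.+?) context (?P<old>\S+?)->(?P<new>\S+)$"),
]


def context_type(ctx):
    """Extract the type component from user:role:type:level."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else None


def parse_drift(text):
    """Return one record per drifted path found in restorecon -nv output."""
    drift = []
    for line in text.splitlines():
        for rx in LINE_RES:
            m = rx.match(line.strip())
            if m:
                drift.append({
                    "path": m.group("path"),
                    "old": m.group("old"),
                    "new": m.group("new"),
                    "old_type": context_type(m.group("old")),
                    "new_type": context_type(m.group("new")),
                })
                break
    return drift


def summarize_drift(drift):
    """Count (current type -> expected type) transitions; a whole directory tree
    carrying the same wrong type shows up as one key with a large count."""
    counts = {}
    for d in drift:
        key = (d["old_type"], d["new_type"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def exec_type_drift(drift):
    """Paths whose expected type is an *_exec_t type but whose current type is not.
    These are the entries that produce execute AVC denials like the one in this bug."""
    return [
        d["path"] for d in drift
        if d["new_type"].endswith("_exec_t") and not d["old_type"].endswith("_exec_t")
    ]


if __name__ == "__main__":
    # Usage: restorecon -nvR /etc | python3 this_script.py
    # (falls back to the constructed sample when nothing is piped in)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESTORECON
    drift = parse_drift(text)
    for key, n in sorted(summarize_drift(drift).items()):
        print(f"{n:4d}  {key[0]} -> {key[1]}")
    for path in exec_type_drift(drift):
        print("exec-type mislabel:", path)
```

Piping the dry run through this and failing when `exec_type_drift` is non-empty is the kind of check that could sit in a post-deploy test like the one asked for in the next comment; it needs no root beyond what `restorecon -n` itself needs to read the labels.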

Comment 12 Dusty Mabe 2017-06-16 13:51:45 UTC
Is there a specific test we can add for this to the atomic-host-tests suite?

Comment 13 Colin Walters 2017-06-16 15:03:58 UTC
https://github.com/ostreedev/ostree/pull/936

There's an installed test case there - which gets back to https://github.com/projectatomic/atomic-host-tests/issues/74

Comment 14 Fedora Update System 2017-06-19 18:21:27 UTC
ostree-2017.7-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b464a11e7

Comment 15 Fedora Update System 2017-06-19 20:03:27 UTC
ostree-2017.7-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d194990d45

Comment 16 Dusty Mabe 2017-06-20 17:17:11 UTC
I don't think this actually affects F25AH. The commit [1] from the #797 PR you linked to only made it into 2017.6, which wasn't in F25.

```
$ koji latest-build f25-updates ostree
Build                                     Tag                   Built by
----------------------------------------  --------------------  ----------------
ostree-2017.6-2.fc25                      f25-updates           walters
```


Also, here is what I see from today's cloud image [2]:

```
[root@cloudhost ~]# restorecon -vnR /etc/
restorecon reset /etc/sysconfig/anaconda context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
```

[1] https://github.com/ostreedev/ostree/commit/e8efd1c8dcaad8fbd3b05c400972d237406263e7
[2] https://kojipkgs.fedoraproject.org/compose/twoweek/Fedora-Atomic-25-20170620.1/compose/CloudImages/x86_64/images/Fedora-Atomic-25-20170620.1.x86_64.qcow2

Comment 17 Dusty Mabe 2017-06-20 17:21:02 UTC
(In reply to Dusty Mabe from comment #16)
> I don't think this actually affects F25AH. The commit [1] from the #797 PR
> you linked to #797 only made it into 2017.6, which wasn't in F25.
> 
> ```
> $ koji latest-build f25-updates ostree
> Build                                     Tag                   Built by
> ----------------------------------------  -------------------- 
> ----------------
> ostree-2017.6-2.fc25                      f25-updates           walters

Correction: that is 2017.6 in f25, but I still don't know why we don't see the problem as shown by the restorecon output.

Comment 18 Dusty Mabe 2017-06-20 17:44:57 UTC
OK, more info now: the qcow images we create are most likely built with an older ostree (from the installer), which means they won't show the problem, but if we do an upgrade/deploy the files will get relabeled with an incorrect label.

I verified this behavior and that it is fixed with the new RPM in testing.

Comment 19 Fedora Update System 2017-06-21 04:27:28 UTC
ostree-2017.7-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d194990d45

Comment 20 Fedora Update System 2017-06-21 06:21:20 UTC
ostree-2017.7-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b464a11e7

Comment 21 Fedora Update System 2017-06-22 13:36:50 UTC
ostree-2017.7-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2017-06-23 01:56:49 UTC
ostree-2017.7-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.