Bug 1484566

Summary: Multiple 'map' denials prevent Cockpit from working
Product: Fedora
Component: selinux-policy-targeted
Version: 27
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Hardware: All
OS: Linux
Whiteboard: AcceptedBlocker
Reporter: Adam Williamson <awilliam>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Ben Levenson <benl>
CC: dwalsh, kparal, mpitt, robatino, sgallagh, stefw
Fixed In Version: selinux-policy-3.13.1-279.fc27
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2017-09-09 04:11:30 UTC
Bug Blocks: 1396702

Description Adam Williamson 2017-08-23 21:08:46 UTC
In the most recent Rawhide compose, the openQA Cockpit test fails; trying to access Cockpit in the browser shows an 'Internal Server Error' message:

https://openqa.fedoraproject.org/tests/133144#step/server_cockpit_default/21

Looking at the logs, this appears to be caused by multiple 'map' denials:

Aug 22 14:03:08 localhost.localdomain systemd[1]: Started Cockpit Web Service.
Aug 22 14:03:08 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 22 14:03:08 localhost.localdomain cockpit-ws[1794]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc:  denied  { map } for  pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=8839810 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc:  denied  { map } for  pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/login.min.html" dev="dm-0" ino=8839801 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain cockpit-ws[1794]: Failed to map /usr/share/cockpit/static/login.po.html' /usr/share/cockpit/static/login.po.html': mmap() failed: Permission denied
Aug 22 14:03:08 localhost.localdomain cockpit-ws[1794]: Failed to map /usr/share/cockpit/static/login.min.html' /usr/share/cockpit/static/login.min.html': mmap() failed: Permission denied
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc:  denied  { map } for  pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Regular-webfont.woff" dev="dm-0" ino=12724528 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc:  denied  { map } for  pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Light-webfont.woff" dev="dm-0" ino=12724526 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc:  denied  { map } for  pid=1794 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=12971895 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc:  denied  { map } for  pid=1794 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=12971895 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

This is a clear Fedora 27 Beta blocker (I'm 99.9% sure the same bug will affect F27, just F27 composes are failing at present so we don't have any test results from recent F27), per Alpha criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (9090)." - https://fedoraproject.org/wiki/Fedora_27_Alpha_Release_Criteria#Cockpit_management_interface
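The audit records in the description carry the whole diagnosis: the source domain is cockpit_ws_t, every target is a file labelled usr_t under /usr/share, the class is file, and the only permission refused is map, with permissive=0 showing the denial was enforced rather than merely logged. map is checked separately from read and gates mmap() of a file, so a domain that has always been allowed to read usr_t files can still be stopped from mapping them once a kernel and policy that know about map are in use. The distribution fix is the selinux-policy update named above; if a host has to keep working until that lands, the usual route is to feed the records to audit2allow. What follows is an added example, not code from this report, from selinux-policy or from Cockpit: a POSIX shell/awk equivalent that derives the allow rule, and optionally a complete .te module, from AVC records. The sample input reuses two lines from the description plus one constructed record, and the module name cockpit_map_local is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the bug report, selinux-policy or Cockpit):
# turn AVC "denied" records into the allow rules, and optionally a
# complete .te policy module, that would permit them. audit2allow does
# the same job on a real system; this version needs only awk, so it can
# run on logs copied off the affected host.

# avc_to_te [MODULE_NAME]
#   Reads AVC lines (journal or /var/log/audit/audit.log format) on stdin.
#   Prints one "allow SRC TGT:CLASS { perms };" per (source, target, class)
#   triple, merging permissions seen in separate records. With MODULE_NAME,
#   wraps the rules in a module/require header that checkmodule accepts.
avc_to_te() {
  awk -v mod="${1:-}" '
    /avc: *denied/ {
      # permissions are the words inside the first { ... }
      p = index($0, "{"); q = index($0, "}")
      if (p == 0 || q <= p) next
      perms = substr($0, p + 1, q - p - 1)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # the third colon-separated component of a context is the type
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src " " tgt ":" cls
      if (!(key in rules))    { rules[key] = "";   order[++nkeys] = key }
      if (!(src in types))    { types[src] = 1;    torder[++ntypes] = src }
      if (!(tgt in types))    { types[tgt] = 1;    torder[++ntypes] = tgt }
      if (!(cls in classes))  { classes[cls] = ""; corder[++ncls] = cls }
      np = split(perms, pl, " ")
      for (j = 1; j <= np; j++) {
        pk = key SUBSEP pl[j]
        if (!(pk in seen))  { seen[pk] = 1;  rules[key] = rules[key] " " pl[j] }
        ck = cls SUBSEP pl[j]
        if (!(ck in cseen)) { cseen[ck] = 1; classes[cls] = classes[cls] " " pl[j] }
      }
    }
    END {
      if (mod != "") {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= ntypes; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= ncls; i++)   printf "\tclass %s {%s };\n", corder[i], classes[corder[i]]
        printf "}\n\n"
      }
      for (i = 1; i <= nkeys; i++) printf "allow %s {%s };\n", order[i], rules[order[i]]
    }'
}

# Constructed sample input: the first two records are copied from the
# report above; the third is made up for this example so that a second
# permission gets merged into the same rule.
SAMPLE_AVC='Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc:  denied  { map } for  pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/login.min.html" dev="dm-0" ino=8839801 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc:  denied  { map } for  pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Regular-webfont.woff" dev="dm-0" ino=12724528 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1503410588.000:1): avc:  denied  { read } for  pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/constructed.html" dev="dm-0" ino=1 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0'

# Stand-alone run: print the module derived from the sample records.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te cockpit_map_local
```

On a live host the same function would be driven by `ausearch -m avc -c cockpit-ws | avc_to_te cockpit_map_local > cockpit_map_local.te`, compiled with `checkmodule -M -m -o cockpit_map_local.mod cockpit_map_local.te` and `semodule_package -o cockpit_map_local.pp -m cockpit_map_local.mod`, and loaded with `semodule -i cockpit_map_local.pp`. Note what the resulting rule actually grants: `allow cockpit_ws_t usr_t:file { map }` lets cockpit-ws map every usr_t file on the system, far more than the handful of assets in the log, so treat it as a stopgap and remove it with `semodule -r cockpit_map_local` once the packaged policy with the fix is installed.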

Comment 1 Adam Williamson 2017-08-23 21:12:38 UTC
Note for Cockpit folks: just CCing you on this for information. SELinux has added a new 'map' permission recently, and we're getting tons of denials for it, breaking all kinds of stuff.

Comment 2 Kamil Páral 2017-09-04 17:02:43 UTC
Discussed during blocker review [1]:

 AcceptedBlocker (Beta) - clear violation of Alpha criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (9090)"

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-04/

Comment 3 Adam Williamson 2017-09-04 17:07:43 UTC
Cockpit still fails to start with selinux-policy-3.13.1-277.fc27 , with these denials:

Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc:  denied  { map } for  pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=4573538 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc:  denied  { map } for  pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.min.html" dev="dm-0" ino=4573529 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc:  denied  { map } for  pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Regular-webfont.woff" dev="dm-0" ino=8560638 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc:  denied  { map } for  pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Light-webfont.woff" dev="dm-0" ino=8560636 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc:  denied  { map } for  pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc:  denied  { map } for  pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

Comment 4 Fedora Update System 2017-09-05 21:10:19 UTC
selinux-policy-3.13.1-279.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bf736ee273

Comment 5 Fedora Update System 2017-09-07 12:12:59 UTC
selinux-policy-3.13.1-280.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e

Comment 6 Fedora Update System 2017-09-07 14:34:12 UTC
selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e

Comment 7 Fedora Update System 2017-09-09 04:11:30 UTC
selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.