Bug 1574649
| Summary: | Creation of cgroup in /etc/cgconfig.cfg failing at boot; AVC denial | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | rhbzla | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 28 | CC: | dwalsh, lvrabec, mgrepl, plautrba, pmoore | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-3.14.1-29.fc28 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-05-26 20:45:31 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364 selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364 selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. Removing the aliases since they are apparently misused here. For example, adding alias 'selinux' means the bug is accessible via 'https://bugzilla.redhat.com/show_bug.cgi?id=selinux'. Also when you search for 'selinux', you get redirected directly to this bug, which is confusing. |
Created attachment 1430852 [details] /etc/cgconfig.conf settings Description of problem: After upgrading from Fedora 27 to 28, the cgroup set up in /etc/cgconfig.conf is failing to be created on boot (cgconfig.service error status 87). sudo systemctl status -n40 cgconfig.service shows the following output: ● cgconfig.service - Control Group configuration service Loaded: loaded (/usr/lib/systemd/system/cgconfig.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Thu 2018-05-03 13:43:15 EDT; 4min 25s ago Process: 815 ExecStart=/usr/sbin/cgconfigparser -l /etc/cgconfig.conf -s 1664 (code=exited, status=87) Main PID: 815 (code=exited, status=87) May 03 13:43:25 fedora cgconfigparser[735]: /usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup, operation not allowed May 03 13:43:03 fedora systemd[1]: cgconfig.service: Main process exited, code=exited, status=87/n/a May 03 13:43:03 fedora systemd[1]: cgconfig.service: Failed with result 'exit-code'. May 03 13:43:03 fedora systemd[1]: Failed to start Control Group configuration service. May 03 13:43:25 fedora cgconfigparser[812]: /usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup, operation not allowed May 03 13:43:25 fedora cgconfigparser[815]: /usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup, operation not allowed May 03 13:43:15 fedora systemd[1]: Starting Control Group configuration service... May 03 13:43:15 fedora systemd[1]: cgconfig.service: Main process exited, code=exited, status=87/n/a May 03 13:43:15 fedora systemd[1]: cgconfig.service: Failed with result 'exit-code'. May 03 13:43:15 fedora systemd[1]: Failed to start Control Group configuration service. May 03 13:43:15 fedora systemd[1]: Starting Control Group configuration service... May 03 13:43:15 fedora systemd[1]: cgconfig.service: Main process exited, code=exited, status=87/n/a May 03 13:43:15 fedora systemd[1]: cgconfig.service: Failed with result 'exit-code'. May 03 13:43:15 fedora systemd[1]: Failed to start Control Group configuration service. I also notice the following AVC denial errors at around the same time: May 03 13:43:15 fedora audit[815]: AVC avc: denied { dac_override } for pid=815 comm="cgconfigparser" capability=1 scontext=system_u:system_r:cgconfig_t:s0 tcontext=system_u:system_r:cgconfig_t:s0 tclass=capability permissive=0 How reproducible: Every boot Steps to Reproduce: 1. Create a cgroup that is owned by non root in /etc/cgconfig.conf (see attached cgconfig.conf) 2. Reboot 3. Appears to fail due to SELinux Actual results: Cgroup not being created Expected results: Cgroup to be created Additional info: I found that if I run the process mentioned in cgconfig.service manually (/usr/sbin/cgconfigparser -l /etc/cgconfig.conf -s 1664) in a terminal as the normal user (not root), I get the same "Cgroup, operation not allowed) error. However, if I run it as root (sudo /usr/sbin/cgconfigparser -l /etc/cgconfig.conf -s 1664), the cgroup gets created with no errors.