Bug 1609806
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Running dnf upgrade in container (build) which updates elfutils-default-yama-scope causes AVC denial | | |
| Product | [Fedora] Fedora | Reporter | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component | systemd | Assignee | systemd-maint |
| Status | CLOSED NEXTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 30 | CC | amurdaca, dwalsh, extras-qa, fche, jakub, jchaloup, jpazdziora, lnykryn, lsm5, lvrabec, me, mgrepl, mjw, msekleta, plautrba, ssahani, s, systemd-maint, zbyszek, zpytela |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | systemd-243.6-1.fc31 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | 1602914 | Environment | |
| Last Closed | 2020-02-05 19:27:39 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1602914 | | |
| Bug Blocks | | | |
Description
Jan Pazdziora (Red Hat)
2018-07-30 14:05:03 UTC
Based on Frank's suggestion in bug 1602914 comment 8, filing also against elfutils for consideration.

It looks like this issue is already resolved in container-selinux.

If there still is an issue I think this is an issue for systemd. All elfutils does is run the normal %sysctl_apply macro in %post, which uses systemd-sysctl. So if that should do something different to activate the sysctl setting inside a container then it probably should be changed/fixed in systemd.

I think Frank's point was: should elfutils-default-yama-scope run that systemd-sysctl at runtime, rather than leaving it until reboot?

(In reply to Jan Pazdziora from comment #3)
> I think Frank's point was: should elfutils-default-yama-scope run that
> systemd-sysctl at runtime, rather than leaving it until reboot?

Yes it should. That is the way to activate the new sysctl setting, so that no reboot is necessary: https://fedoraproject.org/wiki/Packaging:Guidelines#binfmt.d.2C_sysctl.d_and_tmpfiles.d

That is why I think this really is a systemd issue. If something else is necessary in a container install then systemd-sysctl should do the right thing.

Let's reassign to systemd for their consideration, since that sysctl_apply rpm macro comes from systemd, and runs /usr/lib/systemd/systemd-sysctl.

ISTM that the intent of this Fedora guideline is not appropriate when an installation is done in the context of a container image construction, since sysctls are moot / disabled / error-generating in that context.

This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

It'd be good to get some opinion from systemd maintainers.

It seems we should probably make the macro do nothing when run in a container. Let me discuss this with other maintainers.

This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

(In reply to Zbigniew Jędrzejewski-Szmek from comment #8)
> It seems we should probably make the macro do nothing when run in a
> container.
> Let me discuss this with other maintainers.

Was there some result from that discussion?

We discussed this upstream. A PR [1] was submitted to "downgrade" the log message when we cannot write a sysctl from log_notice to log_debug. This means that it will not be shown by default (the default log level is info).

sysctl should still be run in containers, because some settings might be writable in containers; in particular for network-related settings this is pretty common.

As for any spurious selinux warnings, selinux should just not emit them. Please talk to the policy maintainers about this.

[1] https://github.com/systemd/systemd/pull/14585

I thought the SELinux part was addressed in bug 1602914 quite some time ago and this bugzilla was about the sysctl_apply rpm macro.

At container image build time, when the majority of the rpm operations in containers happen, you never want the sysctl run or propagated.

> I thought the SELinux part was addressed in bug 1602914 quite some time ago

Oh, right.

> At container image build time, when the majority of the rpm operations in containers happen, you never want the sysctl run or propagated.

/proc/sys should be protected in the container so that the container does not have access to settings it shouldn't have. systemd-sysctl ignores the access failure. The only change with the linked PR is to avoid a warning.

OK, so this should be all OK once the PR goes in.

This is fixed in F31 now, but the patch has a lot of conflicts, so I don't want to backport it to F30. Sorry.
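The behaviour the thread converges on (keep applying sysctl.d settings at package install time, treat a protected /proc/sys inside a container as expected and only mention it at debug level, but stay loud on a real host) can be shown with a small POSIX sh implementation. This is a constructed example added here, not systemd-sysctl or the %sysctl_apply macro; `SYSCTL_ROOT`, the `in_container` fallback to marker files, and the `kernel.yama.ptrace_scope` key used in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example, not systemd's code: apply a sysctl.d-style file the
# way a package %post scriptlet would, but tolerate keys that cannot be
# written. During a container image build /proc/sys is masked or read-only,
# so a failed write is counted and skipped instead of failing the install,
# which is what systemd-sysctl does; the message is only loud outside a
# container, so a misconfiguration on a real host still gets noticed.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"   # overridable for the self-test
SYSCTL_APPLIED=0
SYSCTL_SKIPPED=0

# Best-effort container detection: systemd-detect-virt when present,
# otherwise the well-known marker files of Docker and Podman (assumption).
in_container() {
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        systemd-detect-virt --container --quiet
    else
        [ -f /.dockerenv ] || [ -f /run/.containerenv ]
    fi
}

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# apply_sysctl_file FILE: write each "key = value" line under $SYSCTL_ROOT.
# Comments and blank lines are ignored; a leading '-' on a key means
# "ignore write errors", as in sysctl.d(5). Always returns 0 and reports
# the outcome through SYSCTL_APPLIED / SYSCTL_SKIPPED.
apply_sysctl_file() {
    SYSCTL_APPLIED=0
    SYSCTL_SKIPPED=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case "$line" in ''|'#'*|';'*) continue ;; esac
        case "$line" in *=*) ;; *) continue ;; esac   # malformed line: skip
        key=$(trim "${line%%=*}"); key="${key#-}"
        value=$(trim "${line#*=}")
        path="$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)"
        if printf '%s\n' "$value" > "$path" 2>/dev/null; then
            SYSCTL_APPLIED=$((SYSCTL_APPLIED + 1))
        elif in_container; then
            SYSCTL_SKIPPED=$((SYSCTL_SKIPPED + 1))
            if [ "${SYSCTL_DEBUG:-0}" = 1 ]; then echo "debug: skipped $key" >&2; fi
        else
            SYSCTL_SKIPPED=$((SYSCTL_SKIPPED + 1))
            echo "notice: could not write $key" >&2
        fi
    done < "$1"
    return 0
}
```

Pointing `SYSCTL_ROOT` at a scratch directory lets you exercise the skip path without touching the real kernel: a directory in place of a key file makes the write fail the same way a masked /proc/sys entry does.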