Bug 1697667

Summary: Many services fail, network does not start on current Rawhide due to SELinux denials
Product: Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: high
Version: rawhide
CC: dwalsh, jpokorny, lvrabec, mgrepl, mikhail.v.gavrilov, mstevens, plautrba, robatino, zpytela
Hardware: All
OS: Linux
Whiteboard: openqa
Last Closed: 2019-04-29 18:09:14 UTC
Type: Bug
Bug Blocks: 1644937

Description Adam Williamson 2019-04-09 00:06:09 UTC
Since the Fedora-Rawhide-20190407.n.1 compose, many services fail to start on boot of a freshly-installed Rawhide system, and the network does not come up.

This seems to be clearly an SELinux issue, likely introduced by selinux-policy-3.14.4-8.fc31: booting with 'enforcing=0' solves all the problems, all services start successfully and the network comes up.

Here are all the denials shown by ausearch from the permissive boot:

----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.028:97): avc:  denied  { mounton } for  pid=662 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.052:101): avc:  denied  { mounton } for  pid=665 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.081:105): avc:  denied  { mounton } for  pid=668 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.107:109): avc:  denied  { mounton } for  pid=671 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.146:114): avc:  denied  { mounton } for  pid=677 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:58 2019
type=AVC msg=audit(1554767878.936:212): avc:  denied  { setattr } for  pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=1044 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
----
time->Mon Apr  8 16:57:58 2019
type=AVC msg=audit(1554767878.936:213): avc:  denied  { setattr } for  pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=1044 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
----
time->Mon Apr  8 16:58:25 2019
type=AVC msg=audit(1554767905.909:67): avc:  denied  { mounton } for  pid=682 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=12788 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

Proposing as an F31 Beta blocker - this violates all criteria related to network-based functions on the installed system (e.g. package install).
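As an added example (not part of this bug report or of the selinux-policy project), the following Python groups AVC records like the ones above by source type, target type and object class, counts how many of them were actually enforced (permissive=0) rather than merely logged, and renders the allow rule a local policy module would need for each group, in the same shape audit2allow produces. The first two log lines are copied from the report; the third is constructed with permissive=1 to show how the enforcement flag is counted.

```python
import re

# Constructed sample: two AVC records verbatim from this bug report plus one
# constructed record (permissive=1), interleaved with ausearch separators so the
# parser is shown skipping non-AVC lines.
SAMPLE_AVCS = """\
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.028:97): avc:  denied  { mounton } for  pid=662 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:58 2019
type=AVC msg=audit(1554767878.936:212): avc:  denied  { setattr } for  pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=1044 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(1554767905.909:67): avc:  denied  { mounton } for  pid=682 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=12788 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
"""

# Captures the permission set, both security contexts, the object class and
# the optional permissive flag from one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC record; return None for separators and other non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "stype": type_of(m["scontext"]),
        "ttype": type_of(m["tcontext"]),
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
        "enforced": m["permissive"] == "0",   # denial actually blocked the call
    }

def summarize(log):
    """Group denials by (source type, target type, class); merge perms, count hits."""
    groups = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "count": 0, "enforced": 0})
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["enforced"] += rec["enforced"]
    return groups

def allow_rules(groups):
    """Render each group as the allow rule a local .te module would contain."""
    def fmt(perms):
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return sorted(f"allow {s} {t}:{c} {fmt(g['perms'])};" for (s, t, c), g in groups.items())
```

Running `allow_rules(summarize(SAMPLE_AVCS))` yields one rule for init_t on sysctl_kernel_t:file and one for init_t on tty_device_t:chr_file, matching the two permissions the policy commits in this bug later granted; the per-group enforced count is what tells you whether a denial would break an enforcing boot.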

Comment 1 Lukas Vrabec 2019-04-09 08:22:12 UTC
Will be fixed in the next version of the selinux-policy rpm package.

commit 639e317c9b53a6b1f520a0e02bf489c6b173eaae (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 9 10:21:04 2019 +0200

    Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667)


commit 68d5b6395399b4b4a04d2fc4fc37dd91a6b54450
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 8 12:29:36 2019 +0200

    Allow systemd to mounton kernel sysctls BZ(1696201)

Comment 2 Jan Pokorný [poki] 2019-04-09 18:03:49 UTC
This is likely the problem behind [bug 1697548] I reported earlier, against the systemd component.

Comment 3 Jan Pokorný [poki] 2019-04-09 18:04:35 UTC
[bug 1697370], I mean.

Comment 4 Zbigniew Jędrzejewski-Szmek 2019-04-10 21:50:55 UTC
*** Bug 1697548 has been marked as a duplicate of this bug. ***

Comment 5 Adam Williamson 2019-04-11 15:03:28 UTC
The selinux-policy package build failed:

https://koji.fedoraproject.org/koji/buildinfo?buildID=1247012

Can you please check and fix it? Thanks.

Comment 6 Lukas Vrabec 2019-04-13 10:37:27 UTC
https://koji.fedoraproject.org/koji/buildinfo?buildID=1248381

Fixed.

Comment 7 Adam Williamson 2019-04-29 18:09:14 UTC
This does indeed seem resolved in current Rawhide, thanks.