Bug 1777001
| Summary: | cockpit-ws should require(post) semanage somehow | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Yanko Kaneti <yaneti> |
| Component: | cockpit | Assignee: | Martin Pitt <mpitt> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 31 | CC: | dperpeet, ichavero, silvacraig, stefw |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | cockpit-208-1.fc31 cockpit-208-1.fc30 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-12-06 05:43:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Thanks Yanko for figuring this out! I already got a similar report upstream, but couldn't make sense of it. So apparently https://github.com/fedora-selinux/selinux-policy-contrib/pull/161 still didn't make it into Fedora 31.

Thanks. selinux-policy in f31 might have the fix, but this was a dnf upgrade from 30 -> 31 and package upgrade ordering might have had a part in the problem.

Yanko: No, I checked, selinux-policy really doesn't have the fix yet (https://bodhi.fedoraproject.org/updates/?packages=selinux-policy). My policy update landed upstream 22 days ago, and the current policy version 3.14.4-40 (https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50) got packaged 23 days ago. So it's not an upgrade issue at all, just the missing dependencies.

Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.

Closed by accident: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/V3GOSPZLJMO4L4YZ6W4B2CYAV2522MZ7/ Reopening

FEDORA-2019-d3b55c4594 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3b55c4594

FEDORA-2019-b29e09a8d4 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b29e09a8d4

cockpit-208-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b29e09a8d4

cockpit-208-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3b55c4594

Last metadata expiration check: 0:00:20 ago on Sun 01 Dec 2019 07:00:12 AEDT
Attempted sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-b29e09a8d4
output:
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: cockpit-bridge-208-1.fc31.x86_64 1/1
Upgrading : cockpit-bridge-208-1.fc31.x86_64 1/23
Upgrading : cockpit-dashboard-208-1.fc31.noarch 2/23
Upgrading : cockpit-packagekit-208-1.fc31.noarch 3/23
Running scriptlet: cockpit-ws-208-1.fc31.x86_64 4/23
Upgrading : cockpit-ws-208-1.fc31.x86_64 4/23
Running scriptlet: cockpit-ws-208-1.fc31.x86_64 4/23
Applying SELinux policy change for cockpit-wsinstance-factory...
Traceback (most recent call last):
File "/sbin/semanage", line 970, in <module>
do_parser()
File "/sbin/semanage", line 947, in do_parser
commandParser = createCommandParser()
File "/sbin/semanage", line 877, in createCommandParser
import seobject
File "/usr/lib/python3.7/site-packages/seobject.py", line 33, in <module>
import sepolicy
File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 7, in <module>
import setools
File "/usr/lib64/python3.7/site-packages/setools/__init__.py", line 79, in <module>
from .diff import PolicyDifference
File "/usr/lib64/python3.7/site-packages/setools/diff/__init__.py", line 20, in <module>
from .bounds import BoundsDifference
File "/usr/lib64/python3.7/site-packages/setools/diff/bounds.py", line 25, in <module>
from .types import type_wrapper_factory
File "/usr/lib64/python3.7/site-packages/setools/diff/types.py", line 26, in <module>
from ..policyrep import Type
ImportError: cannot import name 'Type' from 'setools.policyrep' (/usr/lib64/python3.7/site-packages/setools/policyrep/__init__.py)
cockpit still failing:
Dec 01 07:05:15 c21home audit[1105]: AVC avc: denied { connectto } for pid=1105 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontex>
Dec 01 07:05:15 c21home cockpit-tls[1105]: cockpit-tls: connect(/run/cockpit/wsinstance/https-factory.sock) failed: Permission denied
Dec 01 07:05:19 c21home audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.6-org.fedoraproject.Setroubleshootd@0 comm="systemd" exe="/u>
Dec 01 07:05:20 c21home python3[1117]: detected unhandled Python exception in '/usr/sbin/setroubleshootd'
Dec 01 07:05:20 c21home setroubleshootd[1117]: Traceback (most recent call last):
Dec 01 07:05:20 c21home setroubleshootd[1117]: File "/usr/sbin/setroubleshootd", line 35, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]: from setroubleshoot.util import log_debug
Dec 01 07:05:20 c21home setroubleshootd[1117]: File "/usr/lib/python3.7/site-packages/setroubleshoot/util.py", line 357, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]: from sepolicy import get_all_file_types
Dec 01 07:05:20 c21home setroubleshootd[1117]: File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 7, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]: import setools
Dec 01 07:05:20 c21home setroubleshootd[1117]: File "/usr/lib64/python3.7/site-packages/setools/__init__.py", line 79, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]: from .diff import PolicyDifference
Dec 01 07:05:20 c21home setroubleshootd[1117]: File "/usr/lib64/python3.7/site-packages/setools/diff/__init__.py", line 20, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]: from .bounds import BoundsDifference
Dec 01 07:05:20 c21home setroubleshootd[1117]: File "/usr/lib64/python3.7/site-packages/setools/diff/bounds.py", line 25, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]: from .types import type_wrapper_factory
Dec 01 07:05:20 c21home setroubleshootd[1117]: File "/usr/lib64/python3.7/site-packages/setools/diff/types.py", line 26, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]: from ..policyrep import Type
Dec 01 07:05:20 c21home setroubleshootd[1117]: ImportError: cannot import name 'Type' from 'setools.policyrep' (/usr/lib64/python3.7/site-packages/setools/policyrep/__init__.py)
Dec 01 07:05:20 c21home systemd[1]: dbus-:1.6-org.fedoraproject.Setroubleshootd: Succeeded.
-- The unit cockpit-wsinstance-http.socket has successfully entered the 'dead' state.
Dec 01 07:06:45 c21home systemd[1]: Closed Socket for Cockpit Web Service http instance.
-- Subject: A stop job for unit cockpit-wsinstance-http.socket has finished
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- A stop job for unit cockpit-wsinstance-http.socket has finished.

@Craigsilva: that setroubleshoot crash is tracked in bug 1761143. At this point I just have to give up, I'm afraid -- the real solution is to land an updated selinux-policy that applies the cockpit adjustments properly, instead of our %post hack. That should hopefully happen soon.

cockpit-208-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

cockpit-208-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:

Nov 26 18:58:10 cafe1 cockpit-tls[989]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Nov 26 18:58:10 cafe1 audit[989]: AVC avc: denied { connectto } for pid=989 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Nov 26 18:58:10 cafe1 cockpit-tls[989]: cockpit-tls: connect(/run/cockpit/wsinstance/https-factory.sock) failed: Permission denied

Version-Release number of selected component (if applicable):
cockpit-207-1.fc31

Steps to reproduce:
Have cockpit-ws installed and enabled without having semanage (policycoreutils-python-utils)

Fixed by installing explicitly policycoreutils-python-utils and reinstalling cockpit-ws
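
The AVC denial reported in this bug can be picked out of a journal mechanically. The following is an added example, not part of the original report or of Cockpit's code; the function names are hypothetical, and the sample lines are copied from the log excerpts quoted on this page, including the one that was posted cut off at `tcontex>`.

```python
import re

# Sample input copied from the journal lines quoted on this page; the second
# AVC line is cut off at "tcontex>" exactly as it was posted.
SAMPLE_JOURNAL = """\
Nov 26 18:58:10 cafe1 cockpit-tls[989]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Nov 26 18:58:10 cafe1 audit[989]: AVC avc: denied { connectto } for pid=989 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Dec 01 07:05:15 c21home audit[1105]: AVC avc: denied { connectto } for pid=1105 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontex>
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(key, "").split(":")
        rec[out] = parts[2] if len(parts) >= 3 else None
    return rec


def factory_socket_denials(journal_text):
    """Denials where cockpit_ws_t could not connectto a wsinstance socket."""
    hits = []
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["stype"] != "cockpit_ws_t" or "connectto" not in rec["perms"]:
            continue
        if not rec.get("path", "").startswith("/run/cockpit/wsinstance/"):
            continue
        # A line cut short by the pager loses tcontext/tclass: keep it, but flag it.
        rec["truncated"] = "tcontext" not in rec or "tclass" not in rec
        if rec.get("tclass", "unix_stream_socket") == "unix_stream_socket":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in factory_socket_denials(SAMPLE_JOURNAL):
        print(f"{rec['comm']} pid={rec['pid']} -> {rec['path']}: "
              f"target type={rec['ttype']} truncated={rec['truncated']}")
```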