Bug 1870493

Summary: /var/log/anaconda/hawkey.log has non-default selinux label on fresh installation.
Product: Red Hat Enterprise Linux 8
Reporter: Marek Havrila <mhavrila>
Component: anaconda
Assignee: Vladimír Slávik <vslavik>
Status: CLOSED ERRATA
QA Contact: Release Test Team <release-test-team-automation>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.3
CC: dmach, jberan, jkonecny, jmracek, jstodola, pkotvan, pzatko, rvykydal, sbueno, vslavik
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: anaconda-33.16.4.3-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 15:47:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1885772
Bug Blocks: 1812825
Attachments (description, flags):
anaconda.log, none
boot.log, none
hawkey.log, none
lvm.log, none
messages, none
packaging.log, none
program.log, none
storage.log, none
sys.log, none
systemd_journal.log, none
zipl.conf, none

Description Marek Havrila 2020-08-20 08:57:10 UTC
Description of problem:
SELinux labels of /usr/share/restraint/plugins/task_run.d/20_unconfined and /var/log/anaconda/hawkey.log have non-default values on a fresh installation of RHEL-8.3

Version-Release number of selected component (if applicable):
RHEL-8.3.0-20200811.0; anaconda-33.16.3.17-1.el8

How reproducible:
always

Steps to Reproduce:
1. Install RHEL-8
2. run restorecon -rvn / -e /sys -e /proc -e /run -e /dev

Actual results:
output of restorecon is: 
Would relabel /var/log/anaconda/hawkey.log from system_u:object_r:rpm_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /usr/share/restraint/plugins/task_run.d/20_unconfined from system_u:object_r:usr_t:s0 to system_u:object_r:unconfined_exec_t:s0

Expected results:
there are no files to relabel on fresh installation

Additional info:
Non-default label of /usr/share/restraint/plugins/task_run.d/20_unconfined was found on all architectures, while /var/log/anaconda/hawkey.log was reported only for x86_64 and s390x

Comment 1 Marek Havrila 2020-08-20 14:29:08 UTC
Note that the file /usr/share/restraint/plugins/task_run.d/20_unconfined is not from a RHEL package and is installed in the %post section from a repository other than BaseOS or AppStream.

Attaching logs from s390x machine (Unfortunately, logs on x86_64 were not saved due to network issue).

Comment 2 Marek Havrila 2020-08-20 14:32:27 UTC
Created attachment 1712024
anaconda.log

Comment 3 Marek Havrila 2020-08-20 14:32:31 UTC
Created attachment 1712025
boot.log

Comment 4 Marek Havrila 2020-08-20 14:32:41 UTC
Created attachment 1712027
hawkey.log

Comment 5 Marek Havrila 2020-08-20 14:32:59 UTC
Created attachment 1712028
lvm.log

Comment 6 Marek Havrila 2020-08-20 14:33:08 UTC
Created attachment 1712029
messages

Comment 7 Marek Havrila 2020-08-20 14:33:15 UTC
Created attachment 1712030
packaging.log

Comment 8 Marek Havrila 2020-08-20 14:33:19 UTC
Created attachment 1712031
program.log

Comment 9 Marek Havrila 2020-08-20 14:33:27 UTC
Created attachment 1712032
storage.log

Comment 10 Marek Havrila 2020-08-20 14:33:37 UTC
Created attachment 1712033
sys.log

Comment 11 Marek Havrila 2020-08-20 14:33:42 UTC
Created attachment 1712034
systemd_journal.log

Comment 12 Marek Havrila 2020-08-20 14:33:45 UTC
Created attachment 1712035
zipl.conf

Comment 13 Petr Zatko 2020-09-11 09:49:31 UTC
Update from RHEL-8.3.0-20200909.1:
/var/log/anaconda/hawkey.log doesn't seem to be an issue any more, actual restorecon output:

Would relabel /usr/share/restraint/plugins/task_run.d/20_unconfined from system_u:object_r:usr_t:s0 to system_u:object_r:unconfined_exec_t:s0

Comment 15 Jan Stodola 2020-09-16 21:26:51 UTC
OK, let's use this bug to track the problem with /var/log/anaconda/hawkey.log (which is not reproducible on the latest compose).
The problem with /usr/share/restraint/plugins/task_run.d/20_unconfined has been reported as bug 1879749 against restraint.

Comment 16 Vladimír Slávik 2020-09-17 10:09:45 UTC
On the Anaconda side, we handle the logs and contexts in post-scripts: first 80-setfilecons.ks runs to set the contexts, and then 90-copy-screenshots.ks and 99-copy-logs.ks run. That means the screenshots and logs do *not* get relabeled. Still, that seems to work well enough. However, we handle all the logs identically, while you observed problems only with the hawkey file. That means the problem is some change outside anaconda. Hawkey is used by dnf, so perhaps they would know? CCing.

Comment 20 Jan Stodola 2020-10-06 23:27:12 UTC
hawkey.log is copied to /mnt/sysimage/var/log/anaconda/ with an incorrect SELinux label even on the other architectures, but the file is relabeled a bit later by 80-setfilecons.ks (described below):

See how the label is changed at the end of the installation, right before reboot:

[anaconda]# while true; do date; ls -lZ /tmp/hawkey.log /mnt/sysimage/var/log/anaconda/hawkey.log; sleep 0.1; done
...
Tue Oct  6 18:41:50 UTC 2020
-rw-------. 1 root root system_u:object_r:rpm_log_t:s0 102 Oct  6 18:41 /mnt/sysimage/var/log/anaconda/hawkey.log
-rw-r--r--. 1 root root system_u:object_r:tmp_t:s0     102 Oct  6 18:39 /tmp/hawkey.log
Tue Oct  6 18:41:50 UTC 2020
-rw-------. 1 root root system_u:object_r:var_log_t:s0 102 Oct  6 18:41 /mnt/sysimage/var/log/anaconda/hawkey.log
-rw-r--r--. 1 root root system_u:object_r:tmp_t:s0     102 Oct  6 18:39 /tmp/hawkey.log
...

I do not know why rpm_log_t is used on hawkey.log, hopefully it will be explained/fixed in a new bug 1885772 reported against selinux-policy.



But debugging this bug clarified why the test fails sometimes on some architectures and not on the others - glob.glob() [1] doesn't return an alphabetically sorted list of post-scripts [2], so the scripts are not executed in the intended order:

[1] https://github.com/rhinstaller/anaconda/blob/master/pyanaconda/kickstart.py#L540
[2] https://github.com/rhinstaller/anaconda/tree/master/data/post-scripts

See an example on x86_64, executed in the installation environment:

Python 3.6.8 (default, Aug 18 2020, 08:33:21)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import glob
>>> glob.glob("/usr/share/anaconda/post-scripts/*ks")
['/usr/share/anaconda/post-scripts/90-copy-screenshots.ks', '/usr/share/anaconda/post-scripts/99-copy-logs.ks', '/usr/share/anaconda/post-scripts/80-setfilecons.ks']

And aarch64:

Python 3.6.8 (default, Aug 18 2020, 08:37:53) 
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import glob
>>> glob.glob("/usr/share/anaconda/post-scripts/*ks")
['/usr/share/anaconda/post-scripts/80-setfilecons.ks', '/usr/share/anaconda/post-scripts/90-copy-screenshots.ks', '/usr/share/anaconda/post-scripts/99-copy-logs.ks']
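
Added example (not part of the bug report and not the code from the anaconda PR): a simplified model of the three post-scripts named above, showing how the two glob.glob() orders from comment 20 leave hawkey.log with different final labels, and how sorting the glob result gives one stable order. The simulate() model and the function names are assumptions made for illustration; the script names and label types are the ones quoted in this bug.

```python
import glob
import os
import tempfile

# Label types taken from the restorecon output quoted in this bug.
COPIED_LABEL = "rpm_log_t"    # label hawkey.log carries right after the copy
DEFAULT_LABEL = "var_log_t"   # label restorecon expects for the file

# The two listing orders reported in comment 20.
X86_64_ORDER = ["90-copy-screenshots.ks", "99-copy-logs.ks", "80-setfilecons.ks"]
AARCH64_ORDER = ["80-setfilecons.ks", "90-copy-screenshots.ks", "99-copy-logs.ks"]


def simulate(order):
    """Assumed model: return hawkey.log's final label for a script order."""
    label = None  # the file is not in the target tree yet
    for script in order:
        name = os.path.basename(script)
        if name == "99-copy-logs.ks":
            label = COPIED_LABEL            # copy creates the file
        elif name == "80-setfilecons.ks" and label is not None:
            label = DEFAULT_LABEL           # relabel only sees existing files
    return label


def ordered_post_scripts(directory):
    """glob.glob() returns entries in directory order; sort for a fixed order."""
    return sorted(glob.glob(os.path.join(directory, "*ks")))


def demo_sorted_listing():
    """Create the three script names in a scratch dir and list them sorted."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("99-copy-logs.ks", "80-setfilecons.ks",
                     "90-copy-screenshots.ks"):
            open(os.path.join(d, name), "w").close()
        return [os.path.basename(p) for p in ordered_post_scripts(d)]


if __name__ == "__main__":
    print("x86_64 order  ->", simulate(X86_64_ORDER))
    print("aarch64 order ->", simulate(AARCH64_ORDER))
    print("sorted listing:", demo_sorted_listing())
```

With a sorted list every installation runs the scripts in the same order, so a `restorecon -rvn` check after install gives the same answer on every architecture instead of depending on directory layout.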

Comment 21 Jan Stodola 2020-10-06 23:27:47 UTC
PR: https://github.com/rhinstaller/anaconda/pull/2902

Comment 22 Vladimír Slávik 2020-10-19 10:49:12 UTC
Taking the bug so that somebody owns it.

Meanwhile, a port of the PR to master has been merged.

Comment 23 Vladimír Slávik 2020-11-24 16:43:56 UTC
PR merged.

Comment 29 errata-xmlrpc 2021-05-18 15:47:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (anaconda bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1844