Bug 1984740

Summary: Use of inst.selinux=0 fails to set root password
Product: Red Hat Enterprise Linux 8 Reporter: Parikshit Khedekar <pkhedeka>
Component: shadow-utilsAssignee: Iker Pedrosa <ipedrosa>
Status: CLOSED ERRATA QA Contact: Anuj Borah <aborah>
Severity: medium Docs Contact:
Priority: high    
Version: 8.4CC: aboscatt, derli, dwalsh, ipedrosa, jkonecny, jstodola, lopresti, lvrabec, mmalik, paygupta, pbrezina, plautrba, tscherf, vmojzis
Target Milestone: betaKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: shadow-utils-4.6-18.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-14 15:49:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Parikshit Khedekar 2021-07-22 05:49:15 UTC 
Description of problem:
When we use "inst.selinux=0" to install any 8.X it fails with the traceback as,

------------

...
Configuring installed system
...............
An unknown error has occured, look at the /tmp/anaconda-tb* file(s) for more details


    sync_run_task(self._task_proxy)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 490, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 403, in run_installation
    queue.start()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)
dasbus.error.DBusError: Unable to set password for new user: status=-6
------------

Checking it deep I see the command fails as,

[anaconda root@localhost ~]# chpasswd -R /mnt/sysimage/ -e
chpasswd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted (core dumped)
[anaconda root@localhost ~]# 

Gathered the dumps as well, but not able to make solid conclusion from it as
I'm not that expert to selinux yet but I fee the patch
shadow-4.3.1-selinux-perms.patch introduces the changes in RHEL 8 whereas it
works fine on RHEL7


Version-Release number of selected component (if applicable):

RHEL 8.X


How reproducible:

Use inst.selinux=0 to boot line as,

BOOT_IMAGE=images/8.1/vmlinuz initrd=images/8.1/initrd.img inst.stage2=hd:LABEL=RHEL-8-1-0-BaseOS-x86_64  inst.ks=ftp://192.168.122.1/pub/rhel8.4.ks inst.selinux=0

Actual results:

Fails to set a root password and results to traceback

Expected results:

Installation shall work fine.

Additional info:

The current workaround is to set the selinux=0 as well, I don't see
inst.selinux=0 turning off selinux as it still marks it permissive.

There were confusion in RH doc and Upstream doc so based on theory I
have asked for a change to upstream doc as,

https://github.com/rhinstaller/anaconda/pull/3530

I'm not sure if this needs shadow-utils as well, but as this is install
time I'm marking it to anaconda
Comment 11 Jiri Konecny 2022-09-21 10:25:05 UTC 
I was looking into this and attaching log.

The interesting part:

10:07:49,944 NOTICE kernel:audit: type=1107 audit(1663754869.943:1525): pid=53923 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  could not determine enforcing mode: No such file or directory#012 exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
10:07:49,944 NOTICE kernel:audit: type=1701 audit(1663754869.943:1526): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:kernel_t:s0 pid=53923 comm="chpasswd" exe="/usr/sbin/chpasswd" sig=6 res=1
10:07:49,983 INFO systemd:Created slice system-systemd\x2dcoredump.slice.
10:07:49,986 INFO systemd:Started Process Core Dump (PID 53924/UID 0).
10:07:49,987 NOTICE kernel:audit: type=1130 audit(1663754869.985:1527): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-coredump@0-53924-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
10:07:50,169 INFO systemd-coredump:Resource limits disable core dumping for process 53923 (chpasswd).
10:07:50,176 CRIT systemd-coredump:Process 53923 (chpasswd) of user 0 dumped core.

Seems like the chpasswd call will crash which could be potential SELinux issue even though the SELinux should be set to permissive. Based on the first line it seems that it has an issue to determine the enforcing mode.
Comment 13 Jiri Konecny 2022-09-21 10:31:02 UTC 
Based on the above I would like to know SELinux team opinion on why avc can't determine enforcing mode and if that could be the root cause of the crash.

Could this be an issue that chpasswd is started with chroot -R option for chroot where the SELinux is not completely set. However, installation environment is set to Permissive.

chpasswd call:
chpasswd -R /mnt/sysroot -e 


$ getenforce
Permissive


Switching to SELinux team for further investigation.
Comment 14 Petr Lautrbach 2022-09-30 09:33:51 UTC 
It looks like a problem similar to https://bugzilla.redhat.com/show_bug.cgi?id=1993081 which seems to be  already fixed in shadow-utils rhel9.

The problem with `chpasswd -R ...` is that libselinux is initialized before `chroot()` as enabled. But when the process `chroot()`s there's no /sys/fs/selinux in the chroot and libselinux is confused. IIRC the solution was to call `selabel_close()` in order to reset libselinux state, or something.

CC @ipedrosa
Comment 15 Iker Pedrosa 2022-09-30 11:33:53 UTC 
The (In reply to Petr Lautrbach from comment #14)
> It looks like a problem similar to
> https://bugzilla.redhat.com/show_bug.cgi?id=1993081 which seems to be 
> already fixed in shadow-utils rhel9.

The selinux labeling code in shadow-utils changed before RHEL9 and that's why the regression happened. You can take a look at the code before:
https://github.com/shadow-maint/shadow/blob/e6416fd81bff205f9daac3da02cb3392d3d75e58/lib/selinux.c#L54

And after those changes:
https://github.com/shadow-maint/shadow/blob/master/lib/selinux.c#L47

I don't think those changes are affecting RHEL8 because I didn't port them.

> The problem with `chpasswd -R ...` is that libselinux is initialized before
> `chroot()` as enabled. But when the process `chroot()`s there's no
> /sys/fs/selinux in the chroot and libselinux is confused. IIRC the solution
> was to call `selabel_close()` in order to reset libselinux state, or
> something.
> 
> CC @ipedrosa

I don't see any question and I'm not an expert in selinux. So, how can I help you?
Comment 16 Petr Lautrbach 2022-09-30 13:23:36 UTC 
It wasn't a question. I used a wrong CC technology to let you know about this issue releated to chpasswd.


Setup:

# dnf --instalroot=/tmp/root group install 'Minimal Install'
# mount -t proc proc /tmp/root/proc
# setenforce 0

RHEL8 version:

[root@rhel8 ~]# echo 'root:e' | chpasswd -R /tmp/root
chpasswd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted (core dumped)

RHEL9 version:

[root@rhel9 ~]# echo 'root:e' | chpasswd -R /tmp/root
[root@rhel9 ~]#
Comment 25 errata-xmlrpc 2023-11-14 15:49:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: shadow-utils security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7112