Bug 2070729

Summary: | SELinux is preventing dnf from using the 'mac_admin' capabilities. | |
---|---|---|---
Product: | Fedora | Reporter: | lray+redhatbugzilla
Component: | snapd | Assignee: | Zygmunt Krynicki <me>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 36 | CC: | amessina, dwalsh, go-sig, grepl.miroslav, lvrabec, maciek.borzecki, me, mmalik, ngompa13, omosnace, pkoncity, vmojzis, zpytela
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Unspecified | |
Whiteboard: | abrt_hash:af406c01e613a5ffcdad7f813a3e80916b688c0f6ccdf30f87cf7254b223b8a8;VARIANT_ID=workstation; | |
Fixed In Version: | snapd-2.55.3-2.fc35 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2022-04-26 07:30:17 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 2056303 | |
Description
lray+redhatbugzilla
2022-03-31 19:14:22 UTC
Seems the container and flatpak selinux modules are not properly installed and the types they provide are not active. Please show:

    # rpm -qa "*-selinux"
    # semodule -lfull | grep -v ^100

Hi, please find the information below:

    > rpm -qa "*-selinux"
    rpm-plugin-selinux-4.17.0-10.fc36.x86_64
    snapd-selinux-2.54.4-1.fc36.noarch
    tpm2-abrmd-selinux-2.3.1-5.fc36.noarch
    container-selinux-2.181.0-1.fc36.noarch
    flatpak-selinux-1.12.7-1.fc36.noarch

    > sudo semodule -lfull | grep -v ^100
    300 my-chronyd pp
    300 my-restorecon pp
    300 my-runc pp
    200 container pp
    200 flatpak pp
    200 snappy pp
    200 swtpm pp
    200 swtpm_svirt pp
    200 tabrmd pp

This is related to the file context problem.

    dnf reinstall container-selinux

And see if it blows up.

Hi Daniel,
yes, when reinstalling it, the same selinux alert is thrown

    > sudo dnf reinstall container-selinux
    Last metadata expiration check: 1:30:58 ago on Mon 04 Apr 2022 17:42:32 CEST.
    Dependencies resolved.
    ================================================================================
     Package              Arch     Version              Repository         Size
    ================================================================================
    Reinstalling:
     container-selinux    noarch   2:2.181.0-1.fc36     updates-testing    49 k

    Transaction Summary
    ================================================================================

    Total download size: 49 k
    Installed size: 54 k
    Is this ok [y/N]: y
    Downloading Packages:
    container-selinux-2.181.0-1.fc36.noarch.rpm              56 kB/s |  49 kB  00:00
    --------------------------------------------------------------------------------
    Total                                                    24 kB/s |  49 kB  00:02
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                        1/1
      Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch              1/2
      Reinstalling     : container-selinux-2:2.181.0-1.fc36.noarch              1/2
      Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch              1/2
    Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/snappy/cil:305
    Failed to resolve AST
    /usr/sbin/semodule:  Failed!
    /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:container_var_lib_t:s0

      Cleanup          : container-selinux-2:2.181.0-1.fc36.noarch              2/2
      Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch              2/2
      Verifying        : container-selinux-2:2.181.0-1.fc36.noarch              1/2
      Verifying        : container-selinux-2:2.181.0-1.fc36.noarch              2/2

    Reinstalled:
      container-selinux-2:2.181.0-1.fc36.noarch

    Complete!
Could you remove snappy and container-selinux and then reinstall container-selinux and see if it works? Then you should be able to re-add snappy.

It still throws the error messages during the install

      Running scriptlet: selinux-policy-36.5-1.fc36.noarch                      2/8
    Failed to resolve typealiasactual statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:6
    Failed to resolve AST
    /usr/sbin/semodule:  Failed!
      Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch             3/8
      Installing       : selinux-policy-targeted-36.5-1.fc36.noarch             3/8
      Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch             3/8
    Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
    Failed to resolve AST
    /usr/sbin/semodule:  Failed!
      Installing       : flatpak-selinux-1.12.7-1.fc36.noarch                   4/8
      Running scriptlet: flatpak-selinux-1.12.7-1.fc36.noarch                   4/8
    Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
    Failed to resolve AST
    /usr/sbin/semodule:  Failed!
      Running scriptlet: flatpak-1.12.7-1.fc36.x86_64                           5/8
      Upgrading        : flatpak-1.12.7-1.fc36.x86_64                           5/8
      Running scriptlet: flatpak-1.12.7-1.fc36.x86_64                           5/8
      Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch              6/8
      Installing       : container-selinux-2:2.181.0-1.fc36.noarch              6/8
      Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch              6/8
    Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
    Failed to resolve AST
    Failed to commit changes to booleans: Success
    Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/snappy/cil:305
    Failed to resolve AST
    /usr/sbin/semodule:  Failed!
      Running scriptlet: tpm2-abrmd-selinux-2.3.1-5.fc36.noarch                 7/8
      Installing       : tpm2-abrmd-selinux-2.3.1-5.fc36.noarch                 7/8
      Running scriptlet: tpm2-abrmd-selinux-2.3.1-5.fc36.noarch                 7/8
    Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
    Failed to resolve AST
    /usr/sbin/semodule:  Failed!
      Running scriptlet: flatpak-1.12.7-1.fc35.x86_64                           8/8
      Cleanup          : flatpak-1.12.7-1.fc35.x86_64

However, the selinux alert for mac_admin is not thrown again. :+1:

    semodule -r container snappy flatpak

And then try.

    > sudo semodule -r container snappy flatpak                        1 ↵  17:10:48
    libsemanage.semanage_direct_remove_key: Unable to remove module container at priority 400. (No such file or directory).
    libsemanage.semanage_direct_remove_key: Unable to remove module snappy at priority 400. (No such file or directory).
    libsemanage.semanage_direct_remove_key: Unable to remove module flatpak at priority 400. (No such file or directory).
    semodule:  Failed!

Daniel,
thanks for your support. Will stop investigating here - looks like this is not a common issue but one specific to me. Given that, no worries investing too much time into it IMO.
Have a good time and cheers,
Lennart
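The removal above failed for a reason visible in the thread itself: `semodule -lfull` lists container, snappy and flatpak at priority 200, while `semodule -r` without `-X` operates on the default priority 400, so there is nothing to remove there. The script below is an added example (not from the bug thread, snapd or the Fedora packages) that reads the priority from the `semodule -lfull` listing and emits a removal command at that priority; the listing is a constructed copy of the one posted above, and the `DRY_RUN` variable and function names are this example's own.

```shell
#!/bin/sh
# Added example: remove SELinux policy modules at the priority they are
# actually installed at. "semodule -r NAME" defaults to priority 400; the
# modules in this thread live at priority 200, hence
# "Unable to remove module container at priority 400".

# Print the priority of module $1 from "semodule -lfull" output on stdin
# (format: "<priority> <name> <format>"); prints nothing if not installed.
module_priority() {
    awk -v name="$1" '$2 == name { print $1; exit }'
}

# Emit one "semodule -X <prio> -r <name>" line per module, using the
# priority found in the listing passed as $1. Missing modules produce a
# commented line instead of a failing command.
removal_commands() {
    listing=$1; shift
    for name in "$@"; do
        prio=$(printf '%s\n' "$listing" | module_priority "$name")
        if [ -z "$prio" ]; then
            printf '# %s: not installed, skipping\n' "$name"
        else
            printf 'semodule -X %s -r %s\n' "$prio" "$name"
        fi
    done
}

# Constructed listing mirroring the one posted in the thread.
SAMPLE_LISTING='300 my-chronyd pp
300 my-restorecon pp
300 my-runc pp
200 container pp
200 flatpak pp
200 snappy pp
200 swtpm pp
200 swtpm_svirt pp
200 tabrmd pp'

if [ "${DRY_RUN:-1}" = 1 ]; then
    # Default: only show what would be run against the sample listing.
    removal_commands "$SAMPLE_LISTING" container snappy flatpak
else
    # On a real host (DRY_RUN=0, as root): remove the stale modules so the
    # policy store can be rebuilt, then bring in the rebuilt packages.
    # Reinstalling the *same* old packages would re-add modules that still
    # reference the removed classes, so upgrade instead.
    removal_commands "$(semodule -lfull)" container snappy flatpak | sh -x
    dnf upgrade --refresh snapd-selinux container-selinux flatpak-selinux
fi
```

Run it as-is to see the commands it would issue; `DRY_RUN=0 sh script.sh` executes them. The same priority rule applies to `semodule -d`/`-e` (disable/enable), which is why `-lfull` rather than plain `-l` is the listing to check first.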
Hi snapd folks,

Every custom selinux module using directly or indirectly socket_class_set needs to be rebuilt with
selinux-policy-35.17-1.fc35 https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f
selinux-policy-34.27-1.fc34 https://bodhi.fedoraproject.org/updates/FEDORA-2022-eaef082697
to ensure these classes are not in use:
- bridge_socket
- ib_socket
- mpls_socket

Please do so before F36 GA.

FEDORA-2022-c5bee6b70f has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f

FEDORA-2022-c5bee6b70f has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-c5bee6b70f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-c5bee6b70f has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
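The root cause stated in the comment to the snapd maintainers ties the thread together: a module built against the older base policy has socket_class_set expanded into its rules, so it still names bridge_socket, ib_socket and mpls_socket; once the base policy drops those classes, every such rule fails with "Failed to resolve allow statement at .../modules/200/snappy/cil:305", the store cannot be rebuilt, and file_contexts ends up with types the loaded policy does not know (the "invalid context ... container_var_lib_t" line). Writing an undefined context to a file is exactly what the kernel gates behind mac_admin, which is the denial in the bug summary. The script below is an added example (not from the thread, snapd or the selinux-policy package) that scans a module's CIL for the three removed classes and prints the offending lines, so the line number in the semodule error can be matched to a statement; `scan_installed_module` uses the real `semodule -X <prio> -c -E <name>` to extract CIL from the store, while the sample CIL and all function names are this example's own constructions.

```shell
#!/bin/sh
# Added example: find the CIL statements in a module that reference the
# socket classes removed from socket_class_set. Such statements cannot be
# resolved against the new base policy, and semodule refuses to rebuild
# the whole store while any installed module contains one.

REMOVED_CLASSES='bridge_socket|ib_socket|mpls_socket'

# Print "line:statement" for each line of CIL file $1 naming a removed
# class. Exit status is grep's: 0 if anything matched, 1 if clean.
find_removed_class_refs() {
    grep -nwE "$REMOVED_CLASSES" "$1"
}

# Same check, but only the offending line numbers, space separated.
removed_class_lines() {
    grep -nwE "$REMOVED_CLASSES" "$1" | cut -d: -f1 | xargs
}

# Print the statement at line $2 of CIL file $1, i.e. what an error such
# as "cil:305" points at.
cil_statement_at() {
    sed -n "${2}p" "$1"
}

# On a real host: extract installed module $1 (at priority $2, default 200
# as for the snappy/container/flatpak modules in this thread) from the
# policy store as CIL into ./$1.cil, then scan it. Needs semodule.
scan_installed_module() {
    name=$1; prio=${2:-200}
    command -v semodule >/dev/null 2>&1 || { echo "semodule not available" >&2; return 2; }
    semodule -X "$prio" -c -E "$name" || return 2
    find_removed_class_refs "./$name.cil"
}

# Constructed sample CIL (not a real snapd module): lines 3 and 5 use
# removed classes; line 3 is the shape of statement "cil:305" flags.
SAMPLE_CIL='(typeattributeset cil_gen_require snappy_t)
(allow snappy_t self (unix_stream_socket (create connect)))
(allow snappy_t self (bridge_socket (create bind)))
(allow snappy_t self (tcp_socket (create connect)))
(allow snappy_t self (ib_socket (create)))'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CIL" > "$SAMPLE_FILE"

if [ -n "${1:-}" ]; then
    # Usage: script.sh <module> [priority]  -> scan a module from the store
    scan_installed_module "$1" "${2:-200}"
else
    echo "Offending lines in sample: $(removed_class_lines "$SAMPLE_FILE")"
    find_removed_class_refs "$SAMPLE_FILE"
fi
```

A module that matches cannot be patched in place: as the comment says, it has to be rebuilt from source against a base policy that already lacks these classes (which is what the snapd-2.55.3-2 package in "Fixed In Version" does), and until then removing it at its real priority is the only way to get the store to rebuild.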