Bug 2111251

Summary: rpm-plugin-fapolicyd breaks system upgrade, leaving yum in hung state
Product: Red Hat Enterprise Linux 9
Reporter: Dalibor Pospíšil <dapospis>
Component: rpm
Assignee: Michal Domonkos <mdomonko>
Status: CLOSED ERRATA
QA Contact: swm-qe
Severity: high
Docs Contact: Mariya Pershina <mpershin>
Priority: urgent
Version: 9.0
CC: casantos, dapospis, kanderso, kwalker, lmiksik, lvrabec, mbanas, mdomonko, mpershin, rsroka
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rpm-4.16.1.3-18.el9_1
Doc Type: Bug Fix
Doc Text:
.RPM no longer hangs during a transaction involving the `fapolicyd` service restart
Previously, if you tried to update a package that caused the `fapolicyd` service to be restarted, for example, `systemd`, the RPM transaction stopped responding because the `fapolicyd` plug-in failed to communicate with the `fapolicyd` daemon. With this update, the `fapolicyd` plug-in now correctly communicates with the `fapolicyd` daemon. As a result, RPM no longer hangs during a transaction which involves the `fapolicyd` service restart.
Story Points: ---
Clone Of: 2110787
: 2124603 2136770
Environment:
Last Closed: 2023-05-09 08:23:27 UTC
Type: Bug
Bug Blocks: 2124603, 2136770    

Description Dalibor Pospíšil 2022-07-26 20:22:17 UTC
+++ This bug was initially created as a clone of Bug #2110787 +++

Description of problem:

Upgrading fapolicyd along with other packages (e.g. system) leaves yum in a
hung state, writing to a fifo on which no other process reads.

Version-Release number of selected component (if applicable):

fapolicyd-1.1-103.el9_0
rpm-plugin-fapolicyd-4.16.1.3-12.el9_0

How reproducible:

Always

Steps to Reproduce:

1. Install RHEL 8.4 (server with GUI). Register the system and attach the
   required entitlement.

2. Lock the release version

   # subscription-manager release --set=8.4

2. Enable fapolicyd

   # systemctl enable --now fapolicyd

3. Update the packages but leave systemd one step behind (for step 5)

   # yum upgrade -y -x fapolicyd\* -x systemd\*
   # yum upgrade -y systemd-239-45.el8_4.10
   # yum upgrade -y fapolicyd-1.0.2-6.el8_4.1
   # systemctl reboot

4. Download the attached test rpms. These are scratch builds of fapolicyd with
   this change to force an upgrade:

   diff --git a/fapolicyd.spec b/fapolicyd.spec
   index e7d2c5c..03334a0 100644
   --- a/fapolicyd.spec
   +++ b/fapolicyd.spec
   @@ -6,7 +6,7 @@
    Summary: Application Whitelisting Daemon
    Name: fapolicyd
    Version: 1.0.2
   -Release: 6%{?dist}.2_case03267178
   +Release: 6%{?dist}.1
    License: GPLv3+
    URL: http://people.redhat.com/sgrubb/fapolicyd
    Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
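
   Review bot: The Release: change here runs in the opposite direction to the steps around it. The "-" line carries "6%{?dist}.2_case03267178" and the "+" line "6%{?dist}.1", while step 3 installs fapolicyd-1.0.2-6.el8_4.1 and step 5 upgrades to the 6.el8_4.2_case03267178 scratch build. A diff that shows what the scratch build changes should have the ".1" release on the "-" side; regenerating it with the two trees swapped would make it match "this change to force an upgrade".
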
   @@ -57,13 +57,6 @@ to decide file access rights. Applications that are known via a reputation
    source are allowed access while unknown applications are not. The daemon
    makes use of the kernel's fanotify interface to determine file access rights.
    
   -This RPM has been provided by Red Hat for testing purposes only and is
   -NOT supported for any other use. This RPM may contain changes that are
   -necessary for debugging but that are not appropriate for other uses,
   -or that are not compatible with third-party hardware or software. This
   -RPM should NOT be deployed for purposes other than testing and
   -debugging.
   -
    %package        selinux
    Summary:        Fapolicyd selinux
    Group:          Applications/System
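
   Review bot: The "-" lines at the end of %description drop the "testing purposes only ... NOT supported" notice, which is the text a scratch build attached to a bug should carry, not lose. Since the Release: line in the first hunk also goes from .2_case03267178 to .1, the diff looks like it was taken from the scratch spec to the released spec; with the direction swapped the notice would show up as an addition, which is what a reader applying this to build the test rpms needs.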

5. Upgrade systemd and fapolicyd in a single yum execution

   # yum upgrade systemd-239-45.el8_4.11 \
   ./fapolicyd-1.0.2-6.el8_4.2_case03267178.x86_64.rpm \
   ./fapolicyd-selinux-1.0.2-6.el8_4.2_case03267178.noarch.rpm

Actual results:

Yum gets hung.

Expected results:

Successful upgrade.

Additional info:

Yum gets hung writing on the fifo used by the fapolicyd rpm plugin to communicate with fapolicyd, as
can be seen using strace:

# pid=$(pidof -x yum)
# strace -fttTvyy -s 4096 -p $pid
strace: Process 6074 attached
18:01:56.359949 write(24</run/fapolicyd/fapolicyd.fifo (deleted)>, "/usr/lib/systemd/system/remote-cryptsetup.target 549 86d9439857b2d5e306805a4a9d83e35cf9cde9e31c5305557c321c3254cc8909\n", 118

# lsof -p $pid | fgrep /run/fapolicyd/fapolicyd.fifo
yum     6074 root   24u  FIFO               0,24       0t0    25332 /run/fapolicyd/fapolicyd.fifo (deleted)

The FIFO is deleted because fapolicyd has been restarted. The new fapolicyd daemon uses a different
fifo:

# ls -l /run/fapolicyd/fapolicyd.fifo
prw-rw----. 1 root fapolicyd 0 Jul 25 17:59 /run/fapolicyd/fapolicyd.fifo

# lsof -p $(pidof fapolicyd) | fgrep /run/fapolicyd/fapolicyd.fifo
fapolicyd 6120 fapolicyd    3u     FIFO               0,24      0t0    46280 /run/fapolicyd/fapolicyd.fifo

So the yum process becomes blocked, writing on a FIFO on which no other process reads.

This problem should have been fixed in Bug 1896875 but is still present.
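
The lsof output above shows the two halves of the condition: the writer's descriptor points at a FIFO that has been deleted, while the same path now names a FIFO with a different inode. The following is an added example, not part of the original report and not the rpm plugin's code; `fifo_is_stale`, `demo_restart` and the temporary directory are assumptions made for the illustration. It detects the stale handle by comparing device and inode, and uses a non-blocking descriptor so that the full pipe shows up as EAGAIN where a blocking writer would hang.

```c
#define _XOPEN_SOURCE 700 /* expose mkdtemp() and mkfifo() under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd no longer refers to the file now at path (unlinked or replaced),
 * 0 if it still does, -1 on error. */
int fifo_is_stale(int fd, const char *path)
{
    struct stat held, now;
    if (fstat(fd, &held) != 0) return -1;
    if (stat(path, &now) != 0) return errno == ENOENT ? 1 : -1;
    return held.st_dev != now.st_dev || held.st_ino != now.st_ino;
}

/* Constructed scenario: the writer keeps its descriptor while the FIFO is
 * removed and recreated, as on a daemon restart. state[] gets the check before
 * removal, after removal, after recreation; *queued the bytes accepted. */
int demo_restart(int state[3], long *queued)
{
    char dir[] = "/tmp/fifo-demo-XXXXXX", path[64], line[128] = {0};
    ssize_t n;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/demo.fifo", dir);
    if (mkfifo(path, 0600) != 0) return -1;
    /* Read/write open (lsof marks it "u"), so the writer is its own reader. */
    int fd = open(path, O_RDWR | O_NONBLOCK);
    if (fd < 0) return -1;
    state[0] = fifo_is_stale(fd, path);
    unlink(path);                            /* old FIFO removed */
    state[1] = fifo_is_stale(fd, path);
    if (mkfifo(path, 0600) != 0) return -1;  /* same path, new inode */
    state[2] = fifo_is_stale(fd, path);
    /* Nobody drains the old FIFO: writes queue up until the pipe is full. */
    for (*queued = 0; (n = write(fd, line, sizeof line)) > 0; )
        *queued += n;
    int full = (n < 0 && errno == EAGAIN);
    close(fd); unlink(path); rmdir(dir);
    return full ? 0 : -1;
}

int main(void)
{
    int s[3]; long q;
    if (demo_restart(s, &q) != 0) return 1;
    printf("stale before/removed/recreated: %d/%d/%d, %ld bytes queued\n", s[0], s[1], s[2], q);
}
```

A writer that runs this check before each write can reopen the path when the result is 1, so it no longer fills a pipe that nothing reads.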

Comment 37 errata-xmlrpc 2023-05-09 08:23:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rpm bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2538