Bug 564272

Summary: Disabling selinux makes chcon fail
Product: Fedora
Reporter: Christian Lupien <christian.lupien>
Component: dracut
Assignee: Harald Hoyer <harald>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, harald, jonathan, mgrepl, sdsmall
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: dracut-005-2.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 567795
Environment:
Last Closed: 2010-05-11 19:46:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 567795

Attachments:
- Attachment 390494: This patch fixes the problem I believe. (flags: none)
- Attachment 394232: This fixes the bugs in the previous patch (flags: none)

Description Christian Lupien 2010-02-12 07:50:08 UTC
Description of problem:

After disabling selinux using the GUI, attempts at changing the selinux extended attributes of files fail. This affects the selinux tools like chcon as well as general tools like setfattr. I discovered the problem using rsync (from within rsnapshot). It would produce a huge number of errors like:
rsync: rsync_xal_set: lsetxattr("home/username/.AbiSuite","security.selinux")
failed: Operation not supported (95)


Version-Release number of selected component (if applicable):
selinux-policy-3.6.32-78.fc12.noarch
dracut-004-4.fc12.noarch
### uname -a
Linux  localhost.localdomain 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:
On Fedora 12 it always produces the same results when disabling selinux only with the GUI. It is not a problem if starting the kernel with selinux=0 or with Fedora 11.

Steps to Reproduce:
1-Disable selinux with the GUI. Then /etc/selinux/config contains:
SELINUX=disabled
SELINUXTYPE=targeted

2-Reboot normally. Then "cat /var/log/dmesg|grep SELinux" produces:
SELinux:  Initializing.
SELinux:  Starting in permissive mode
SELinux:  Registering netfilter hooks

3-Type the following, as root:
### touch selinux.test
### ls -Z selinux.test
-rw-r--r-- root root unlabeled                        selinux.test
### getfattr -m - -d selinux.test
### chcon unconfined_u:object_r:user_home_t:s0 selinux.test
chcon: failed to change context of `selinux.test' to `unconfined_u:object_r:user_home_t:s0': Operation not supported
### ls -Z selinux.test
-rw-r--r-- root root unlabeled                        selinux.test
### getfattr -m - -d selinux.test
### setfattr -n security.selinux -v testit selinux.test
setfattr: selinux.test: Operation not supported
### ls -Z selinux.test
-rw-r--r-- root root unlabeled                        selinux.test
### getfattr -m - -d selinux.test
### setfattr -x security.selinux  selinux.test
setfattr: selinux.test: Permission denied
### ls -Z selinux.test
-rw-r--r-- root root unlabeled                        selinux.test
### getfattr -m - -d selinux.test
### rm selinux.test

Actual results:
Note that the selinux extended attribute is unlabeled and it stays unlabeled. It is the same even for old files that were previously assigned a real security context.


Expected results:
Under Fedora 12 booted with the "selinux=0" kernel parameter, or under Fedora 11 booted normally but with selinux disabled as above (using GUI) the commands produce:
### touch selinux.test
### ls -Z selinux.test
-rw-r--r-- root root ?                                selinux.test
### getfattr -m - -d selinux.test
### chcon unconfined_u:object_r:user_home_t:s0 selinux.test
### ls -Z selinux.test
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 selinux.test
### getfattr -m - -d selinux.test
# file: selinux.test
security.selinux="unconfined_u:object_r:user_home_t:s0"

### setfattr -n security.selinux -v testit selinux.test
### ls -Z selinux.test
-rw-r--r--. root root testit                           selinux.test
### getfattr -m - -d selinux.test
# file: selinux.test
security.selinux="testit"

### setfattr -x security.selinux  selinux.test
### ls -Z selinux.test
-rw-r--r-- root root ?                                selinux.test
### getfattr -m - -d selinux.test
### rm selinux.test

Note that for Fedora 12 (with selinux=0), "cat /var/log/dmesg|grep SELinux" produces:
SELinux:  Disabled at boot.
While for Fedora 11, selinux disabled with GUI, "cat /var/log/dmesg|grep SELinux" produces:
SELinux:  Initializing.
SELinux:  Starting in permissive mode
SELinux:  Registering netfilter hooks
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks


Additional info:

I think I found the difference between Fedora 11 and Fedora 12. In F11, during boot, loadpolicy would always be executed in the initrd. In F12, dracut executes the /usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh
script (called as pre-pivot/50selinux-loadpolicy.sh during boot). That script does not execute load_policy when the config file contains SELINUX=disabled.

With that knowledge I tried fixing the above problem in F12 by executing:
load_policy
After that command the errors are gone (the behavior is the same as booting with the selinux=0 kernel option).

Comment 1 Daniel Walsh 2010-02-12 14:21:31 UTC
Seems like a reasonable file.  load_policy will see this disabled flag in /etc/selinux/config and turn off SELinux completely.  Without running load_policy, the kernel is in sort of a half way state waiting for policy to be loaded.

Of course, I don't understand why anyone would want to disable SELinux :^)

Comment 2 Daniel Walsh 2010-02-12 14:22:03 UTC
Created attachment 390494 [details]
THis patch fixes the problem I believe.

Comment 3 Christian Lupien 2010-02-14 23:14:37 UTC
That patch had some bugs (spaces in disabled = ...).
With the bugs fixed it worked fine (see the next patch) and fixed my problem.

However it uncovers a bug in /etc/rc.sysinit which produces the following error during boot:

cat: /proc/self/attr/current: Invalid argument

That is on line 36 where it tries
if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]
but with selinux disabled the /proc/self/attr/current is not there, but /selinux/enforce is still present. In fact the /selinux filesystem seems to be mounted but it is not present in /proc/mounts or /proc/filesystems:
# ls /selinux
booleans  commit_pending_bools  enforce  load  mls  policyvers

So that bug can be fixed by changing the above line 36 to

if [ -e "/selinux/disable ] && [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then


I can add that load_policy -i produces an error message
dracut: /sbin/load_policy: Can't load policy: No such file or directory
but it does disable selinux properly. Looking at the code in libselinux and policycoreutils it seems to produce the error on purpose but the message is meaningless. Maybe that could be fixed, or the selinux-loadpolicy.sh could disable selinux directly with something like (echo 1 > /selinux/disable)
which is what load_policy -i does anyway.

Comment 4 Christian Lupien 2010-02-14 23:15:52 UTC
Created attachment 394232 [details]
This fixes the bugs in the previous patch

Comment 5 Christian Lupien 2010-02-15 00:00:56 UTC
I forgot a quote in the fix to /etc/rc.sysinit. It should be

if [ -e "/selinux/disable" ] && [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then

Comment 6 Harald Hoyer 2010-02-15 11:55:31 UTC
(In reply to comment #5)
> I forgot a quote in the fix to /etc/rc.sysinit. It should be
> 
> if [ -e "/selinux/disable" ] && [ -e "/selinux/enforce" ] && [ "$(cat
> /proc/self/attr/current)" != "kernel" ]; then    

wrong bug?

Comment 7 Daniel Walsh 2010-02-16 15:11:59 UTC
Christian, can you open a second bug on sysinit rather than put it here.

Comment 8 Christian Lupien 2010-02-17 06:46:35 UTC
Ok, I opened bug 566085

Comment 9 Stephen Smalley 2010-02-23 19:29:07 UTC
The selinux=0 case is different from SELINUX=disabled in /etc/selinux/config.
With selinux=0, SELinux is already unhooked from the kernel code paths and you can return immediately as in the current selinux-loadpolicy.sh.
With SELINUX=disabled, you need to take action to unregister SELinux from the kernel, which can either be done by running load_policy -i or you could directly mount selinuxfs and echo 1 > /selinux/disable and then umount /selinux if you wanted to avoid a dependency on load_policy.
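The three cases Stephen Smalley lays out above, written out as an added example: this is not dracut's selinux-loadpolicy.sh and not either patch attached to this bug. The functions take file paths instead of hard-coding /proc/cmdline, /etc/selinux/config and /selinux, so the decision logic can be run against constructed files; selinux_disable_at_runtime is the mount, echo, umount sequence from the comment and needs root on a kernel that is still waiting for a policy. The dmesg classifier uses the messages quoted in the report plus "SELinux:  Completing initialization.", which the kernel prints on the first successful policy load.

```shell
#!/bin/sh
# Added example; not the dracut selinux-loadpolicy.sh from this bug, nor
# either attached patch. Paths are parameters so the logic can be exercised
# on constructed files rather than a real initramfs.

# Decide what the initramfs should do about SELinux before switching root.
#   $1  kernel command line   (normally /proc/cmdline)
#   $2  SELinux config file   (normally $NEWROOT/etc/selinux/config)
# Prints exactly one of:
#   kernel-disabled  selinux=0 was given: SELinux never hooked into the
#                    kernel, so there is nothing to undo
#   config-disabled  SELINUX=disabled: the kernel is still waiting for a
#                    policy and has to be told to unregister itself
#   load-policy      anything else (enforcing/permissive, or no usable
#                    config): run load_policy and let it decide
selinux_action() {
    cmdline=$1
    config=$2
    if [ -r "$cmdline" ] && grep -qw 'selinux=0' "$cmdline"; then
        echo kernel-disabled
        return 0
    fi
    # Accept optional whitespace around '=' (the "disabled = ..." case from
    # comment 3) and ignore trailing text; the last assignment wins.
    state=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
                "$config" 2>/dev/null | tail -n 1)
    if [ "$state" = disabled ]; then
        echo config-disabled
    else
        echo load-policy
    fi
}

# The config-disabled case without a dependency on load_policy: mount
# selinuxfs, write 1 to its 'disable' node, unmount again. Must run as root
# while the kernel is still in the "waiting for policy" state; $1 is the
# mount point (default /selinux, the path used on the Fedora 12 of the bug).
selinux_disable_at_runtime() {
    mnt=${1:-/selinux}
    mkdir -p "$mnt" || return 1
    mount -t selinuxfs selinuxfs "$mnt" || return 1
    echo 1 > "$mnt/disable"
    rc=$?
    umount "$mnt"
    return $rc
}

# Classify a boot from the SELinux lines in a dmesg capture ($1 is the file,
# e.g. /var/log/dmesg). The "Disabled at ..." and "Initializing." messages
# are the ones quoted in the report; "Completing initialization." is what the
# kernel prints on the first policy load, so "Initializing." without it is
# the half-way state this bug describes.
selinux_dmesg_state() {
    if grep -q 'SELinux:  Disabled at boot\.' "$1"; then
        echo disabled-at-boot
    elif grep -q 'SELinux:  Disabled at runtime\.' "$1"; then
        echo disabled-at-runtime
    elif grep -q 'SELinux:  Completing initialization\.' "$1"; then
        echo policy-loaded
    elif grep -q 'SELinux:  Initializing\.' "$1"; then
        echo waiting-for-policy
    else
        echo unknown
    fi
}

# Stand-alone run on constructed inputs mirroring the reporter's GUI-disabled
# boot; prints "config-disabled" then "waiting-for-policy".
demo() {
    d=$(mktemp -d) || return 1
    printf 'ro root=/dev/sda1 rhgb quiet\n' > "$d/cmdline"
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config"
    printf 'SELinux:  Initializing.\nSELinux:  Starting in permissive mode\n' > "$d/dmesg"
    selinux_action "$d/cmdline" "$d/config"
    selinux_dmesg_state "$d/dmesg"
    rm -rf "$d"
}
demo
```

In a real pre-pivot hook the config path would be "$NEWROOT/etc/selinux/config", and only the config-disabled branch would call selinux_disable_at_runtime (or load_policy -i); the kernel-disabled branch returns without touching selinuxfs, exactly as the unpatched script already did for selinux=0.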

Comment 10 Harald Hoyer 2010-02-24 10:01:41 UTC
already fixed in dracut-004-15.el6

Comment 11 Harald Hoyer 2010-02-24 10:02:19 UTC
uh.. wrong bugzilla :)

Comment 12 Fedora Update System 2010-04-15 14:34:33 UTC
dracut-005-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/dracut-005-2.fc12

Comment 13 Fedora Update System 2010-04-16 23:43:56 UTC
dracut-005-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update dracut'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/dracut-005-2.fc12

Comment 14 Fedora Update System 2010-05-11 19:45:46 UTC
dracut-005-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.