Bug 648591
Summary: | SELinux is preventing /usr/sbin/NetworkManager from read access on the file network. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | satellitgo |
Component: | livecd-tools | Assignee: | Brian Lane <bcl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | rawhide | CC: | adam.stokes, awilliam, bcl, bruno, cristian.ciupitu, dennis, dhuff, dwalsh, icj, Jasper.Hartline, jsmith.fedora, katzj, mgrepl, oliver.henshaw, sandro |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | setroubleshoot_trace_hash:d94ae0dd097cb87ebad31cf2ed55dbd9986aed04c513a30213b670e07b960ad9 | | |
Fixed In Version: | livecd-tools-15.5-1.fc15 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-03-12 04:39:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
satellitgo
2010-11-01 17:28:01 UTC
*** This bug has been marked as a duplicate of bug 648588 ***

I just hit a case of this. The bug it was marked as a dupe of is itself marked as a dupe of a CANTFIX indicating pilot error. However, the case I hit happens on boot of an F15 Alpha TC2 image; no user interaction required, you just boot up, log in, and there's an SELinux denial 'SELinux is preventing /usr/sbin/NetworkManager from 'read' access on the file network'. I'm guessing the file in question is /etc/sysconfig/network, which appears to have type system_u:object_r:file_t:s0. Is this a bug in whatever package owns/creates /etc/sysconfig/network?

On my 'dirty' rawhide system /etc/sysconfig/network has type system_u:object_r:etc_t:s0, so there's clearly something different in the cleanly-composed live image.

    [root@adam Download]# rpm -qf /etc/sysconfig/network
    file /etc/sysconfig/network is not owned by any package

doesn't help. I'm not sure what actually creates it.

The bug this was marked as a dupe of is about macros.imgcreate, and sure enough, I have a second abrt report about that file, on clean boot of the F15 Alpha TC2 image. huh.

er, selinux report, rather.

Marking as an F15 Final blocker, per criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ)".

    matchpathcon /etc/sysconfig/network
    /etc/sysconfig/network system_u:object_r:etc_t:s0

So the "etc_t" label is the correct one. Looks like a bug in the tool livecd-tools, which did not put the correct labels on this livecd.

file_t means no label got assigned. So the installation process of the livecd creator is broken.

livecd-tools does this:

    self.call(["/sbin/setfiles", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/etc/selinux/targeted/contexts/files/file_contexts", "/"])

It also writes the /etc/sysconfig/network file, after setfiles is run.

On the TC2 image there are 3 other files that have the file_t label: iptables.old, ip6tables.old, system-config-firewall.old. All the files in sysconfig have the same timestamp. It also uses lokkit to set up selinux and the firewall.

The 2/14 nightly works fine, with the correct context, and livecd-tools hasn't changed this code recently. This looks like a selinux bug.

Build system is an F14 box with selinux=disabled; when I build a minimal livecd in a rawhide mock the context on the /etc/sysconfig/network file is incorrect as indicated in comment 2 and 3. When I switch my system over to selinux=permissive and redo the build with no other changes, the created image has the correct context set on /etc/sysconfig/network.

livecd-creator processes the kickstart in the following order: language, keyboard, timezone, auth, selinux, firewall, rootpw, services, xconfig, network, rpmmacros. The selinux step executes the setfiles command in comment 10, and in the kickstart it is set to selinux --enforcing. /etc/sysconfig/network is written by the network step. The iptables files mentioned in step 10 may be written in the firewall step, which uses lokkit to change the firewall settings.

Ah. I think it's generally known that you should run live builds with selinux in permissive mode, but I don't know if we've ever considered a bug to be fixed or just worked with it...

The info I have is that nightly livecds are on a machine with it set permissive (which didn't work very well for me locally, the root password wasn't cleared for one) and that TC2 was being built on machines with it disabled.

Ok, so F15 Alpha TC2 images were created with disabled SELinux, which is a reason why we see these issues.

I build images in enforcing mode. I am pretty sure I have seen changes in the past to make building live images in disabled mode work. I am less sure about enforcing mode where the policy of the live image doesn't match that of the build system, but I vaguely remember changes to make that work as well. I think that it is a bug for them to not be built properly in any particular selinux mode. Note, I think the reason this is broken in disabled mode is that the default labels applied when not in disabled mode hide the bug of not running setfiles after all files have been created. This would also apply to files created in post processing, so ks files that do that may need to run setfiles on files created in that step, since I think that is too late for the normal setfiles command to catch them. I am changing the component back to livecd-tools, as I think the bug is really in that component, not selinux tools or policy.

I build all of mine on a host with it disabled, and don't plan on changing that, so I'll see what I can do to make it work.

I was thinking about this as I fell asleep last night and maybe it would be as simple as re-running setfiles after we run the post scripts. I'll give it a try today and see what happens, since I am able to reproduce the problem.

That would probably be a reasonable approach, but you'd want to limit the directories that get checked to save on running time. Based on what gets done after the first run, it should be possible to figure out a limited set of places where files might be created after the first setfiles run.

Ends up it's even simpler, just move it to after the post scripts are run.

*** Bug 639066 has been marked as a duplicate of this bug. ***

livecd-tools-15.5-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/livecd-tools-15.5-1.fc15

livecd-tools-14.2-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/livecd-tools-14.2-1.fc14

livecd-tools-15.5-1.fc15 has been pushed to the Fedora 15 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update livecd-tools'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/livecd-tools-15.5-1.fc15

livecd-tools-14.2-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

livecd-tools-15.5-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

This seems to have fixed bug #663935 too.
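The following is an added illustration, not livecd-tools code and not posted by anyone in this bug, of the ordering problem the thread converges on: when the build host has SELinux disabled, a file written after the selinux step's setfiles run carries no label at all (file_t), and moving the relabel to after the post scripts fixes it. The file_contexts table, the "packages" and "post" steps, and the paths other than /etc/sysconfig/network and the iptables.old file are assumptions made for the model; the matching rule is a simplification of what libselinux really does.

```python
import re

# Constructed, heavily abbreviated file_contexts table: (regex, context).
# Real setfiles picks the most specific match; in this toy table a later
# matching entry simply overrides an earlier one (assumption for the model).
FILE_CONTEXTS = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/etc(/.*)?", "system_u:object_r:etc_t:s0"),
    (r"/usr/sbin(/.*)?", "system_u:object_r:bin_t:s0"),
]

# A file that never received a label reports as file_t, exactly what the
# reporter saw on /etc/sysconfig/network in the TC2 image.
FILE_T = "system_u:object_r:file_t:s0"


def matchpathcon(path):
    """Toy matchpathcon: the context file_contexts prescribes for a path."""
    context = FILE_T
    for pattern, ctx in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            context = ctx
    return context


class ImageRoot:
    """Files in the image tree and the label each one currently carries."""

    def __init__(self):
        self.labels = {}

    def write(self, path):
        # With SELinux disabled on the build host the kernel assigns no label,
        # so a freshly written file is file_t until something relabels it.
        self.labels[path] = FILE_T

    def setfiles(self):
        # Relabel everything that exists right now, as `setfiles file_contexts /`
        # does; files created afterwards are not touched.
        for path in self.labels:
            self.labels[path] = matchpathcon(path)

    def unlabeled(self):
        """Paths still carrying file_t, i.e. what a post-build check would flag."""
        return sorted(p for p, c in self.labels.items() if c == FILE_T)


def kickstart_steps(image):
    """Per-step work, keyed by step name. 'packages' (package install, before
    the kickstart steps) and 'post' (a %post-created file) are assumed steps;
    the others are named in the bug report."""
    return {
        "packages": lambda: image.write("/usr/sbin/NetworkManager"),
        "selinux": image.setfiles,
        "firewall": lambda: image.write("/etc/sysconfig/iptables.old"),
        "network": lambda: image.write("/etc/sysconfig/network"),
        "post": lambda: image.write("/etc/motd"),
    }


def build(order):
    """Run the steps in the given order; return the files left as file_t."""
    image = ImageRoot()
    steps = kickstart_steps(image)
    for name in order:
        steps[name]()
    return image.unlabeled()


# Order as livecd-creator ran it when the bug was filed: setfiles runs inside
# the selinux step, before firewall, network and %post create their files.
BUGGY_ORDER = ["packages", "selinux", "firewall", "network", "post"]
# The fix described in the thread: relabel after the post scripts have run.
FIXED_ORDER = ["packages", "firewall", "network", "post", "selinux"]

if __name__ == "__main__":
    print("buggy order leaves file_t on:", build(BUGGY_ORDER))
    print("fixed order leaves file_t on:", build(FIXED_ORDER))
```

The `unlabeled()` check is the part worth keeping in mind beyond this toy: on a real image tree, listing files whose context is file_t after the build is a cheap way to catch the same regression before the image ships, whatever mode the build host runs in.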