Bug 858373

Summary: SELinux denials when packages create users/groups during live image creation with livecd-creator
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: livecd-tools
Assignee: Brian Lane <bcl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 18
CC: adam.stokes, bcl, bruno, dhuff, dominick.grift, dwalsh, ffesti, Jasper.Hartline, jnovy, john, jzeleny, katzj, mgrepl, packaging-team, pknirsch, pmatilai
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: livecd-tools-18.13-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-18 06:56:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
- patch for nocontexts (flags: none)
- AVCs encountered while running livecd-creator from livecd-tools-18.13-1.fc18.i686 (flags: none)

Description Adam Williamson 2012-09-18 19:41:58 UTC
When creating a live image with livecd-creator (from livecd-tools), an F18 image created on an F18 host, I get SELinux denials every time a package being installed into the live image environment tries to create a user or group (and user/group creation actually fails). The denials are:

Raw Audit Messages

type=AVC msg=audit(1347997072.978:1040): avc:  denied  { read write } for  pid=14943 comm="useradd" name="lastlog" dev="loop0" ino=15518 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1347997072.978:1040): avc:  denied  { open } for  pid=14943 comm="useradd" path="/var/log/lastlog" dev="loop0" ino=15518 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1347997072.978:1040): arch=x86_64 syscall=open success=yes exit=EBADF a0=7fe106df4e92 a1=2 a2=fffffffffffffec0 a3=0 items=0 ppid=14936 pid=14943 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)

IIRC, I could create F17 lives on an F17 host in Enforcing mode. This problem is fatal to image creation; it fails later on due to the lack of the users/groups. I have to set Permissive mode to successfully create a live image.

Comment 1 Miroslav Grepl 2012-09-19 15:06:43 UTC
The problem is the lastlog is mislabeled.

Comment 2 Daniel Walsh 2012-09-19 23:59:13 UTC
So the question is how did lastlog get created with the wrong label?  Is something blowing it away and recreating it, without running restorecon?

What policy was used to create this?

I know unconfined domains have this rule
	logging_log_named_filetrans($1, lastlog_t, file, "lastlog")

Which should create the lastlog file with the correct label.
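
An added triage helper (not code from this bug or from livecd-tools) that parses the AVC records quoted in the description and flags a target whose type differs from what the named file transition above should have produced; the lastlog -> lastlog_t entry is the only mapping taken from this page, and the sample input is the report's own records embedded for offline use:

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the audit records quoted in the bug description.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1347997072.978:1040): avc:  denied  { read write } for  pid=14943 comm="useradd" name="lastlog" dev="loop0" ino=15518 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1347997072.978:1040): avc:  denied  { open } for  pid=14943 comm="useradd" path="/var/log/lastlog" dev="loop0" ino=15518 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1347997072.978:1040): arch=x86_64 syscall=open success=yes exit=EBADF a0=7fe106df4e92 a1=2 a2=fffffffffffffec0 a3=0 items=0 ppid=14936 pid=14943 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
"""

# Type the named file transition from comment 2 should give the file:
#   logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
# Only the lastlog entry comes from this bug; further entries would be taken from the policy sources.
EXPECTED_TYPE_BY_NAME = {"lastlog": "lastlog_t"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')  # { read write }


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Parse one type=AVC record into a dict; other record types (SYSCALL, ...) yield None."""
    if not line.startswith("type=AVC"):
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    rec["perms"] = " ".join(m.group(1).split()) if m else ""
    # A context is user:role:type[:range]; the type is the third colon-separated field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def mislabel_findings(audit_text: str) -> List[Dict[str, str]]:
    """Report denials where the target file's type is not what the named transition should have set."""
    findings = []
    for raw in audit_text.splitlines():
        rec = parse_avc(raw.strip())
        if rec is None:
            continue
        # The first record carries name="lastlog", the second only path=; accept either.
        name = rec.get("name") or rec.get("path", "").rsplit("/", 1)[-1]
        expected = EXPECTED_TYPE_BY_NAME.get(name)
        if expected and rec["ttype"] != expected:
            findings.append({
                "comm": rec["comm"], "name": name, "path": rec.get("path", ""),
                "perms": rec["perms"], "actual": rec["ttype"], "expected": expected,
                # Relabelling the file inside the image tree (restorecon) is the fix for this denial.
                "fix": "restorecon " + (rec.get("path") or "<image-root>/var/log/" + name),
            })
    return findings
```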

Comment 3 Adam Williamson 2012-09-20 18:03:19 UTC
I'm guessing this is the copy of lastlog inside the filesystem destined to become the live image, not the copy on the host system. I'm not really sure how that gets created. bcl would know.

Comment 4 Daniel Walsh 2012-10-08 20:17:07 UTC
Ok, I think the problem here is the rpm transition stuff.  Basically we want all processes run within the livecd to stay as livecd_t, but rpm attempts to set its scripts to rpm_script_t, which then transitions to useradd_t and groupadd_t.

Since we are just going to relabel the content when the command completes, we really do not care about these outputs.

Comment 5 Daniel Walsh 2012-10-08 20:21:31 UTC
RPM guys, isn't there a way to tell rpm not to use rpm_script_t?

I remember doing something like this in mock.

Comment 6 Panu Matilainen 2012-10-09 04:34:44 UTC
Yup. From the rpm cli, --nocontexts disables selinux entirely within rpm, but for livecd I guess we'd be talking about python, where it'd be the RPMTRANS_FLAG_NOCONTEXTS transaction flag. But since livecd relies on yum... it's sufficient to add 'nocontexts' to the yum instance's conf.tsflags property.

Comment 7 Daniel Walsh 2012-10-09 17:25:53 UTC
Thanks Panu, I could not remember what we had done.

You could look at mock-1.1.21/py/mockbuild/plugins/selinux.py to see how it is done.

Comment 8 Daniel Walsh 2012-10-09 18:14:34 UTC
*** Bug 804243 has been marked as a duplicate of this bug. ***

Comment 9 Brian Lane 2012-10-10 16:47:11 UTC
Created attachment 625015 [details]
patch for nocontexts

Comment 10 Adam Williamson 2012-10-11 00:03:42 UTC
So I tried the patch, and it makes the denials go away, but some of the user/group creations still fail:

groupadd: failure while writing changes to /etc/group
 error: %pre(initscripts-9.40-1.fc18.x86_64) scriptlet failed, exit status 10
 error: initscripts-9.40-1.fc18.x86_64: install failed

for instance. I got this on several packages, and then the image creation ultimately failed because /etc/inittab (iirc) didn't exist, which is what always happens when you hit this bug.

Comment 11 Daniel Walsh 2012-10-12 02:59:24 UTC
Adam, if you run it in permissive mode it works?

Could you run it with semodule -DB and see if there are any AVCs that we are not showing.

Comment 12 Adam Williamson 2012-10-12 19:43:36 UTC
So even run after semodule -DB I see no AVCs at the time of the errors in the compose. But the compose works fine if I do 'setenforce Permissive' first. So the problem is still somehow to do with selinux, even though there are no AVCs.

Comment 13 Fedora Update System 2012-12-04 23:44:03 UTC
livecd-tools-18.13-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/livecd-tools-18.13-1.fc18

Comment 14 Fedora Update System 2012-12-05 23:10:33 UTC
Package livecd-tools-18.13-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing livecd-tools-18.13-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19802/livecd-tools-18.13-1.fc18
then log in and leave karma (feedback).

Comment 15 John Florian 2012-12-06 18:32:35 UTC
Hrmm... this does not bode well:

<snip>
  Installing: strace                       ##################### [515/516] 
  Installing: mtr                          ##################### [516/516] 
  Installing: zip                          ##################### [517/516] 
  Installing: ethtool                      ##################### [518/516] 
966 blocks
W: Could not find 'strip'. Not stripping the initramfs.

Error creating Live CD : Unable to run ['/usr/bin/firewall-offline-cmd', '--enabled', '--service=ssh']!

Comment 16 Brian Lane 2012-12-06 18:56:46 UTC
That isn't related to selinux. strip comes from binutils. If that isn't being included then something is probably wrong with your package set.

Comment 17 John Florian 2012-12-06 20:33:54 UTC
Sorry, I should have been clearer.  I was actually more worried about the last error where it was unable to run firewall-offline-cmd.  That's something new I'm seeing.  (I've seen the strip warning before for at least a week or so now and it never seemed to cause any actual problems; although I should probably look into that as well.)

Comment 18 Brian Lane 2012-12-06 21:18:37 UTC
Well, then we need more info. What selinux state is the host in? Does /var/log/audit/audit.log show any denials?

I did a build using the spin-kickstarts' lxde livecd kickstart and didn't see either of these problems. Please also attach your kickstart file.

Comment 19 John Florian 2012-12-06 22:06:11 UTC
SELinux is enforcing the targeted policy.  (Good news!  I no longer see the user/group creation problems that started this BZ.)

I do see quite a few AVCs, which I'll provide via an attachment.

The firewall-offline-cmd error seems to be caused by not having the 'firewalld' package included.  Is that now mandatory for images created by livecd-tools?  My use case requires iptables and at this point would be nearly impossible to migrate over to firewalld.

(My AVCs attachment is with firewalld cited in the package section, so I no longer got that particular error and indeed the spin seemed to be created to completion.  I've only included the AVCs in case they're still of interest.)

I'll see what I can do to reveal the kickstart.  It's split up among several %includes, some of which have dynamically generated content, and of course proprietary company secrets.  :-)  It was originally based off some thincrust AOS-type minimal kickstarts.  Is /usr/share/doc/livecd-tools-18.13/livecd-fedora-minimal.ks a better base to be starting from nowadays?

Comment 20 John Florian 2012-12-06 22:07:35 UTC
Created attachment 659070 [details]
AVCs encountered while running livecd-creator from livecd-tools-18.13-1.fc18.i686

Comment 21 Miroslav Grepl 2012-12-07 09:23:17 UTC
Please test it with the latest -60.fc18 policy.

Comment 22 John Florian 2012-12-07 13:57:22 UTC
Using the latest -60.fc18 policy I saw not a single AVC.  Looks very good here.

Comment 23 Adam Williamson 2012-12-13 03:10:42 UTC
Well I can *build* images with -60 and -62, but they don't work properly. Even with host in Permissive. See https://bugzilla.redhat.com/show_bug.cgi?id=886733 .

Comment 24 John Florian 2012-12-13 13:34:09 UTC
(In reply to comment #23)
> Well I can *build* images with -60 and -62, but they don't work properly.
> Even with host in Permissive. See
> https://bugzilla.redhat.com/show_bug.cgi?id=886733 .

I just wanted to add that while I saw no problems at all during the image build or while running the build, I do only have selinux enabled on the build host.  Specifically, I don't have selinux enabled for the live spins I'm building.  This seems to match what you're saying in #886733.

Comment 25 Fedora Update System 2012-12-15 00:49:17 UTC
livecd-tools-18.14-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/livecd-tools-18.14-1.fc18

Comment 26 Fedora Update System 2012-12-18 06:56:24 UTC
livecd-tools-18.14-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.