Bug 886733

Summary: live images built with livecd-creator 18.13 have major SELinux problems (SELinux is preventing /usr/libexec/colord from 'write' accesses on the directory colord.)
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: adam.stokes, bcl, bruno, dhuff, dominick.grift, dwalsh, Jasper.Hartline, katzj, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:8893822a75eca2eba8109db7627235175e3036f59bd29c76bcb19bbac070835c AcceptedNTH
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-18 06:53:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 752665    

Description Adam Williamson 2012-12-13 02:29:54 UTC
Description of problem:
Created a live image with enforcing enabled on an F18 host, using selinux-policy -60 for guest and host (current stable). Using livecd-tools 18.13. Tried to boot the live image; boots to a black screen. Booting with enforcing=0 boots fine and gives me this single AVC.
SELinux is preventing /usr/libexec/colord from 'write' accesses on the directory colord.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow colord to have write access on the colord directory
Then you need to change the label on colord
Do
# semanage fcontext -a -t FILE_TYPE 'colord'
where FILE_TYPE is one of the following: tmpfs_t, tmp_t, colord_tmpfs_t, colord_var_lib_t, var_lib_t, colord_tmp_t. 
Then execute: 
restorecon -v 'colord'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that colord should be allowed write access on the colord directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                colord [ dir ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.25-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-60.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec
                              4 14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-12-12 21:23:07 EST
Last Seen                     2012-12-12 21:23:07 EST
Local ID                      4ac14a97-4749-4b5e-8c8a-dc81ff78a7c6

Raw Audit Messages
type=AVC msg=audit(1355365387.703:397): avc:  denied  { write } for  pid=1646 comm="colord" name="colord" dev="dm-0" ino=9172 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir


type=AVC msg=audit(1355365387.703:397): avc:  denied  { add_name } for  pid=1646 comm="colord" name="mapping.db" scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir


type=AVC msg=audit(1355365387.703:397): avc:  denied  { create } for  pid=1646 comm="colord" name="mapping.db" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file


type=AVC msg=audit(1355365387.703:397): avc:  denied  { read write open } for  pid=1646 comm="colord" path="/var/lib/colord/mapping.db" dev="dm-0" ino=42686 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1355365387.703:397): arch=x86_64 syscall=open success=yes exit=ENXIO a0=17e9720 a1=80042 a2=1a4 a3=7fff5e6aae20 items=0 ppid=1 pid=1646 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: colord,colord_t,var_t,dir,write

audit2allow
audit2allow -R

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.9-4.fc18.x86_64
type:           libreport

Comment 1 Adam Williamson 2012-12-13 02:40:32 UTC
CCing bcl as this is likely livecd-creator not selinux-policy...

Comment 2 Adam Williamson 2012-12-13 03:09:29 UTC
If I build an image with -62 on the host and -62 in the package set for the live image, the resulting image boots, but only to gdm: if I click on 'live user' it cycles right back to gdm. If I boot with enforcing=0 and login I see a whole *pile* of AVCs, 52+ from pulseaudio, gnome-settings-daemon, gnome-keyring-daemon, gnome-session, pactl, dconf-service...it's obviously borked. And more AVCs show up just leaving the VM sitting there. This seems to happen whether I set Enforcing or Permissive on the host.

Re-assigning to livecd-creator as I'm fairly sure that's where the problem is.

Comment 3 Adam Williamson 2012-12-13 03:25:40 UTC
system installed from a 62/62 image has the same problem - gdm loops if booted with selinux in enforcing. works if booted with enforcing=off . giant pile of AVCs. If I do 'restorecon -nvr /' , it seems like the system is completely mislabelled - everything seems to be unconfined_u:object_r:root_t:s0 .

Comment 4 Adam Williamson 2012-12-13 03:29:18 UTC
I see these errors/warnings during live image generation:

/etc/selinux/targeted/contexts/files/file_contexts: line 3259 has invalid context system_u:object_r:consoletype_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 3835 has invalid context system_u:object_r:consoletype_exec_t:s0
1.0%/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:consoletype_exec_t:s0

not sure if that's related.

Comment 5 Brian Lane 2012-12-13 15:31:28 UTC
I think this is a selinux-policy problem.

I built multiple successful livecds using -50 on the host and -60 and -62 on the image. When I upgraded my system (various package upgrades including selinux-policy-3.11.1-62) and built a new livecd it will no longer boot. checking the audit.log on the host doesn't show any unusual denials during the build.

I *do* see the output from comment 4, but I also so it on all of the successful builds so I think that is unrelated.

Comment 6 Miroslav Grepl 2012-12-13 18:00:49 UTC
what does

# grep consoletype_exec_t /etc/selinux/targeted



I need to test it on my machine.

Comment 7 Adam Williamson 2012-12-13 18:30:29 UTC
[root@adam tmp]# grep -r consoletype_exec_t /etc/selinux/targeted
[root@adam tmp]#

Comment 8 Adam Williamson 2012-12-13 18:45:30 UTC
[root@adam tmp]# rpm -V selinux-policy-targeted
missing     /etc/selinux/targeted/modules/active/modules/consoletype.pp

Comment 9 Brian Lane 2012-12-13 18:54:42 UTC
On my desktop I was able to build bootable livecd's using policy -50 (and -62 on the image). When I upgraded to -62 the would not boot.

I am missing the same file as comment 8 on the desktop.


On my laptop I can build bootable images. It isn't missing the file, and the upgrade path for selinux-policy has been:

-46 to -50 to -60 (on 12/8) to -62 today.

Comment 10 Brian Lane 2012-12-13 21:48:30 UTC
Note, running yum reinstall selinux-policy-targeted doesn't reinstall the missing file.

Comment 11 Miroslav Grepl 2012-12-14 08:14:50 UTC
I am fixing it.

Fixed in selinux-policy-3.11.1-63.fc18.noarch

Comment 12 Adam Williamson 2012-12-14 21:08:54 UTC
Proposing as at least NTH because we may be pulling a newer selinux so we should ensure we get one that fixes this, if we do.

Comment 13 Adam Williamson 2012-12-15 02:29:55 UTC
mgrepl: can you please submit -63 as an update so we can pull it into builds? thanks.

Comment 14 Miroslav Grepl 2012-12-17 11:19:07 UTC
I am going to submit a newer build today. There were more issues to fix.

Comment 15 Fedora Update System 2012-12-17 17:39:15 UTC
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18

Comment 16 Adam Williamson 2012-12-17 19:41:01 UTC
Discussed at 2012-12-17 NTH review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-17/f18final-blocker-review-5.2012-12-17-16.40.log.txt . Accepted as NTH - selinux-policy -60 went stable, so we could possibly run into issues building live images with it, we should ensure that doesn't happen.

Comment 17 Adam Williamson 2012-12-17 20:59:51 UTC
Looks fixed with -66. Thanks.

Comment 18 Fedora Update System 2012-12-18 06:53:53 UTC
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.