Bug 923497 (mcelog)
Summary: | Generated live image has many incorrect SELinux contexts, possibly due to missing l2tp.pp file in host's selinux-policy-targeted | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 19 | CC: | dominick.grift, dwalsh, ilmostro7, jones.peter.busi, mgrepl, robatino
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Unspecified | |
Whiteboard: | abrt_hash:3f481a4f369f9c5fa777a67290b68ab616699c5ed1555701a702bfe93c09fe88 | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-04-19 05:53:06 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Adam Williamson
2013-03-20 00:19:02 UTC
Final blocker: "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login"

Is this file being created by networkmanager? How is /etc/mcelog being labeled?

ls -lZd /etc/mcelog

*** Bug 923496 has been marked as a duplicate of this bug. ***
*** Bug 923495 has been marked as a duplicate of this bug. ***
*** Bug 923494 has been marked as a duplicate of this bug. ***
*** Bug 923493 has been marked as a duplicate of this bug. ***
*** Bug 923492 has been marked as a duplicate of this bug. ***
*** Bug 923490 has been marked as a duplicate of this bug. ***
*** Bug 923489 has been marked as a duplicate of this bug. ***
*** Bug 923488 has been marked as a duplicate of this bug. ***
*** Bug 923487 has been marked as a duplicate of this bug. ***
*** Bug 923486 has been marked as a duplicate of this bug. ***

Miroslav, something is going wrong with the building of a livecd for F19, the labeling is screwed up. Adam reports seeing this in the logs.

/etc/selinux/targeted/contexts/files/file_contexts: line 28 has invalid context system_u:object_r:l2tp_conf_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 285 has invalid context system_u:object_r:l2tpd_var_run_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 290 has invalid context system_u:object_r:l2tpd_var_run_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 404 has invalid context system_u:object_r:l2tpd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 1176 has invalid context system_u:object_r:l2tp_conf_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 1547 has invalid context system_u:object_r:l2tpd_initrc_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 4007 has invalid context system_u:object_r:l2tpd_var_run_t:s0
12.0%/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:l2tpd_exec_t:s0

Could you investigate what is causing this?
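A defender-side check for the failure quoted above, added here as example code (it is not from the bug or from selinux-policy): parse a file_contexts file and report every entry whose context type the loaded policy does not define, which is what produces "line N has invalid context ..." when a module such as l2tp.pp is missing. The file_contexts fragment and the set of known types are constructed sample data; on a real host the type set would be collected with setools' `seinfo -t`.

```python
# A file_contexts entry is: <path regex> [<file-type flag>] <context or <<none>>>
FILE_TYPE_FLAGS = {"-b", "-c", "-d", "-p", "-l", "-s", "--"}

# Constructed sample modelled on file_contexts; the l2tp entries mirror the bug.
SAMPLE_FILE_CONTEXTS = """\
/etc/l2tp(/.*)?           system_u:object_r:l2tp_conf_t:s0
/etc/mcelog(/.*)?         system_u:object_r:mcelog_etc_t:s0
/var/log/mcelog.*      -- system_u:object_r:mcelog_log_t:s0
/usr/sbin/xl2tpd       -- system_u:object_r:l2tpd_exec_t:s0
/proc                     <<none>>
# comment lines and blanks are ignored
/run/xl2tpd(/.*)?         system_u:object_r:l2tpd_var_run_t:s0
"""
# Constructed stand-in for the types the loaded policy defines (on a real host
# collect them with setools' `seinfo -t`); the l2tp module is absent here.
KNOWN_TYPES = {"mcelog_etc_t", "mcelog_log_t", "abrt_t"}

def context_type(ctx):
    """Return the type field of user:role:type[:range], or None if malformed."""
    parts = ctx.split(":", 3)
    return parts[2] if len(parts) >= 3 and all(parts[:3]) else None

def check_file_contexts(text, known_types):
    """Return (lineno, context, reason) for every entry whose type the policy does
    not define: what 'line N has invalid context ...' reports when l2tp.pp is gone."""
    bad = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
            ctx = fields[2]
        elif len(fields) == 2:
            ctx = fields[1]
        else:
            bad.append((lineno, line, "malformed entry"))
            continue
        if ctx == "<<none>>":  # explicit "never relabel" marker, no type to check
            continue
        t = context_type(ctx)
        if t is None:
            bad.append((lineno, ctx, "malformed context"))
        elif t not in known_types:
            bad.append((lineno, ctx, f"type {t} not defined in policy"))
    return bad

def format_report(path, bad):
    """Render findings in the shape of the messages quoted in the bug."""
    return [f"{path}: line {n} has invalid context {c}" for n, c, _ in bad]
```

Running it against the real file with the real type set turns the build-time noise into a reviewable list before an image is built from a host whose policy store has lost a module.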
*** Bug 923483 has been marked as a duplicate of this bug. ***
*** Bug 923484 has been marked as a duplicate of this bug. ***
*** Bug 923485 has been marked as a duplicate of this bug. ***
*** Bug 923482 has been marked as a duplicate of this bug. ***
*** Bug 923480 has been marked as a duplicate of this bug. ***
*** Bug 923479 has been marked as a duplicate of this bug. ***
*** Bug 923477 has been marked as a duplicate of this bug. ***
*** Bug 923475 has been marked as a duplicate of this bug. ***
*** Bug 923473 has been marked as a duplicate of this bug. ***
*** Bug 923472 has been marked as a duplicate of this bug. ***
*** Bug 923471 has been marked as a duplicate of this bug. ***

Further to comment #14:

[root@adam liferea (master)]# rpm -V selinux-policy-targeted-3.12.1-22.fc19.noarch
missing /etc/selinux/targeted/modules/active/modules/l2tp.pp
[root@adam liferea (master)]# yum reinstall selinux-policy-targeted
Loaded plugins: auto-update-debuginfo, langpacks, refresh-packagekit
...
Installed:
  selinux-policy-targeted.noarch 0:3.12.1-22.fc19
Complete!
[root@adam liferea (master)]# rpm -V selinux-policy-targeted-3.12.1-22.fc19.noarch
missing /etc/selinux/targeted/modules/active/modules/l2tp.pp
[root@adam liferea (master)]# yum downgrade http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/21.fc19/noarch/selinux-policy-3.12.1-21.fc19.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/21.fc19/noarch/selinux-policy-devel-3.12.1-21.fc19.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/21.fc19/noarch/selinux-policy-targeted-3.12.1-21.fc19.noarch.rpm
...
[root@adam liferea (master)]# rpm -V selinux-policy-targeted
missing /etc/selinux/targeted/modules/active/modules/l2tp.pp

So that l2tp.pp file seems to be missing, and reinstalling or downgrading selinux-policy does not help.
In selinux_policy.spec I see

(cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
^^^^^^^

Looks like you are deleting it. Although on my F19 box I have the file.

[root@redsox ~]# rpm -ql selinux-policy-targeted | grep l2tp
/etc/selinux/targeted/modules/active/modules/l2tp.pp
[root@redsox ~]# ls /etc/selinux/targeted/modules/active/modules/l2tp.pp
/etc/selinux/targeted/modules/active/modules/l2tp.pp

My arrows did not work... They do in a monospaced email :)

I saw the same thing, but assumed the subsequent semodule -B -n -s re-created them or something. But I have no idea what the hell's going on there.

So in a fresh F19 install (done from F18 netinst with F19 repos, as F19 install images are bust atm) l2tp.pp appears to be present, and 'yum reinstall selinux-policy-targeted' doesn't kill it. So it seems somehow specific to my desktop. But I have no idea why it's missing on my desktop, or even the correct way to get it back... removing blocker nomination for now.

Adam, what kickstarts are you using to build a F19 livecd?

mgrepl: current f19 branch of spin-kickstarts.

It's almost certainly the missing l2tp.pp file that's causing this. I did another live image build in a clean VM - as described in c#30 - using exactly the same configuration, and that doesn't have the problem. So the problem is the missing l2tp.pp file on my desktop. But I've no idea why that's missing, or how to get it back.
(In reply to comment #27)
> in selinux_policy.spec I see
> (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp
> amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp
> execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp
> mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp
> polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp
> telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp
> pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp
> rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \ ^^^^^^^
>
> Looks like you are deleting it. Although on my F19 box I have the file.
>
> [root@redsox ~]# rpm -ql selinux-policy-targeted | grep l2tp
> /etc/selinux/targeted/modules/active/modules/l2tp.pp
> [root@redsox ~]# ls /etc/selinux/targeted/modules/active/modules/l2tp.pp
> /etc/selinux/targeted/modules/active/modules/l2tp.pp

Well, I also don't have the policy file and am not sure why we delete it. Should be there.

Fixed in selinux-policy-3.12.1-23.fc19

selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19

Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).

selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

I'm getting the same messages in the syslog:

SELinux is preventing /usr/bin/python2.7 from open access on the file /var/log/mcelog.
***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed open access on the mcelog file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep abrt-action-che /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mcelog_log_t:s0
Target Objects                /var/log/mcelog [ file ]
Source                        abrt-action-che
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          FedPadSSD
Source RPM Packages           python-2.7.5-9.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     FedPadSSD
Platform                      Linux FedPadSSD 3.12.10-300.fc20.x86_64 #1 SMP Thu Feb 6 22:11:48 UTC 2014 x86_64 x86_64
Alert Count                   8
First Seen                    2014-02-07 09:46:30 CST
Last Seen                     2014-02-08 18:51:20 CST
Local ID                      84161e23-d7bb-408c-bf4e-48042a3cc721

Raw Audit Messages
type=AVC msg=audit(1391907080.588:437): avc: denied { open } for pid=2521 comm="abrt-action-che" path="/var/log/mcelog" dev="sda2" ino=130955 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mcelog_log_t:s0 tclass=file

type=SYSCALL msg=audit(1391907080.588:437): arch=x86_64 syscall=open success=no exit=EACCES a0=210e630 a1=0 a2=1b6 a3=0 items=0 ppid=2510 pid=2521 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=abrt-action-che exe=/usr/bin/python2.7 subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: abrt-action-che,abrt_t,mcelog_log_t,file,open

=========================================================================

I'm not sure why abrt-action-che is denied access to /var/log/mcelog with the SELinux context label "mcelog_log_t".

Kernel version 3.12.10-300, as well as the previous kernel version. I only "noticed" them since the recent selinux-policy upgrades, though I'm not sure if it's related to that.

This avc has nothing to do with this bugzilla, please open a new one.