Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1054515

Summary: denials while running anaconda in Enforcing mode
Product: Red Hat Enterprise Linux 7 Reporter: Brian Lane <bcl>
Component: filesystemAssignee: Ondrej Vasik <ovasik>
Status: CLOSED WORKSFORME QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: unspecified    
Version: 7.0CC: bcl, degts, dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-01 09:10:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
log of denials while running anaconda with Enforcing mode none

Description Brian Lane 2014-01-17 00:22:24 UTC 
Description of problem:
I'm trying to see if it is possible for anaconda to run with Enforcing instead of Permissive to create bootable disk images. I'm do a minimal install of RHEL7.


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-112.el7.noarch
anaconda-19.31.41-2.el7.x86_64
kernel is 3.10.0-65.el7.x86_64


Anaconda has the ability to be run from the cmdline to install to a disk image or subdirectory. This feature is also used by livemedia-creator but for these experiments I am running anaconda directly.

Anaconda installs use 2 executables. The UI is /usr/sbin/anaconda and the actual yum transaction is run via /usr/libexec/anaconda/anaconda-yum

When installed from the repo their labels look like this:

[root@atlas ~]# ls -Z /usr/sbin/anaconda 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/anaconda
[root@atlas ~]# ls -Z /usr/libexec/anaconda/anaconda-yum 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/libexec/anaconda/anaconda-yum

When I do the following:
dd if=/dev/null of=/var/tmp/disk1.img bs=1M seek=20k
anaconda --image=/var/tmp/disk1.img --repo=http://path.to.repo/rhel7.0/Server/os/

I end up with a large number of denied messages in audit.log, mostly from useradd and groupadd. The install does appear to finish successfully, but the resulting image isn't bootable unless you pass selinux=0, there may be other more subtle issues with the image.

If I change the labels on anaconda and anaconda-yum to use livecd_exec_t it actually works worse. I get a single denial from NetworkManager and the anaconda install times out and throws a traceback.

type=USER_AVC msg=audit(1389913771.158:10823): pid=1359 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.DBus.Error.Un
knownMethod dest=:1.4005 spid=1596 tpid=13961 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I change the labels with chcon:

[root@atlas ~]# chcon -v --type=livecd_exec_t /usr/libexec/anaconda/anaconda-yum 
changing security context of ‘/usr/libexec/anaconda/anaconda-yum’
[root@atlas ~]# chcon -v --type=livecd_exec_t /usr/sbin/anaconda 
changing security context of ‘/usr/sbin/anaconda’
[root@atlas ~]# ls -Z /usr/libexec/anaconda/anaconda-yum 
-rwxr-xr-x. root root system_u:object_r:livecd_exec_t:s0 /usr/libexec/anaconda/anaconda-yum
[root@atlas ~]# ls -Z /usr/sbin/anaconda 
-rwxr-xr-x. root root system_u:object_r:livecd_exec_t:s0 /usr/sbin/anaconda

If I run the same tests with selinux in Permissive mode the image boots without problems.
Comment 1 Brian Lane 2014-01-17 00:23:17 UTC 
Created attachment 851360 [details]
log of denials while running anaconda with Enforcing mode
Comment 3 Miroslav Grepl 2014-01-17 15:12:43 UTC 
(In reply to Brian C. Lane from comment #1)
> Created attachment 851360 [details]
> log of denials while running anaconda with Enforcing mode

Are these with the default anaconda labeling?
Comment 4 Brian Lane 2014-01-17 16:03:42 UTC 
(In reply to Miroslav Grepl from comment #3)
> (In reply to Brian C. Lane from comment #1)
> > Created attachment 851360 [details]
> > log of denials while running anaconda with Enforcing mode
> 
> Are these with the default anaconda labeling?

Yes. When I relabel them with livecd_exec_t the only one I get is the NetworkManager one in comment #1 and then a timeout traceback.
Comment 5 Daniel Walsh 2014-03-12 18:04:39 UTC 
We seem to have dropped the ball on this one. Miroslav lets change the label and allow networkmanager to communicate with livecd_t.
Comment 6 Miroslav Grepl 2014-03-14 06:09:22 UTC 
Could you please re-test it with the latest el7 policy build which is available from brew.
Comment 7 Brian Lane 2014-03-14 23:05:18 UTC 
selinux-policy-3.12.1-137.el7 is a big improvement.

anaconda and anaconda-yum now have system_u:object_r:install_exec_t and I don't have any problems running the installation.

But I am still seeing a pile of errors from passwd, useradd, and groupadd.

eg.

Mar 14 14:23:24 localhost.localdomain setroubleshoot[27019]: dbus avc(node=localhost.localdomain type=AVC msg=audit(1394832202.307:831): avc:  denied  { read } for  pid=27017 comm="passwd" name="run" dev="dm-1" ino=72 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
                                                             node=localhost.localdomain type=SYSCALL msg=audit(1394832202.307:831): arch=c000003e syscall=42 success=no exit=-13 a0=18 a1=7fff607dfc80 a2=6e a3=7faababd57b8 items=0 ppid=27016 pid=27017 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)                                                             node=localhost.localdomain type=EOE msg=audit(1394832202.307:831):) called: 1 Connections

A minimal install disk image boots fine as far as I can tell, but a desktop install gets stuck.
Comment 8 Daniel Walsh 2014-03-16 20:55:57 UTC 
This looks like you have a lnk file run that is labeled default_t?  ls -lZ /run
Comment 9 Brian Lane 2014-03-17 17:24:15 UTC 
Not on the host, but when the install starts it has the wrong labels on /mnt/sysimage/var/run and /mnt/sysimage/var/lock

lrwxrwxrwx. root root unconfined_u:object_r:default_t:s0 lock -> ../run/lock
lrwxrwxrwx. root root unconfined_u:object_r:default_t:s0 run -> ../run

The actual directories look ok:

drwxr-xr-x. root root system_u:object_r:var_run_t:s0   run
drwxr-xr-x. root root system_u:object_r:var_lock_t:s0  lock

These are created very early in the install, by the filesystem package.

The host system has selinux-policy-3.12.1-137.el7.noarch installed, but at the time filesystem is installed the chroot hasn't installed selinux yet.
Comment 10 Miroslav Grepl 2014-03-17 17:34:03 UTC 
AFAIK there is a bug for this issue.
Comment 11 Miroslav Grepl 2014-03-24 10:17:20 UTC 
(In reply to Miroslav Grepl from comment #10)
> AFAIK there is a bug for this issue.

And it should be already fixed in the filesystem pkg.
Comment 12 Brian Lane 2014-03-31 20:30:39 UTC 
(In reply to Miroslav Grepl from comment #11)
> (In reply to Miroslav Grepl from comment #10)
> > AFAIK there is a bug for this issue.
> 
> And it should be already fixed in the filesystem pkg.

With filesystem-3.2-18.el7 I am still seeing the symlinks with the wrong labels as described in comment 9.

The host is using selinux-policy-3.12.1-147.el7.noarch
Comment 15 Ondrej Vasik 2014-10-06 12:40:43 UTC 
Mirek/Milos, what do you expect to be done in filesystem? I already run restorecon in posttrans in 7.0GA package. Is this supposed to be TestOnly bugzilla? Should I move it to ON_QA?
Comment 16 Milos Malik 2014-10-07 12:42:51 UTC 
It seems that everything under /mnt/sysimage is not labeled correctly. Would it be possible to assign correct labels to the file-system mounted in /mnt/sysimage before anaconda starts to install things into the file-system? For example using file context equivalences: semanage fcontext -e ...
Comment 17 Brian Lane 2014-10-07 18:48:49 UTC 
No, as I pointed out in comment 12 almost all of it is working correctly, it's just those symlinks that are an issue.

I just reran my test with:
anaconda-19.31.98-2
selinux-policy-targeted-3.13.1-2.el7.noarch

And everything looks like it is labeled correctly now. Thanks!
Comment 18 Daniel Walsh 2015-01-03 13:55:27 UTC 
So can we close this bug?
Comment 19 Ondrej Vasik 2015-02-01 09:10:39 UTC 
Let's close it worksforme, unless there is clear what should be done in filesystem package. I don't see anything - restorecon on the symlinked directories is called in filesystem package (as posttrans, otherwise restorecon is not installed yet at the time of filesystem installation).