Description of problem:
The following AVC's show up when trying to use Cockpit on Fedora Rawhide.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-58.fc21.noarch

Steps to Reproduce:
1. yum install cockpit
2. yum start cockpit
3. http://localhost:1001 and login
type=USER_AVC msg=audit(1403091302.776:91): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.12 spid=366 tpid=572 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091327.803:95): avc: denied { transition } for pid=579 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="vda3" ino=413131 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=USER_AVC msg=audit(1403091341.716:102): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=366 tpid=586 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091341.729:105): avc: denied { transition } for pid=590 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="vda3" ino=413131 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(1403091341.932:106): avc: denied { connectto } for pid=375 comm="dbus-daemon" path="/run/systemd/journal/stdout" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1403091342.008:107): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=340 tpid=598 scontext=system_u:system_r:accountsd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091342.091:109): avc: denied { read } for pid=607 comm="systemd-hostnam" name="urandom" dev="tmpfs" ino=41134 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1403091342.091:109): avc: denied { open } for pid=607 comm="systemd-hostnam" path="/dev/urandom" dev="tmpfs" ino=41134 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
type=USER_AVC msg=audit(1403091342.241:113): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=607 tpid=598 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Note that we have an unconfined *user/session* dbus-daemon which runs an unconfined cockpitd, which in turn connects out to system dbus services.
*** Bug 1121761 has been marked as a duplicate of this bug. ***
It looks like the cockpit selinux policy in the rawhide-contrib branch of selinux-policy-targeted is very old: https://git.fedorahosted.org/cgit/selinux-policy.git/tree/cockpit.fc?h=rawhide-contrib In addition the policy is very liberal, and runs public system services (i.e. cockpit-ws) as unconfined.
Created attachment 919929
Initial try at updating cockpit rawhide selinux policy

Here's an update of the cockpit selinux policy to what it should look like. I haven't been able to test this because of bug #1122052 ... but I figured I'd post the patch here anyway.
Stef, are these policy changes the same ones we were working on together? Also, we can leave the cockpit policy out of the Fedora policy and you can ship it as cockpit-selinux.rpm, but we will keep the policy files in our repo where you make pull requests. https://github.com/selinux-policy/selinux-policy
Yes the same ones. I'm fine with making a new rpm with the cockpit selinux policy. Do I have to wait for you to remove the broken one from selinux-policy-targeted first? Will it conflict? I think just the 'cockpit' module name is the same.
Let's first get it working again, and then I am going to make all changes in the github repo.
Here's a build of cockpit which includes a cockpit-selinux-policy subpackage containing the policy: http://koji.fedoraproject.org/koji/taskinfo?taskID=7184809 I guess I'll push to f21 and master in a few hours unless you tell me not to.
Ok but what source files do you use?
Also I don't think we want to do it in F21 in this phase.
(In reply to Miroslav Grepl from comment #11)
> Also I don't think we want to do it in F21 in this phase.

Well in F21 (and rawhide) cockpit is completely broken due to selinux, and that will likely make it a blocker issue. How do you think we should solve the blocker?

These are the source files: https://github.com/cockpit-project/cockpit/tree/master/src/selinux

I really don't care at all whether cockpit distributes the policy, or whether it comes with selinux-policy-targeted ... as long as it's correct, doesn't break cockpit, and we have a reliable policy update mechanism for when we make changes.
Discussed at 2014-07-23 Alpha blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-07-23/f21-blocker-review.2014-07-23-15.59.log.txt . Accepted as a blocker per criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (XX).", https://fedoraproject.org/wiki/Fedora_21_Alpha_Release_Criteria#Cockpit_management_interface .
Having a separate package on rawhide but not a separate package on F21 feels quite odd to me. It's (theoretically) easier to change policy in rawhide than F21. I'd vote for not having a separate package personally; very few other userspace bits do it.
FWIW I pushed http://pkgs.fedoraproject.org/cgit/cockpit.git/commit/?id=95188aea07359071f1b2c15516ee14d4d32e92b3 since it was breaking the atomic composes.
We should have the latest cockpit policy in Rawhide/F21 now.
Alright, will remove the package. Not a big deal either way. I guess I misunderstood comment #11
Is a selinux-policy build scheduled soon? We'd like to get blocker issues fixed up ASAP. Thanks!
Should be already in selinux-policy-3.13.1-67.fc21
Can someone please test and confirm whether this is fixed, then? Thanks.
As far as I can tell this is fixed. I did the following:

1. Distro sync and reboot, make sure enforcing
2. Verify no custom selinux modules installed:
# semanage module --list --locallist
Modules Name Version
3. Check for rpm versions
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-67.fc21.noarch
# rpm -q cockpit
cockpit-0.17-1.fc21.x86_64
4. No AVC's when starting or logging into cockpit
let's close it then, there's no bodhi step for f21 yet. thanks!
On a netinstall, I still see AVCs:

> cockpit-0.18-1.fc21.x86_64
> selinux-policy-3.13.1-68.fc21.noarch

> type=USER_AVC msg=audit(1406909011.860:360): pid=578 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=571 tpid=1031 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=AVC msg=audit(1406909036.883:363): avc: denied { transition } for pid=1041 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="dm-0" ino=534959 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
Confirming. Set up a new system and see the same thing. It seems that the cockpit changes are completely missing from the policy:

# ps -xaZ | grep cockpit
system_u:system_r:unconfined_service_t:s0 547 ? Ssl 0:00 /usr/libexec/cockpit-ws
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 596 pts/1 S+ 0:00 grep --color=auto cockpit
# rpm -q cockpit
cockpit-0.18-1.fc21.x86_64
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-68.fc21.noarch
The file system labels are all wrong:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-68.fc21.noarch
# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-agent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpitd
-rwsr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:bin_t:s0 /usr/libexec/cockpit-session
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-ws
# restorecon -rv /usr/libexec/cockpit*
# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-agent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpitd
-rwsr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:bin_t:s0 /usr/libexec/cockpit-session
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-ws
Strange. I see on my system:

# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/libexec/cockpit-agent
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpitd
-rwsr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:cockpit_session_exec_t:s0 /usr/libexec/cockpit-session
-rwxr-xr-x. root root system_u:object_r:cockpit_ws_exec_t:s0 /usr/libexec/cockpit-ws
(In reply to Miloslav Trmač from comment #23)
> On a netinstall, I still see AVCs:
>
> > cockpit-0.18-1.fc21.x86_64
> > selinux-policy-3.13.1-68.fc21.noarch
>
> > type=USER_AVC msg=audit(1406909011.860:360): pid=578 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=571 tpid=1031 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> > type=AVC msg=audit(1406909036.883:363): avc: denied { transition } for pid=1041 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="dm-0" ino=534959 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

The problem we have:

system_u:system_r:unconfined_service_t:s0 1013 ? 00:00:00 cockpit-ws
# ls -lZ /usr/libexec/cockpit-ws
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-ws
# matchpathcon /usr/libexec/cockpit-ws
/usr/libexec/cockpit-ws system_u:object_r:cockpit_ws_exec_t:s0

So we have a labeling issue here again.
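The comparison above (on-disk label from ls -lZ versus the label matchpathcon says the loaded policy expects) is the check that pins this down as a labeling problem rather than a missing policy. The helper below is an added example, not code from Cockpit or selinux-policy: it parses AVC/USER_AVC records quoted in this bug into (permission, source type, target type, class) tuples and reports files whose on-disk type differs from the expected one. The sample input is constructed from the thread; the matchpathcon line for cockpit-session is assumed from the correctly labeled system shown in comment 26.

```python
import re

# Constructed sample input, copied from the audit records, ls -lZ and
# matchpathcon output quoted in this bug report.
AVC_LINES = """\
type=AVC msg=audit(1406909036.883:363): avc: denied { transition } for pid=1041 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="dm-0" ino=534959 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=USER_AVC msg=audit(1406909011.860:360): pid=578 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=571 tpid=1031 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""
LS_Z = """\
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpitd
-rwsr-x---. root cockpit-ws system_u:object_r:bin_t:s0 /usr/libexec/cockpit-session
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/cockpit-ws
"""
# What matchpathcon reports for the same files under the fixed policy (the
# cockpit-session line is assumed from the correctly labeled system in the thread).
MATCHPATHCON = """\
/usr/libexec/cockpitd system_u:object_r:bin_t:s0
/usr/libexec/cockpit-session system_u:object_r:cockpit_session_exec_t:s0
/usr/libexec/cockpit-ws system_u:object_r:cockpit_ws_exec_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]+)\} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (permission, source type, target type, class) for one AVC or
    USER_AVC record, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    stype = kv["scontext"].split(":")[2]   # user:role:TYPE:level
    ttype = kv["tcontext"].split(":")[2]
    return (m.group("perms").strip(), stype, ttype, kv["tclass"])

def label_mismatches(ls_z_output, matchpathcon_output):
    """Return (path, actual type, expected type) for every file whose on-disk
    label differs from what the loaded policy expects; restorecon fixes these."""
    expected = {}
    for line in matchpathcon_output.splitlines():
        path, ctx = line.split()
        expected[path] = ctx.split(":")[2]
    mismatches = []
    for line in ls_z_output.splitlines():
        parts = line.split()              # ... context path
        path, actual = parts[-1], parts[-2].split(":")[2]
        if path in expected and expected[path] != actual:
            mismatches.append((path, actual, expected[path]))
    return mismatches
```

A denial whose source type is unconfined_service_t for a daemon that has its own domain is the signature of this class of bug: the binary was never labeled with its exec type, so no transition happened at exec time.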
Ok I have just installed a fresh f21 and updated selinux-policy-targeted pkg and see the correct labels. I am not sure how it could happen. We might want to re-test with newer images.
(In reply to Miroslav Grepl from comment #29)
> Ok I have just installed a fresh f21 and updated selinux-policy-targeted pkg
> and see the correct labels.
>
> I am not sure how it could happen. We might want to re-test with newer
> images.

Could you post the exact commands you used to configure your f21 fresh install? Meanwhile, I'm uploading an image that exhibits the bug.
Discussed at the 2014-08-13 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-08-13/

<danofsatx-work> this one is being actively worked. I haven't tested it lately, though, due to my "other" issues :(
<pschindl> #info There is active work on bug 1110758
Using the netinst f21 iso here, I managed to make this work:

ISO: http://alt.fedoraproject.org/pub/alt/stage/21-Alpha-T2/Server/x86_64/iso/Server-21-Alpha-T2-x86_64-netinst.iso
Network Source: http://alt.fedoraproject.org/pub/alt/stage/21-Alpha-T2/Server/x86_64/os

Processes and files both have correct labels. Can log in via cockpit without issue, and no 'denied' audit events.
However... The other path, upgrading from f20 -> f21, results in broken selinux labels. It seems there are some serious selinux issues upgrading from f20 to f21. After an upgrade I can't log in:

Warning: Permanently added '192.168.12.236' (ECDSA) to the list of known hosts.
root.12.236's password:
Last login: Thu Aug 14 13:06:25 2014
... hang ...
/bin/bash: Permission denied
Connection to 192.168.12.236 closed.

On an f20 -> f21 system I have to first 'restorecon -Rv /' and reboot, after which I can again log in via ssh. This is likely related to what I experienced, perhaps due to having cockpit installed during the upgrade.
So if this was fixed in TC2 I think we can close it by now, but can you verify whether issues remain with the upgrade path and, if so, file them separately, possibly as Beta release blockers? Thanks!