Bug 1110758 - SELinux prevents cockpit from working on Fedora 21
Summary: SELinux prevents cockpit from working on Fedora 21
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard: AcceptedBlocker
Duplicates: 1121761
Depends On:
Blocks: F21AlphaBlocker cockpit-F21-tracker 1108258
Reported: 2014-06-18 11:39 UTC by Stef Walter
Modified: 2014-09-04 21:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-04 21:04:46 UTC
Type: Bug


Attachments
Initial try at updating cockpit rawhide selinux policy (9.18 KB, patch)
2014-07-22 13:24 UTC, Stef Walter

Description Stef Walter 2014-06-18 11:39:13 UTC
Description of problem:

The following AVC's show up when trying to use Cockpit on Fedora Rawhide.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-58.fc21.noarch


Steps to Reproduce:
1. yum install cockpit
2. yum start cockpit
3. http://localhost:1001  and login

Comment 1 Stef Walter 2014-06-18 11:40:10 UTC
type=USER_AVC msg=audit(1403091302.776:91): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.12 spid=366 tpid=572 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091327.803:95): avc:  denied  { transition } for  pid=579 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="vda3" ino=413131 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=USER_AVC msg=audit(1403091341.716:102): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.14 spid=366 tpid=586 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091341.729:105): avc:  denied  { transition } for  pid=590 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="vda3" ino=413131 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(1403091341.932:106): avc:  denied  { connectto } for  pid=375 comm="dbus-daemon" path="/run/systemd/journal/stdout" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1403091342.008:107): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.16 spid=340 tpid=598 scontext=system_u:system_r:accountsd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091342.091:109): avc:  denied  { read } for  pid=607 comm="systemd-hostnam" name="urandom" dev="tmpfs" ino=41134 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1403091342.091:109): avc:  denied  { open } for  pid=607 comm="systemd-hostnam" path="/dev/urandom" dev="tmpfs" ino=41134 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
type=USER_AVC msg=audit(1403091342.241:113): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.16 spid=607 tpid=598 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
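
Added here as an illustration and not part of the report: a small Python triage helper that parses the two audit record shapes above (kernel AVC and dbus USER_AVC), groups denials by source type, target type, object class and permission, and separates the ones that were actually enforced (permissive=0) from those only logged. The sample lines are copied from this bug's comments; the label-drift check is a heuristic of my own.

```python
import re
from collections import Counter

# Sample audit records copied from this bug report (one dbus USER_AVC, two kernel AVCs).
SAMPLE = """\
type=USER_AVC msg=audit(1403091302.776:91): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.12 spid=366 tpid=572 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091327.803:95): avc:  denied  { transition } for  pid=579 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="vda3" ino=413131 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(1406909036.883:363): avc:  denied  { transition } for  pid=1041 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="dm-0" ino=534959 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
"""

# The denial body is identical in both record types; USER_AVC just wraps it in msg='...'.
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict of its fields, or None if it holds no denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"type": line.split()[0][len("type="):], "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"').rstrip("'")  # drop quoting and the USER_AVC closing quote
    # A context is user:role:type[:range]; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the kernel really refused the access; dbus USER_AVC records
    # carry no such flag, so for them the outcome is unknown (None).
    rec["enforced"] = None if "permissive" not in rec else rec["permissive"] == "0"
    return rec


def summarize(text):
    """Group denials by (source type, target type, class, perms); also list enforced ones."""
    counts = Counter()
    enforced = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))
        counts[key] += 1
        if rec["enforced"]:
            enforced.append(key)
    return counts, enforced


def likely_label_drift(rec):
    """Heuristic (mine, not from the report): a failed domain transition attempted by a
    process still in unconfined_service_t suggests the executable lacks its *_exec_t
    label; confirm by comparing ls -Z against matchpathcon for that path."""
    return rec["perms"] == ["transition"] and rec["stype"] == "unconfined_service_t" and "path" in rec
```

Run `summarize` over `ausearch -m avc,user_avc -ts recent` output to see at a glance which denials would break an enforcing system and which are only noise from permissive mode.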

Comment 2 Stef Walter 2014-06-18 11:42:15 UTC
Note that we have an unconfined *user/session* dbus-daemon which runs an unconfined cockpitd, which in turn connects out to system dbus services.

Comment 3 Stef Walter 2014-07-22 08:41:21 UTC
*** Bug 1121761 has been marked as a duplicate of this bug. ***

Comment 4 Stef Walter 2014-07-22 13:04:58 UTC
It looks like the cockpit selinux policy in the rawhide-contrib branch of selinux-policy-targeted is very old:

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/cockpit.fc?h=rawhide-contrib

In addition the policy is very liberal, and runs public system services (ie: cockpit-ws) as unconfined.

Comment 5 Stef Walter 2014-07-22 13:24:48 UTC
Created attachment 919929 [details]
Initial try at updating cockpit rawhide selinux policy

Here's an update of the cockpit selinux policy to what it should look like. I haven't been able to test this because of bug #1122052 ... but I figured I'd post the patch here anyway.

Comment 6 Miroslav Grepl 2014-07-23 06:35:27 UTC
Stef, 
are these policy changes the same ones we were working on together?

Also we can leave cockpit policy from the Fedora policy and you can ship it as cockpit-selinux.rpm but we will keep policy files in our repo where you make pull requests.

https://github.com/selinux-policy/selinux-policy

Comment 7 Stef Walter 2014-07-23 06:44:01 UTC
Yes, the same ones. I'm fine with making a new rpm with the cockpit selinux policy. Do I have to wait for you to remove the broken one from selinux-policy-targeted first? Will it conflict? I think just the 'cockpit' module name is the same.

Comment 8 Miroslav Grepl 2014-07-23 07:13:07 UTC
Let's first get it working again and then I am going to make all changes to the github repo.

Comment 9 Stef Walter 2014-07-23 12:33:40 UTC
Here's a build of cockpit which includes a cockpit-selinux-policy subpackage containing the policy:

http://koji.fedoraproject.org/koji/taskinfo?taskID=7184809

I guess I'll push to f21 and master in a few hours unless you tell me not to.

Comment 10 Miroslav Grepl 2014-07-23 13:05:33 UTC
Ok but what source files do you use?

Comment 11 Miroslav Grepl 2014-07-23 13:06:16 UTC
Also I don't think we want to do it in F21 in this phase.

Comment 12 Stef Walter 2014-07-23 13:20:13 UTC
(In reply to Miroslav Grepl from comment #11)
> Also I don't think we want to do it in F21 in this phase.

Well in F21 (and rawhide) cockpit is completely broken due to selinux, and that will likely make it a blocker issue. How do you think we should solve the blocker?

These are the source files:

https://github.com/cockpit-project/cockpit/tree/master/src/selinux

I really don't care at all whether cockpit distributes the policy, or whether it comes with selinux-policy-targeted ... as long as it's correct, doesn't break cockpit, and we have a reliable policy update mechanism for when we make changes.

Comment 13 Adam Williamson 2014-07-23 16:22:18 UTC
Discussed at 2014-07-23 Alpha blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-07-23/f21-blocker-review.2014-07-23-15.59.log.txt . Accepted as a blocker per criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (XX).", https://fedoraproject.org/wiki/Fedora_21_Alpha_Release_Criteria#Cockpit_management_interface .

Comment 14 Colin Walters 2014-07-29 01:01:38 UTC
Having a separate package on rawhide but not a separate package on F21 feels quite odd to me.  It's (theoretically) easier to change policy in rawhide than F21.

I'd vote for not having a separate package personally; very few other userspace bits do it.

Comment 15 Colin Walters 2014-07-29 01:05:03 UTC
FWIW I pushed http://pkgs.fedoraproject.org/cgit/cockpit.git/commit/?id=95188aea07359071f1b2c15516ee14d4d32e92b3 since it was breaking the atomic composes.

Comment 16 Miroslav Grepl 2014-07-29 05:20:21 UTC
We should have the latest cockpit policy in Rawhide/F21 now.

Comment 17 Stef Walter 2014-07-30 12:02:05 UTC
Alright, will remove the package. Not a big deal either way. I guess I misunderstood comment #11

Comment 18 Adam Williamson 2014-07-30 17:16:11 UTC
Is a selinux-policy build scheduled soon? We like to get blocker issues fixed up ASAP. Thanks!

Comment 19 Miroslav Grepl 2014-07-30 18:15:37 UTC
Should be already in selinux-policy-3.13.1-67.fc21

Comment 20 Adam Williamson 2014-07-30 18:32:55 UTC
Can someone please test and confirm whether this is fixed, then? Thanks.

Comment 21 Stef Walter 2014-07-30 20:21:48 UTC
As far as I can tell this is fixed. I did the following:

1. Distro sync and Reboot, make sure enforcing

2. Verify no custom selinux modules installed:

  # semanage module --list --locallist

  Modules Name             Version   

3. Check for rpm versions

  # rpm -q selinux-policy-targeted
  selinux-policy-targeted-3.13.1-67.fc21.noarch
  # rpm -q cockpit
  cockpit-0.17-1.fc21.x86_64

4. No AVC's when starting or logging into cockpit

Comment 22 Adam Williamson 2014-07-30 20:23:46 UTC
Let's close it then, there's no bodhi step for f21 yet. Thanks!

Comment 23 Miloslav Trmač 2014-08-01 16:18:30 UTC
On a netinstall, I still see AVCs:

> cockpit-0.18-1.fc21.x86_64
> selinux-policy-3.13.1-68.fc21.noarch

> type=USER_AVC msg=audit(1406909011.860:360): pid=578 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.14 spid=571 tpid=1031 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=AVC msg=audit(1406909036.883:363): avc:  denied  { transition } for  pid=1041 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="dm-0" ino=534959 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

Comment 24 Stef Walter 2014-08-01 18:02:28 UTC
Confirming. Set up a new system and see the same thing. It seems that the cockpit changes are completely missing from the policy:

# ps -xaZ | grep cockpit
system_u:system_r:unconfined_service_t:s0 547 ? Ssl   0:00 /usr/libexec/cockpit-ws
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 596 pts/1 S+   0:00 grep --color=auto cockpit
# rpm -q cockpit
cockpit-0.18-1.fc21.x86_64
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-68.fc21.noarch

Comment 25 Stef Walter 2014-08-01 19:47:44 UTC
The file system labels are all wrong:

# rpm -q selinux-policy-targeted 
selinux-policy-targeted-3.13.1-68.fc21.noarch
# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-agent
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpitd
-rwsr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:bin_t:s0       /usr/libexec/cockpit-session
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-ws
# restorecon -rv /usr/libexec/cockpit*
# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-agent
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpitd
-rwsr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:bin_t:s0       /usr/libexec/cockpit-session
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-ws

Comment 26 Miroslav Grepl 2014-08-04 07:26:55 UTC
Strange. I see on my system:

# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root       system_u:object_r:shell_exec_t:s0 /usr/libexec/cockpit-agent
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpitd
-rwsr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:cockpit_session_exec_t:s0 /usr/libexec/cockpit-session
-rwxr-xr-x. root root       system_u:object_r:cockpit_ws_exec_t:s0 /usr/libexec/cockpit-ws

Comment 27 Miroslav Grepl 2014-08-04 10:47:10 UTC
(In reply to Miloslav Trmač from comment #23)
> On a netinstall, I still see AVCs:
> 
> > cockpit-0.18-1.fc21.x86_64
> > selinux-policy-3.13.1-68.fc21.noarch
> 
> > type=USER_AVC msg=audit(1406909011.860:360): pid=578 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.14 spid=571 tpid=1031 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> > type=AVC msg=audit(1406909036.883:363): avc:  denied  { transition } for  pid=1041 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="dm-0" ino=534959 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

The problem we have:

system_u:system_r:unconfined_service_t:s0 1013 ? 00:00:00 cockpit-ws

Comment 28 Miroslav Grepl 2014-08-04 10:48:44 UTC
# ls -lZ /usr/libexec/cockpit-ws
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/libexec/cockpit-ws
# matchpathcon /usr/libexec/cockpit-ws
/usr/libexec/cockpit-ws	system_u:object_r:cockpit_ws_exec_t:s0


So we have a labeling issue here again.

Comment 29 Miroslav Grepl 2014-08-04 13:39:39 UTC
Ok I have just installed a fresh f21 and updated selinux-policy-targeted pkg and see the correct labels.

I am not sure how it could happen. We might want to re-test with newer images.

Comment 30 Stef Walter 2014-08-04 16:50:40 UTC
(In reply to Miroslav Grepl from comment #29)
> Ok I have just installed a fresh f21 and updated selinux-policy-targeted pkg
> and see the correct labels.
> 
> I am not sure how it could happen. We might want to re-test with newer
> images.

Could you post the exact commands you used to configure your f21 fresh install? Meanwhile, I'm uploading an image that exhibits the bug.

Comment 32 Kamil Páral 2014-08-13 17:45:19 UTC
Discussed at the 2014-08-13 blocker review meeting:
http://meetbot.fedoraproject.org/fedora-blocker-review/2014-08-13/
<danofsatx-work> this one is being actively worked. I haven't test it lately, though due to my "other" issues :(
<pschindl> #info There is an active work on bug 1110758

Comment 33 Stef Walter 2014-08-14 11:17:32 UTC
Using the netinst f21 iso here, I managed to make this work: 

ISO: http://alt.fedoraproject.org/pub/alt/stage/21-Alpha-T2/Server/x86_64/iso/Server-21-Alpha-T2-x86_64-netinst.iso
Network Source: http://alt.fedoraproject.org/pub/alt/stage/21-Alpha-T2/Server/x86_64/os

Processes and files both have correct labels. Can log in via cockpit without issue, and no 'denied' audit events.

Comment 34 Stef Walter 2014-08-14 11:19:33 UTC
However... The other path, upgrading from f20 -> f21 results in broken selinux labels.

It seems there are some serious selinux issues upgrading from f20 to f21. After an upgrade I can't log in:

Warning: Permanently added '192.168.12.236' (ECDSA) to the list of known hosts.
root@192.168.12.236's password: 
Last login: Thu Aug 14 13:06:25 2014
... hang ...
/bin/bash: Permission denied
Connection to 192.168.12.236 closed.

On an f20 -> f21 system, I have to first 'restorecon -Rv /' and reboot, after which I can again log in via ssh.

This is likely related to what I experienced, perhaps due to having cockpit installed during the upgrade.

Comment 35 Adam Williamson 2014-09-04 21:04:46 UTC
So if this was fixed in TC2 I think we can close it by now, but can you verify if issues remain with the upgrade path and if so file them separately, possibly as Beta release blockers? Thanks!
