Bug 1156378 - SELinux denies package install for rolekit
Summary: SELinux denies package install for rolekit
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F21BetaBlocker
Reported: 2014-10-24 10:52 UTC by Stephen Gallagher
Modified: 2014-11-03 09:41 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-91.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-31 07:40:56 UTC
Type: Bug
Embargoed:


Description Stephen Gallagher 2014-10-24 10:52:29 UTC
Description of problem:
rolekit (actually roled) forks and exec()s 'yum install' to ensure that all of the packages it needs for a role deployment are in place.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-90.fc21.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install a completely pristine Fedora Server 21 Beta system with all defaults.
2. run 'rolectl deploy --settings-file=/root/settings.json domaincontroller' with an appropriate settings.json (see https://fedorahosted.org/rolekit/wiki/DomainController)

Actual results:
The deployment fails during package installation, throwing script errors in the logs.

Expected results:
The deployment should succeed.

Additional info:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing yum from using the transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that yum should be allowed transition access on processes labeled rpm_script_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:rolekit_t:s0
Target Context                system_u:system_r:rpm_script_t:s0
Target Objects                /usr/bin/bash [ process ]
Source                        yum
Source Path                   yum
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           bash-4.3.30-2.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-90.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     freeipa.rc1.beta.validation
Platform                      Linux freeipa.rc1.beta.validation
                              3.17.1-302.fc21.x86_64 #1 SMP Fri Oct 17 20:05:46
                              UTC 2014 x86_64 x86_64
Alert Count                   70
First Seen                    2014-10-24 06:29:11 EDT
Last Seen                     2014-10-24 06:30:51 EDT
Local ID                      74efb75d-0eeb-4ac6-917f-3319c5955648

Raw Audit Messages
type=AVC msg=audit(1414146651.343:464): avc:  denied  { transition } for  pid=1213 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=267821 scontext=system_u:system_r:rolekit_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0


Hash: yum,rolekit_t,rpm_script_t,process,transition

Comment 1 Fedora Blocker Bugs Application 2014-10-24 10:55:04 UTC
Proposed as a Blocker for 21-beta by Fedora user sgallagh using the blocker tracking app because:

 "Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode." and "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."

Comment 2 Adam Williamson 2014-10-24 11:00:23 UTC
in case I don't wake up in time for the meeting tomorrow, I'm +1 blocker.

Comment 3 Miroslav Grepl 2014-10-24 13:49:52 UTC
We need to add

optional_policy(`
    rpm_transition_script(rolekit_t, system_r)
')
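
As an added illustration (not code from the report, rolekit or selinux-policy), a small triage helper that parses the AVC record quoted in the description and turns it into the raw allow rule in policy syntax, then points at the interface-based fix from Comment 3 for the one case this bug covers. The regex, function names and the sample line embedded below are my own construction; the interface name rpm_transition_script is the one the policy maintainer used above.

```python
import re

# Constructed copy of the AVC record quoted in the bug report, embedded so the
# helper runs offline; in practice the lines come from /var/log/audit/audit.log.
SAMPLE_AVC = (
    'type=AVC msg=audit(1414146651.343:464): avc:  denied  { transition } for  '
    'pid=1213 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=267821 '
    'scontext=system_u:system_r:rolekit_t:s0 '
    'tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Contexts are user:role:type:level; the type is the third field.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    d["perms"] = d["perms"].split()
    # permissive=0 means the domain was enforcing, so the access really failed.
    d["permissive"] = d["permissive"] == "1"
    return d


def allow_rule(avc):
    """Raw allow rule in policy syntax that would cover exactly this denial."""
    return "allow %s %s:%s { %s };" % (
        avc["stype"], avc["ttype"], avc["tclass"], " ".join(avc["perms"]))


def suggest_fix(avc):
    """For a process transition into rpm_script_t, prefer the rpm interface
    (as done in Comment 3) over a raw allow rule; otherwise fall back to it."""
    if avc["tclass"] == "process" and avc["perms"] == ["transition"] \
            and avc["ttype"] == "rpm_script_t":
        return "rpm_transition_script(%s, system_r)" % avc["stype"]
    return allow_rule(avc)
```

The interface form is preferred because it also carries the role and type-transition pieces that a bare allow on { transition } leaves out.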

Comment 4 Miroslav Grepl 2014-10-24 13:50:42 UTC
commit cf74a399b86a6244a4927446a72aad7f955db03d
Author: Miroslav Grepl <mgrepl>
Date:   Fri Oct 24 15:50:24 2014 +0200

    Allow rolekit transition to rpm_script_t.

Comment 5 Adam Williamson 2014-10-24 17:46:30 UTC
Discussed at 2014-10-24 Go/No-Go meeting: http://meetbot.fedoraproject.org/fedora-meeting-2/2014-10-24/f21_beta_gono-go_meeting.2014-10-24-17.01.log.txt . Accepted as a blocker per criterion cited in c#1.

Comment 6 Adam Williamson 2014-10-27 18:13:34 UTC
sgallagh reports that the -91 build resolves the issue, so setting VERIFIED for blocker tracking purposes. We need an update submitted with that build in it.

Comment 8 Adam Williamson 2014-10-30 19:12:34 UTC
Lukas, for future reference, we really need you to submit the *exact build that was pulled through the freeze*, not a later one. It's usually not critical for Beta, but it absolutely is for Final, because the frozen tree *has* to match what's on the ISOs.

Comment 9 Adam Williamson 2014-10-31 07:40:56 UTC
Actually it turns out it is critical for Beta, as we wanted to provide a frozen Beta tree for secondary arches to base their Beta build on.

dgilmore has tagged -91 for stable manually, so this should be OK now, but we really need to have the correct build submitted to Bodhi in future, thanks.

Comment 10 Lukas Vrabec 2014-11-03 09:41:05 UTC
Adam, 
Sorry, my mistake, I'll avoid this.
