Bug 1178208 - [f21] wrong selinux contexts after atomic upgrade
Summary: [f21] wrong selinux contexts after atomic upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ostree
Version: 21
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Colin Walters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-01-02 21:30 UTC by Dusty Mabe
Modified: 2015-01-14 14:14 UTC (History)

Fixed In Version: ostree-2014.13-2.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of: 1164058
Environment:
Last Closed: 2015-01-13 00:05:18 UTC
Type: Bug




Links: GNOME Bugzilla 742289 (last updated 2019-06-19 13:13:06 UTC)

Description Dusty Mabe 2015-01-02 21:30:29 UTC
Description of problem:

selinux contexts on files like /etc/passwd are incorrect after upgrade. 


Version-Release number of selected component (if applicable):

Started with the fedora 21 atomic image from 20141203 and upgraded to:

-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC                                                
* 2015-01-02 03:42:21     3a4a44bc82     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host     
  2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host

How reproducible:
Always


Steps to Reproduce:
1. Download image and boot and follow output below:

-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC                                                
* 2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host     
-bash-4.3# rpm -q rpm-ostree
rpm-ostree-2014.104-3.fc21.x86_64
-bash-4.3# ls  -Z /etc/passwd
-rw-rw-r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
-bash-4.3# 
-bash-4.3# atomic upgrade
Updating from: fedora-atomic:fedora-atomic/f21/x86_64/docker-host

695 metadata, 3205 content objects fetched; 140527 KiB transferred in 157 seconds
Copying /etc changes: 26 modified, 4 removed, 39 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Changed:
  NetworkManager-1:0.9.10.0-14.git20140704.fc21.x86_64
  NetworkManager-glib-1:0.9.10.0-14.git20140704.fc21.x86_64
  ....<snip>....
  util-linux-2.25.2-2.fc21.x86_64
Added:
  flannel-0.1.0-8.gita7b435a.fc21.x86_64
Updates prepared for next boot; run "systemctl reboot" to start a reboot
-bash-4.3#reboot

AFTER REBOOT
-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC                                                
* 2015-01-02 03:42:21     3a4a44bc82     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host     
  2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host
-bash-4.3# ls -Z /etc/shadow
----------. root root unconfined_u:object_r:etc_t:s0   /etc/shadow
-bash-4.3# 
-bash-4.3# echo foopass | passwd --stdin root
Changing password for user root.
passwd: Authentication token manipulation error
-bash-4.3#
-bash-4.3# restorecon -Rv /etc/
restorecon reset /etc/locale.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/shadow- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/localtime context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/.updated context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:etc_runtime_t:s0
restorecon reset /etc/hostname context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:hostname_etc_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ecdsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ecdsa_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ed25519_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ed25519_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/group context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/adjtime context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:adjtime_t:s0
restorecon reset /etc/gshadow- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/group- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/gshadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/hosts context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
restorecon reset /etc/passwd context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/passwd- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/shadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/resolv.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
restorecon reset /etc/vconsole.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0

Comment 1 Colin Walters 2015-01-04 01:15:51 UTC
Should be fixed by https://bugzilla.gnome.org/show_bug.cgi?id=742289

This regression has been sitting around a while.  There were two factors conspiring to hide it:

1) Modern SELinux (RHEL7 era) supports kernel filename-based labeling defaults, so if e.g. you create "sysctl.conf" in a directory of type etc_t, it's labeled system_conf_t.  So many of the labels were right due to that.
2) All of *my* Atomic usage is ssh pubkey based, I don't use passwords, so the permissions on /etc/shadow didn't matter.

Comment 2 Colin Walters 2015-01-04 01:53:32 UTC
Building for rawhide in http://koji.fedoraproject.org/koji/taskinfo?taskID=8520347

I'd like to wait until the patch has review upstream before submitting to F21 updates.

Comment 3 Fedora Update System 2015-01-06 16:37:10 UTC
ostree-2014.13-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ostree-2014.13-2.fc21

Comment 4 Dusty Mabe 2015-01-06 16:44:40 UTC
I accidentally cloned 1178208 from 1164058. This was a mistake.

Comment 5 Fedora Update System 2015-01-07 01:26:51 UTC
Package ostree-2014.13-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ostree-2014.13-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-0285/ostree-2014.13-2.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-01-13 00:05:18 UTC
ostree-2014.13-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Colin Walters 2015-01-14 14:14:39 UTC
To correctly clean up from this issue:

1) "atomic upgrade" to the latest (2015-01-14 or newer)
2) reboot
3) restorecon -R -v /etc/
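A check for this class of mislabeling, added here as an example that is not part of this bug report, of ostree, or of policycoreutils: it parses the `restorecon reset <path> context OLD->NEW` lines in the format the description shows, which `restorecon -Rnv /etc/` (the passive dry run, `-n` reports without relabeling) also prints, and lists the files whose policy-defined type is one of the authentication-critical types that went wrong in this report. The sample lines are constructed from the description's output; the set of sensitive types and the function names are this example's own choices.

```python
import re
import sys
from typing import Dict, List

# Constructed sample, copied in shape from the `restorecon -Rv /etc/` output in the
# description. The same line format comes out of `restorecon -Rnv /etc/`, where -n
# reports what would change without relabeling anything.
SAMPLE_OUTPUT = """\
restorecon reset /etc/locale.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/shadow- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/group context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/hosts context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
restorecon reset /etc/shadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
"""

# Types chosen for this example: a file that should carry one of these but was found
# as plain etc_t is exactly the failure mode that broke passwd(1) in the report.
SENSITIVE_TYPES = {"shadow_t", "passwd_file_t", "sshd_key_t"}

# "restorecon reset <path> context <old>-><new>"; the path is matched greedily so a
# path containing spaces still parses, since contexts themselves contain none.
RESET_RE = re.compile(r"^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$")


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]


def parse_restorecon(output: str) -> List[Dict[str, str]]:
    """Parse the 'reset' lines of restorecon -v output; other lines are ignored."""
    records = []
    for line in output.splitlines():
        m = RESET_RE.match(line.rstrip())
        if not m:
            continue
        records.append({
            "path": m.group("path"),
            "old_type": context_type(m.group("old")),
            "new_type": context_type(m.group("new")),
        })
    return records


def sensitive_relabels(output: str) -> List[str]:
    """Paths whose policy-defined type is sensitive but whose on-disk type differed."""
    return sorted(r["path"] for r in parse_restorecon(output)
                  if r["new_type"] in SENSITIVE_TYPES)


def relabels_by_type(output: str) -> Dict[str, int]:
    """Count relabels by the type the file should have had, to size the blast radius."""
    counts: Dict[str, int] = {}
    for r in parse_restorecon(output):
        counts[r["new_type"]] = counts.get(r["new_type"], 0) + 1
    return counts


if __name__ == "__main__":
    # Feed real output with: restorecon -Rnv /etc/ | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for path in sensitive_relabels(data):
        print("SENSITIVE mislabel:", path)
    for t, n in sorted(relabels_by_type(data).items()):
        print(f"{t}: {n}")
```

Running the dry run through this before step 3 shows whether the deployment is affected and which files matter, and running it again after `restorecon -R -v /etc/` should produce no output, which confirms the cleanup took. The regex matches the "reset ... context" wording printed by the restorecon of this report's era; newer policycoreutils releases phrase the line differently ("Relabeled ... from ... to ..."), so extend the pattern if the parser stays silent on a current system.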

