Bug 1211721 - SELinux is preventing restorecon from 'associate' accesses on the filesystem debug.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:75260e83ba3b5986ce52c99a677...
Depends On: 1211010
Blocks:
Reported: 2015-04-14 17:54 UTC by Miroslav Grepl
Modified: 2015-07-14 15:41 UTC (History)

Fixed In Version: policycoreutils-2.3-8.fc21
Clone Of: 1211010
Environment:
Last Closed: 2015-07-03 18:42:51 UTC
Type: ---
Embargoed:



Description Miroslav Grepl 2015-04-14 17:54:24 UTC
+++ This bug was initially created as a clone of Bug #1211010 +++

Description of problem:
was trying to create a rawhide workstation livecd
SELinux is preventing restorecon from 'associate' accesses on the filesystem debug.

*****  Plugin filesystem_associate (99.5 confidence) suggests   **************

If you believe restorecon should be allowed to create debug files
Then you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.
Do
use a command like "cp -p" to preserve all permissions except SELinux context.

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that restorecon should be allowed associate access on the debug filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:object_r:debugfs_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                debug [ filesystem ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.9.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.19.2-201.fc21.x86_64 #1 SMP Tue
                              Mar 24 03:08:23 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-04-11 20:44:44 PDT
Last Seen                     2015-04-11 20:44:44 PDT
Local ID                      9c829e4e-b46e-4637-aa76-05ef76e97f9d

Raw Audit Messages
type=AVC msg=audit(1428810284.346:548): avc:  denied  { associate } for  pid=30291 comm="restorecon" name="debug" dev="sysfs" ino=744 scontext=system_u:object_r:debugfs_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0


Hash: restorecon,debugfs_t,sysfs_t,filesystem,associate

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.2-201.fc21.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-04-13 08:51:46 EDT ---

(In reply to Moez Roy from comment #0)
> Description of problem:
> was trying to create a rawhide workstation livecd

Could you paste your steps?

--- Additional comment from Moez Roy on 2015-04-13 10:23:15 EDT ---

(In reply to Miroslav Grepl from comment #1)
> (In reply to Moez Roy from comment #0)
> > Description of problem:
> > was trying to create a rawhide workstation livecd
> 
> Could you paste your steps?

yum install livecd-tools wget

wget https://kojipkgs.fedoraproject.org//work/tasks/8354/9468354/fedora-live-workstation-1564226.ks

mkdir cacheDir tmpDir

livecd-creator --config=fedora-live-workstation-1564226.ks --cache=cacheDir --tmpdir=tmpDir --verbose


Note: you should also see warnings like "/sbin/setfiles: tmpDir/something is not located in /etc/selinux/targeted/contexts/files/file_contexts"

--- Additional comment from Miroslav Grepl on 2015-04-14 08:59:49 EDT ---

Added to rawhide

commit a0bf28db6a603defbc8ec2ee4c9b72c834edfe61
Author: Miroslav Grepl <mgrepl>
Date:   Tue Apr 14 14:58:59 2015 +0200

    Allow debugfs associate to a sysfs filesystem.

Comment 1 Miroslav Grepl 2015-04-14 17:55:13 UTC
> Note: you should also see warnings like "/sbin/setfiles: tmpDir/something is not located in /etc/selinux/targeted/contexts/files/file_contexts"

There is broken "setfiles -r" functionality.

Comment 2 Moez Roy 2015-04-14 21:22:11 UTC
(In reply to Miroslav Grepl from comment #1)
> > Note: you should also see warnings like "/sbin/setfiles: tmpDir/something is not located in /etc/selinux/targeted/contexts/files/file_contexts"
> 
> There is broken "setfiles -r" functionality.

I don't understand. Is this the problem with LiveCD-Tools using "setfiles" instead of using "setfiles -r"?

Comment 3 Petr Lautrbach 2015-04-16 10:47:46 UTC
(In reply to Moez Roy from comment #2)
> I don't understand. Is this the problem with LiveCD-Tools using "setfiles"
> instead of using "setfiles -r"?

No, there's a bug in setfiles code. The following patch fixes it:

--- a/policycoreutils-2.3/setfiles/setfiles.c
+++ b/policycoreutils-2.3/setfiles/setfiles.c
@@ -334,7 +334,7 @@ int main(int argc, char **argv)
                                        argv[0]);
                                exit(-1);
                        }
-                       set_rootpath(argv[optind]);
+                       set_rootpath(optarg);
                        break;
                case 's':
                        use_input_file = 1;
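
Review bot: The set_rootpath() line is now correct, but the same argv[optind] pattern may exist in other cases of this switch and should be audited in the same change. By the time a case body runs, getopt has already advanced optind past the option's argument, so argv[optind] is whatever follows it on the command line (the next option, the first pathname, or NULL at the end of argv), while optarg is the value given to the option. A regression test that passes the root path option followed by further options and pathnames would pin the behaviour down, since the old code only went wrong depending on what came next in argv.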

Comment 4 Miroslav Grepl 2015-04-16 12:59:06 UTC
Yes, this bug has two parts - policy bug + setfiles bug.

Petr,
thanks for the patch. It works for me as expected.

Comment 5 Adam Williamson 2015-05-07 16:09:04 UTC
I believe this may be causing https://bugzilla.redhat.com/show_bug.cgi?id=1190377 . Investigating.

Comment 6 Fedora Update System 2015-06-26 13:21:26 UTC
policycoreutils-2.3-17.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/policycoreutils-2.3-17.fc22

Comment 7 Fedora Update System 2015-06-26 13:32:59 UTC
policycoreutils-2.3-8.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/policycoreutils-2.3-8.fc21

Comment 8 Fedora Update System 2015-06-27 12:40:24 UTC
Package policycoreutils-2.3-8.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.3-8.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10818/policycoreutils-2.3-8.fc21
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2015-07-03 18:42:51 UTC
policycoreutils-2.3-17.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-07-14 15:41:11 UTC
policycoreutils-2.3-8.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

