Bug 1227484 - install of packages during cloud-init boot fails with dnf selinux avc denials
Summary: install of packages during cloud-init boot fails with dnf selinux avc denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: https://fedoraproject.org/wiki/Common...
Depends On:
Blocks:
Reported: 2015-06-02 19:09 UTC by Dusty Mabe
Modified: 2015-06-27 22:33 UTC

Fixed In Version: selinux-policy-3.13.1-128.2.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-27 22:33:41 UTC


Description Dusty Mabe 2015-06-02 19:09:37 UTC
Description of problem:

Feel free to re-assign this bug to the appropriate component as I don't know what that is right now.

Basically if I try to install packages using cloud-init in the Fedora 22 cloud image then I get denials and my install scriptlets don't work:

type=AVC msg=audit(1433271374.623:169): avc:  denied  { transition } for  pid=872 comm="dnf" path="/usr/sbin/ldconfig" dev="vda1" ino=4512 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1433271375.095:170): avc:  denied  { transition } for  pid=873 comm="dnf" path="/usr/bin/bash" dev="vda1" ino=4844 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0


Version-Release number of selected component (if applicable):
Fedora-Cloud-Base-22-20150521.x86_64.qcow2

How reproducible:
Always

Steps to Reproduce:
1. Start cloud image with the following user-data and observe errors in audit.log and journalctl output during boot:

#cloud-config:
packages:
 - tmux
 - firewalld
 - vim
 - nginx
 - wget
runcmd:
 - [systemctl, enable, nginx.service]
 - [systemctl, enable, firewalld.service]
 - [wget, "http://roshi.fedorapeople.org", -O, /tmp/index.html]
 - [firewall-cmd, --add-service, http]
 - [cp, /tmp/index.html, /usr/share/nginx/html/]

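A small detector for the denial pattern shown in the description, added here as an example (it is not part of the bug report or of selinux-policy): it parses type=AVC audit records and flags enforced process-transition denials from cloud_init_t to rpm_script_t, the exact pair the later policy update addresses. The first two sample lines are the ones from this report; the permissive=1 line and the SYSCALL line are constructed to show what the filter ignores.

```python
import re

# Two AVC records copied from the description above, plus one constructed
# permissive-mode record and one constructed non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1433271374.623:169): avc:  denied  { transition } for  pid=872 comm="dnf" path="/usr/sbin/ldconfig" dev="vda1" ino=4512 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1433271375.095:170): avc:  denied  { transition } for  pid=873 comm="dnf" path="/usr/bin/bash" dev="vda1" ino=4844 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1433271400.000:171): avc:  denied  { transition } for  pid=900 comm="dnf" path="/usr/bin/bash" dev="vda1" ino=4844 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1433271375.095:170): arch=c000003e syscall=59 success=no exit=-13 comm="dnf"
"""

# "avc:  denied  { transition } for  pid=... comm=..." -> result, permissions, key=value tail
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    # A context is user:role:type:level; the type is what the policy rule keys on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def find_blocked_transitions(log_text, src_type="cloud_init_t", dst_type="rpm_script_t"):
    """Return (pid, comm, path) for each enforced denial of a process transition
    from src_type to dst_type. permissive=1 records were logged but allowed,
    so they are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if (rec.get("tclass") == "process" and "transition" in rec["perms"]
                and rec["stype"] == src_type and rec["ttype"] == dst_type
                and rec.get("permissive") == "0"):
            hits.append((int(rec["pid"]), rec["comm"], rec["path"]))
    return hits
```

Running it over /var/log/audit/audit.log before and after applying the selinux-policy update is a quick way to confirm the transition is now permitted.
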
Comment 1 Dusty Mabe 2015-06-02 21:22:32 UTC
Workaround that enables further testing (disables selinux on boot):


#cloud-config:
bootcmd:
 - setenforce 0
packages:
 - tmux
 - firewalld
 - vim
 - nginx
 - wget
runcmd:
 - [systemctl, enable, nginx.service]
 - [systemctl, enable, firewalld.service]
 - [wget, "http://roshi.fedorapeople.org", -O, /tmp/index.html]
 - [firewall-cmd, --add-service, http]
 - [cp, /tmp/index.html, /usr/share/nginx/html/]

Comment 2 Mike Ruckman 2015-06-02 23:28:14 UTC
Added workarounds to the CommonBugs page.

Comment 3 Kamil Páral 2015-06-08 13:35:53 UTC
Adding the CommonBugs URL.

Comment 4 dac.override 2015-06-10 08:46:05 UTC
RPM insists on running scriptlets with system_r:rpm_script_t role and type. The policy has to facilitate that.

I never understood why the scriptlets have to fail in enforcing mode if they are not run with system_r:rpm_script_t.

Nor do i understand why this is hard-coded into RPM.

Comment 5 Dusty Mabe 2015-06-13 19:25:09 UTC
(In reply to dac.override from comment #4)
> RPM insists on running scriptlets with system_r:rpm_script_t role and type.
> The policy has to facilitate that.
> 

Can we get the policy to facilitate this transition? Is anyone looking to make this happen?

Comment 6 Miroslav Grepl 2015-06-16 08:44:22 UTC
commit 257ed1a2706ce8ae6d1f54f6c311c3e50d44c768
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Jun 16 10:43:31 2015 +0200

    Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)

Comment 7 Dusty Mabe 2015-06-16 20:49:34 UTC
(In reply to Miroslav Grepl from comment #6)
> commit 257ed1a2706ce8ae6d1f54f6c311c3e50d44c768
> Author: Miroslav Grepl <mgrepl@redhat.com>
> Date:   Tue Jun 16 10:43:31 2015 +0200
> 
>     Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)

When will this get built? I still don't see it: https://admin.fedoraproject.org/updates/selinux-policy

Comment 8 Fedora Update System 2015-06-19 07:51:19 UTC
selinux-policy-3.13.1-128.2.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.2.fc22

Comment 9 Fedora Update System 2015-06-21 00:34:04 UTC
Package selinux-policy-3.13.1-128.2.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.2.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10299/selinux-policy-3.13.1-128.2.fc22
then log in and leave karma (feedback).

Comment 10 Dusty Mabe 2015-06-22 21:05:45 UTC
I was able to test this today. Installing rpms using cloud-init seems to work for selinux-policy-3.13.1-128.2.fc22 from updates-testing. Passed the test!

Comment 11 Fedora Update System 2015-06-27 22:33:41 UTC
selinux-policy-3.13.1-128.2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
