Bug 1258921 - selinux-policy package update ends up with a semodule crash
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
6.7
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks: 1271982
Reported: 2015-09-01 10:22 EDT by Deepu K S
Modified: 2016-03-09 16:37 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-27 03:42:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
PBIS software SELinux policy (340.00 KB, application/x-tar)
2015-09-01 10:25 EDT, Deepu K S

Description Deepu K S 2015-09-01 10:22:26 EDT
Description of problem:
Updating the selinux-policy and selinux-policy-targeted packages throws the semodule crash error below.

semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == target_type->s.value' failed.

Further investigation found that the crash happens in the post scripts, under:
# semodule -n -r oracle-port -b base.pp.bz2 -i $packages -s targeted 2>&1 | grep -v "oracle-port";

A custom SELinux policy for the PBIS software is installed on the system.
If we manually remove the pbis module before running the "semodule -n -s targeted ... -r clamav" command, then both semodule commands succeed.
The PBIS policy files are attached for reference.


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 6.7
selinux-policy-3.7.19-279.el6_7.4.noarch
selinux-policy-targeted-3.7.19-279.el6_7.4.noarch
policycoreutils-2.0.83-19.47.el6_6.1.x86_64


How reproducible:
Always.


Steps to Reproduce:
1. # yum update selinux-policy selinux-policy-targeted 
OR
# rpm -Uvh selinux-policy-3.7.19-279.el6_7.4.noarch.rpm selinux-policy-targeted-3.7.19-279.el6_7.4.noarch.rpm

2. Check for messages or if ABRT is configured, it will notify of crash.


Actual results:
===YUM=============================
$ sudo yum --enablerepo=cwc-latest update selinux-policy-targeted
Downloading Packages:
(1/2): selinux-policy-3.7.19-279.el6.noarch.rpm                                                           | 881 kB     00:00
(2/2): selinux-policy-targeted-3.7.19-279.el6.noarch.rpm                                         | 3.1 MB     00:00
--------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                  13 MB/s | 3.9 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : selinux-policy-3.7.19-279.el6.noarch                                                                               1/4
  Updating   : selinux-policy-targeted-3.7.19-279.el6.noarch                                                               2/4
semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == target_type->s.value' failed.
  Cleanup    : selinux-policy-targeted-3.7.19-260.el6_6.3.noarch                                                         3/4
  Cleanup    : selinux-policy-3.7.19-260.el6_6.3.noarch                                                                          4/4
cwc-latest/productid                                                                                           | 1.6 kB     00:00
cwc-rhel6-previous/productid                                                                           | 1.6 kB     00:00
  Verifying  : selinux-policy-3.7.19-279.el6.noarch                                                                                1/4
  Verifying  : selinux-policy-targeted-3.7.19-279.el6.noarch                                                              2/4
  Verifying  : selinux-policy-3.7.19-260.el6_6.3.noarch                                                                       3/4
  Verifying  : selinux-policy-targeted-3.7.19-260.el6_6.3.noarch                                                      4/4

Updated:
  selinux-policy-targeted.noarch 0:3.7.19-279.el6

Dependency Updated:
  selinux-policy.noarch 0:3.7.19-279.el6

$ echo $?
0

===RPM===
$ sudo rpm -Uvh selinux-policy-3.7.19-279.el6.noarch.rpm selinux-policy-targeted-3.7.19-279.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == target_type->s.value' failed.
$ echo $?
0
=====================================

This has been happening on the latest RHEL 6.7 and on older RHEL 6 versions. The error is thrown by both the yum and rpm updates; however, both updates return an exit value of 0.

Expected results:
No crashes.

Additional info:
ABRT detects the crash and reports it to the user. If ABRT isn't running, the user isn't aware that a crash has happened.
Comment 1 Deepu K S 2015-09-01 10:25:50 EDT
Created attachment 1069038
PBIS software SELinux policy
Comment 2 Milos Malik 2015-09-01 10:48:34 EDT
Does semodule crash when you update selinux-policy packages in permissive mode?
Comment 3 Deepu K S 2015-09-02 10:10:25 EDT
(In reply to Milos Malik from comment #2)
> Does semodule crash when you update selinux-policy packages in permissive
> mode?

Hi Milos,

Thanks for looking into this.
SELinux is already in Permissive mode.

SELINUX=permissive

The crash does happen still.

Thanks
Comment 4 Deepu K S 2015-09-11 09:05:56 EDT
Created attachment 1072552
ABRT captured problem directory
Comment 5 Deepu K S 2015-09-11 09:08:17 EDT
Created attachment 1072553
selinux command output from sosreport
Comment 6 Daniel Walsh 2015-09-11 15:18:50 EDT
Is this machine a limited memory VM?
Comment 7 Christina Plummer 2015-09-11 20:02:41 EDT
Hi, I'm the customer who reported this.  We've seen the issue on a few servers of different memory sizes (1.8GB - 16GB).  

I can induce the crash every time if the PBIS module (which depends on clamd_t from clamav) is installed on a server running an earlier version of selinux-policy-targeted (prior to 3.7.19-195, I believe) that contained that type, and then I try to update to a later version that removes it. 

I can also induce the crash just by manually walking through the commands in the postinstall script.

This command, prior to the one that was causing the segfault: 
# semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav -r glusterfs 2>/dev/null

When I didn't redirect the output, I got this error:

libsepol.print_missing_requirements: pbis's global requirements were not met: type/attribute clamd_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

If I then try to run the next command in the post script, I get the segfault:
# semodule -n -r oracle-port -b base.pp.bz2 -i $packages -s targeted 2>&1 | grep -v "oracle-port";

I should also note that since these commands failed, the above modules do NOT get removed, and the new policies do not get loaded.  Since the above error is redirected to /dev/null, the failures are silent.

To summarize:
1. The postinstall script in the selinux-policy-targeted package attempts to remove a bunch of deprecated modules.  However, if one of the modules cannot be removed due to a failed dependency, none of the modules end up getting removed.  Furthermore, the failure is silent due to the stderr output being redirected to /dev/null.  I would expect:
  A. Modules that don't have failed dependencies should be removed
  B. Failures should be at least reported, and preferably handled

2. The postinstall script in the selinux-policy-targeted package also proceeds to re-install the policies included in the package.  However, due to the earlier failure to remove the clamav module, this command generates a segfault, and the updated versions of the modules don't get loaded.  I would expect:
  A. No segmentation faults
  B. That all modules included in selinux-policy-targeted would get loaded following an update on the package.

Thanks to Deepu for filing the bug.
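The two expectations above (remove every module that can be removed, and report the ones that cannot) can be met by running one "semodule -r" per module instead of one transaction for the whole list. The script below is an added illustration of that, not the selinux-policy package's %post script and not code from anyone on this bug. It assumes SEMODULE names the semodule binary (kept as a variable so a stand-in can be used on a host without SELinux tooling) and STORE is the policy store; "-n" is kept from the original script, so the kernel policy is not reloaded until the later "semodule -i base.pp ..." step.

```shell
#!/bin/sh
# Added example (not from this bug or from selinux-policy's own %post):
# remove deprecated modules one at a time instead of in a single
# "semodule -r a -r b ..." transaction, so one module that cannot be removed
# (here clamav, still required by pbis) does not block the rest, and the
# libsemanage/libsepol error text is reported instead of sent to /dev/null.
#
# Assumptions: SEMODULE is the semodule binary (a variable so a stand-in can
# be substituted), STORE is the policy store to operate on.
SEMODULE="${SEMODULE:-semodule}"
STORE="${STORE:-targeted}"

# List the module names currently in the store ("semodule -l" prints one
# "name<TAB>version" line per module on RHEL 6).
installed_modules() {
    "$SEMODULE" -s "$STORE" -l 2>/dev/null | awk '{ print $1 }'
}

# remove_modules_individually MODULE...
# For each module: skip it if it is not installed (the original list names
# modules that may never have been present), otherwise attempt the removal
# on its own and keep stderr. Prints one status line per module on stdout
# and returns the number of removals that failed, so a caller can tell
# "nothing to do" from "removal was refused".
remove_modules_individually() {
    installed=$(installed_modules)
    failed=0
    for mod in "$@"; do
        if ! printf '%s\n' "$installed" | grep -qx -- "$mod"; then
            echo "skipped (not installed): $mod"
            continue
        fi
        if err=$("$SEMODULE" -n -s "$STORE" -r "$mod" 2>&1); then
            echo "removed: $mod"
        else
            failed=$((failed + 1))
            echo "failed: $mod"
            # Surface the reason (e.g. "pbis's global requirements were not
            # met: type/attribute clamd_t") rather than discarding it.
            printf '%s\n' "$err" | sed 's/^/    /' >&2
        fi
    done
    return "$failed"
}

# Stand-alone use: sh remove-deprecated.sh clamav glusterfs rgmanager ...
# The guard keeps the file inert when sourced or run without arguments.
if [ $# -gt 0 ]; then
    remove_modules_individually "$@"
fi
```

A %post that used this would still have to decide what a non-zero return means for the rest of the update (the later "semodule -i" step is the one that crashed in this report), but at least the failure would be visible in the package output rather than only to ABRT.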
Comment 10 Miroslav Grepl 2015-10-27 03:42:01 EDT
Yes, the policy handling is not optimal here and we have some changes in RHEL-7. 

But pbis policy should be updated to use optional_policy() for types which are not a part of the base.pp policy module.

For example

---

optional_policy(`
    # Only applied when the clamav module (which defines clamd_t) is
    # present in the store; otherwise the block is skipped instead of
    # making the whole pbis module fail to link.
    require {
        type clamd_t;
    }
    pbis_client(clamd_t)
')

----

which would prevent this problem. All non-base types should be used inside an optional_policy() statement, because the policy is a modular policy and some modules can be disabled or removed, for example.
Comment 11 Christina Plummer 2015-11-03 15:34:14 EST
So semodule segfaulting is the desired behavior?

And yum neither loading the new policy nor reporting a failure to do so is also the desired behavior?

I agree that the pbis policy should be rewritten and am working with the vendor on that.  But I am surprised that you are not interested in fixing the issues I mentioned.
Comment 12 Miroslav Grepl 2015-12-11 04:42:54 EST
I don't see segfaulting semodule. It reports the failure which is expected.
Comment 13 Christina Plummer 2016-01-25 10:09:26 EST
The crash_dump should have been in the Comment 4 attachment (collected files from abrt).
