Bug 1299054 - SELinux prevents rhsmcertd-worker from accessing a lock
Summary: SELinux prevents rhsmcertd-worker from accessing a lock
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rhel-server-atomic
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Colin Walters
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-01-15 20:06 UTC by Stef Walter
Modified: 2016-08-22 13:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-19 21:31:48 UTC
Target Upstream Version:



Description Stef Walter 2016-01-15 20:06:03 UTC
Description of problem:

type=1400 audit(1452883155.324:7): avc: denied { write } for pid=2704 comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=8979114 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

This happens intermittently on RHEL Atomic Host during the Cockpit integration tests. 

This seems to happen shortly after mounting a container:

Jan 15 18:39:14 localhost.localdomain.localdomain docker[1910]: time="2016-01-15T18:39:14.951350343Z" level=info msg="POST /v1.20/containers/create"
Jan 15 18:39:15 localhost.localdomain.localdomain systemd[1]: Device dev-disk-by\x2duuid-4d2bce40\x2d1a3e\x2d4192\x2d8ae5\x2d8d297b2cbbae.device appeared twice with different sysfs paths /sys/devices/virtual/block/dm-4 and /sys/devices/virtual/block/dm-5
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Mounting V4 Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Ending clean mount
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: SELinux: initialized (dev dm-5, type xfs), uses xattr
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Unmounting Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain systemd[1]: Device dev-disk-by\x2duuid-4d2bce40\x2d1a3e\x2d4192\x2d8ae5\x2d8d297b2cbbae.device appeared twice with different sysfs paths /sys/devices/virtual/block/dm-4 and /sys/devices/virtual/block/dm-5
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Mounting V4 Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Ending clean mount
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: SELinux: initialized (dev dm-5, type xfs), uses xattr
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Unmounting Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain docker[1910]: time="2016-01-15T18:39:15.301390405Z" level=info msg="POST /v1.20/containers/a79b8a26fa7f4533af6ac7b6456d032dcf02474b6003e1a2d052f716b8e43389/start"
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: type=1400 audit(1452883155.324:7): avc:  denied  { write } for  pid=2704 comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=8979114 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
Jan 15 18:39:15 localhost.localdomain.localdomain systemd[1]: Device dev-disk-by\x2duuid-4d2bce40\x2d1a3e\x2d4192\x2d8ae5\x2d8d297b2cbbae.device appeared twice with different sysfs paths /sys/devices/virtual/block/dm-4 and /sys/devices/virtual/block/dm-5
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Mounting V4 Filesystem
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: XFS (dm-5): Ending clean mount
Jan 15 18:39:15 localhost.localdomain.localdomain kernel: SELinux: initialized (dev dm-5, type xfs), uses xattr


Versions:

selinux-policy-targeted-3.13.1-60.el7.noarch
subscription-manager-1.15.9-15.el7.x86_64

# atomic host status
  TIMESTAMP (UTC)         VERSION   ID             OSNAME               REFSPEC                                                        
* 2015-12-03 19:40:36     7.2.1     aaf67b91fa     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard     
  2015-11-10 16:11:46     7.2       ec85fba1bf     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard

Comment 1 Stef Walter 2016-01-15 20:08:48 UTC
This bug was discovered by the Cockpit integration tests.

https://fedorapeople.org/groups/cockpit/logs/pull-3456-3041953a-rhel-atomic/

Cockpit will be ignoring this message in the integration tests from here on out:

https://github.com/cockpit-project/cockpit/pull/3492

Comment 3 Miroslav Grepl 2016-01-18 08:24:16 UTC
It looks like

/var/lib/rpm

is mislabeled on Atomic Hosts. What does

$ ls -dZ /var/lib/rpm

show?

Comment 4 Stef Walter 2016-01-18 08:30:59 UTC
# ls -dZ /var/lib/rpm
lrwxrwxrwx. root root system_u:object_r:rpm_var_lib_t:s0 /var/lib/rpm -> ../../usr/share/rpm

# ls -dZ /usr/share/rpm
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/share/rpm

Comment 6 Daniel Walsh 2016-08-19 21:31:48 UTC
Hopefully this is fixed.

Comment 7 Stef Walter 2016-08-22 13:57:12 UTC
The file contexts are still identical to those above:

-bash-4.2# ls -dZ /var/lib/rpm
lrwxrwxrwx. root root system_u:object_r:rpm_var_lib_t:s0 /var/lib/rpm -> ../../usr/share/rpm
-bash-4.2# ls -dZ /usr/share/rpm
drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/share/rpm
-bash-4.2# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.6 (2016-07-29 19:54:25)
        Commit: b672bf8a457cb28e003dee20c53749636ef5fce3e4743afe4aaad269d3aaa62a
        OSName: rhel-atomic-host

Removing the workaround in Cockpit so we can get proof either way:

https://github.com/cockpit-project/cockpit/pull/4918
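The diagnostic chain in this report (AVC denial in the description, `ls -dZ` output in comments 4 and 7) can be checked mechanically. The script below is an added example, not code from the bug report, from subscription-manager or from selinux-policy: it parses the AVC record, parses the `ls -dZ` lines, follows the `/var/lib/rpm` symlink to `/usr/share/rpm`, and reports whether the type on the resolved directory differs from the type the symlink itself carries and whether that is the type named in the denial. The sample input is copied from this report; `EXPECTED_RPMDB_TYPE` and all function names are assumptions of the example.

```python
import posixpath
import re
from typing import Dict, List, Optional, Tuple

# AVC denial line as it appears in the bug description (kernel audit record).
AVC_LINE = (
    'type=1400 audit(1452883155.324:7): avc: denied { write } for pid=2704 '
    'comm="rhsmcertd-worke" name=".dbenv.lock" dev="dm-0" ino=8979114 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'
)

# `ls -dZ` output copied from comments 4 and 7 of the report.
LS_Z_OUTPUT = [
    "lrwxrwxrwx. root root system_u:object_r:rpm_var_lib_t:s0 /var/lib/rpm -> ../../usr/share/rpm",
    "drwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/share/rpm",
]

# Assumption: the rpm database should carry the type the /var/lib/rpm symlink
# itself carries in the report.
EXPECTED_RPMDB_TYPE = "rpm_var_lib_t"

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_LS_Z_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<ctx>\S+)\s+"
    r"(?P<path>\S+)(?:\s+->\s+(?P<target>\S+))?\s*$"
)


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse a kernel AVC denial into its permission list and key=value fields.
    Tolerates the double spaces the kernel printk variant in the report has."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("fields"))}
    rec: Dict[str, object] = {"perms": m.group("perms").split(), **fields}
    # Split user:role:type:level so callers can compare the type alone.
    for ctx in ("scontext", "tcontext"):
        if ctx in fields:
            _user, _role, typ, _level = fields[ctx].split(":", 3)
            rec[ctx + "_type"] = typ
    return rec


def parse_ls_z(line: str) -> Optional[Dict[str, object]]:
    """Parse one `ls -dZ` line (mode user group context path [-> target])."""
    m = _LS_Z_RE.match(line)
    if not m:
        return None
    d: Dict[str, object] = dict(m.groupdict())
    d["type"] = str(d["ctx"]).split(":")[2]
    d["is_symlink"] = str(d["mode"]).startswith("l")
    return d


def effective_label(entries: List[Dict[str, object]], path: str) -> Tuple[str, Optional[str]]:
    """Follow symlink entries until a non-link is reached; return (path, type)."""
    by_path = {str(e["path"]): e for e in entries}
    seen = set()
    while path in by_path and by_path[path]["is_symlink"]:
        if path in seen:
            raise ValueError("symlink loop at %s" % path)
        seen.add(path)
        target = str(by_path[path]["target"])
        # Relative link targets resolve against the link's own directory.
        path = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
    entry = by_path.get(path)
    return path, (str(entry["type"]) if entry else None)


def diagnose(avc_line: str, ls_lines: List[str], rpmdb_path: str = "/var/lib/rpm") -> Dict[str, object]:
    """Correlate the denial with the observed labels on the rpm database path."""
    avc = parse_avc(avc_line)
    if avc is None:
        raise ValueError("not an AVC denial")
    entries = [e for e in (parse_ls_z(l) for l in ls_lines) if e]
    real_path, real_type = effective_label(entries, rpmdb_path)
    return {
        "denied_perms": avc["perms"],
        "source_type": avc["scontext_type"],
        "target_type": avc["tcontext_type"],
        "target_name": avc["name"],
        "resolved_path": real_path,
        "resolved_type": real_type,
        # The directory behind the symlink does not carry the expected type.
        "mislabeled": real_type != EXPECTED_RPMDB_TYPE,
        # The denial names exactly the type found on the resolved directory.
        "denial_matches_label": avc["tcontext_type"] == real_type,
    }


if __name__ == "__main__":
    for k, v in diagnose(AVC_LINE, LS_Z_OUTPUT).items():
        print("%-22s %s" % (k, v))
```

On a live host the same comparison is done by hand: `ls -dZ` on the resolved directory versus the type the policy expects for it (`matchpathcon <path>` prints the policy's answer), which is what comment 3 asked for. The script only reproduces that reasoning over the lines quoted in this report; it does not decide whether the fix belongs in the file contexts or in the image build.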
