Bug 1332119 - selinux errors for rpm-ostreed
Summary: selinux errors for rpm-ostreed
Keywords:
Status: CLOSED DUPLICATE of bug 1330318
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm-ostree
Version: 24
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Colin Walters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-02 09:23 UTC by Dusty Mabe
Modified: 2016-05-02 16:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-05-02 16:29:48 UTC
Type: Bug
Embargoed:



Description Dusty Mabe 2016-05-02 09:23:41 UTC
Description of problem:

selinux errors for rpm-ostreed - see below: 


```
-bash-4.3# rpm-ostree status
error: Error calling StartServiceByName for org.projectatomic.rpmostree1: Timeout was reached
-bash-4.3# 
-bash-4.3# systemctl status rpm-ostreed
● rpm-ostreed.service - RPM OSTree Manager
   Loaded: loaded (/usr/lib/systemd/system/rpm-ostreed.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2016-05-02 08:16:21 UTC; 37s ago
  Process: 1204 ExecStart=/usr/libexec/rpm-ostreed (code=exited, status=203/EXEC)
 Main PID: 1204 (code=exited, status=203/EXEC)

May 02 08:16:21 vanilla-f23atomic systemd[1]: Starting RPM OSTree Manager...
May 02 08:16:21 vanilla-f23atomic systemd[1]: rpm-ostreed.service: Main process exited, code=exited, status=203/EXEC
May 02 08:16:21 vanilla-f23atomic systemd[1]: Failed to start RPM OSTree Manager.
May 02 08:16:21 vanilla-f23atomic systemd[1]: rpm-ostreed.service: Unit entered failed state.
May 02 08:16:21 vanilla-f23atomic systemd[1]: rpm-ostreed.service: Failed with result 'exit-code'.
-bash-4.3# 
-bash-4.3# ausearch -m avc | tail -n 10 
----
time->Mon May  2 08:13:47 2016
type=PROCTITLE msg=audit(1462176827.989:240): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D757365722D73657373696F6E730073746F70
type=SYSCALL msg=audit(1462176827.989:240): arch=c000003e syscall=2 success=no exit=-13 a0=560896198240 a1=800c2 a2=180 a3=0 items=0 ppid=1 pid=2233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-user-se" exe="/usr/lib/systemd/systemd-user-sessions" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1462176827.989:240): avc:  denied  { create } for  pid=2233 comm="systemd-user-se" name=".#nologinGfgc45" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=0
----
time->Mon May  2 08:16:21 2016
type=PROCTITLE msg=audit(1462176981.808:176): proctitle="(-ostreed)"
type=SYSCALL msg=audit(1462176981.808:176): arch=c000003e syscall=59 success=no exit=-13 a0=558f2e45ea60 a1=558f2e48a000 a2=558f2e4005c0 a3=558f2e4895e0 items=0 ppid=1 pid=1204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(-ostreed)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1462176981.808:176): avc:  denied  { execute } for  pid=1204 comm="(-ostreed)" name="rpm-ostreed" dev="dm-0" ino=5238905 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
```



Version-Release number of selected component (if applicable):
```
-bash-4.3# rpm -qf /usr/lib/systemd/system/rpm-ostreed.service
rpm-ostree-2015.11-2.fc24.x86_64
-bash-4.3# setenforce 0
-bash-4.3# 
-bash-4.3# rpm-ostree status
  TIMESTAMP (UTC)         VERSION    ID             OSNAME            REFSPEC
* 2016-04-26 09:50:11     24.19      76d6ea28b2     fedora-atomic     fedora-atomic:fedora-atomic/24/x86_64/docker-host
  2016-04-19 19:04:34     23.106     05052ae3bb     fedora-atomic     fedora-atomic:fedora-atomic/f23/x86_64/docker-host
```


How reproducible:
Always

Steps to Reproduce:
1. Start on F23
2. setenforce 0
3. Rebase to F24: `rpm-ostree rebase fedora-atomic:fedora-atomic/24/x86_64/docker-host`
4. reboot
5. run `rpm-ostree status` -> see error
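
The following Python is an added example, not part of the original report or of rpm-ostree: it parses the two AVC records copied from the `ausearch` output above, decodes the hex-encoded `proctitle`, and picks out the denial that corresponds to the `status=203/EXEC` failure. The function names are hypothetical.

```python
import re

# The PROCTITLE and AVC records copied from the ausearch output in this report.
AUDIT_SAMPLE = '''\
type=PROCTITLE msg=audit(1462176827.989:240): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D757365722D73657373696F6E730073746F70
type=AVC msg=audit(1462176827.989:240): avc:  denied  { create } for  pid=2233 comm="systemd-user-se" name=".#nologinGfgc45" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1462176981.808:176): proctitle="(-ostreed)"
type=AVC msg=audit(1462176981.808:176): avc:  denied  { execute } for  pid=1204 comm="(-ostreed)" name="rpm-ostreed" dev="dm-0" ino=5238905 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
'''

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(value):
    """Quoted values are literal; unquoted ones are hex with NUL-separated argv."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).replace(b'\x00', b' ').decode('utf-8', 'replace')

def parse_denials(text):
    """Group records by audit event id and return one dict per AVC denial."""
    titles, denials = {}, []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == 'PROCTITLE':
            titles[event_id] = decode_proctitle(body.split('=', 1)[1])
        elif rtype == 'AVC' and (avc := AVC_RE.search(body)):
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(avc.group(2))}
            denials.append({
                'event': event_id,
                'perms': avc.group(1).split(),
                'source_type': fields['scontext'].split(':')[2],
                'target_type': fields['tcontext'].split(':')[2],
                'tclass': fields['tclass'],
                'name': fields.get('name'),
                'permissive': fields.get('permissive') == '1',
            })
    for d in denials:  # attach the process title recorded under the same event id
        d['proctitle'] = titles.get(d['event'])
    return denials

def exec_failures(denials):
    """Denials that stop systemd (init_t) from exec'ing a file: seen as status=203/EXEC."""
    return [d for d in denials if d['source_type'] == 'init_t'
            and d['tclass'] == 'file' and 'execute' in d['perms']]
```

On the records above, `exec_failures(parse_denials(AUDIT_SAMPLE))` returns only the `rpm-ostreed` denial, whose target type is `install_exec_t`.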

Comment 1 Giuseppe Scrivano 2016-05-02 10:16:26 UTC
Is this a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1309075?

Comment 2 Dusty Mabe 2016-05-02 11:16:40 UTC
(In reply to Giuseppe Scrivano from comment #1)
> is this a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1309075?

Maybe. Did the fix not propagate to F24? Here are the differences between the latest rpms in 23 and 24 right now:

!selinux-policy-3.13.1-158.14.fc23.noarch
=selinux-policy-3.13.1-182.fc24.noarch

!rpm-ostree-2015.11-1.fc23.x86_64
=rpm-ostree-2015.11-2.fc24.x86_64

Comment 3 Dusty Mabe 2016-05-02 11:19:19 UTC
Giuseppe, can you follow my reproducer steps and observe the issue?

Comment 4 Dusty Mabe 2016-05-02 16:26:13 UTC
Now that we have an image building for F24 you can just boot the following image and reproduce the issue:

https://kojipkgs.fedoraproject.org//work/tasks/5745/13885745/Fedora-Atomic-24-20160502.n.0.x86_64.qcow2

Comment 5 Colin Walters 2016-05-02 16:29:48 UTC

*** This bug has been marked as a duplicate of bug 1330318 ***

