Description of problem:
I upgraded my fedora 23 atomic host to the latest fedora 24 atomic host and I'm not able to start the service rpm-ostreed. I know it's caused by SELinux policy but I would like to have a confirmation from the maintainer whether it's expected and selinux-policy should be updated.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Boot fedora 23 atomic image (https://getfedora.org/en/cloud/download/atomic.html)
2. rebase to fedora 24 atomic
-bash-4.3# ostree remote add --no-gpg-verify fedora24-atomic \
    https://dl.fedoraproject.org/pub/fedora/linux/atomic/24/
-bash-4.3# ostree pull fedora24-atomic:fedora-atomic/24/x86_64/docker-host
-bash-4.3# rpm-ostree rebase fedora24-atomic:fedora-atomic/24/x86_64/docker-host
3. systemctl reboot
4. start service rpm-ostreed (directly using systemctl or indirectly via rpm-ostree)
-bash-4.3# systemctl start rpm-ostreed

Actual results:
Job for rpm-ostreed.service failed because the control process exited with error code.
See "systemctl status rpm-ostreed.service" and "journalctl -xe" for details.

+ avcs
-bash-4.3# ausearch -m avc -i
----
type=PROCTITLE msg=audit(05/04/2016 20:51:37.914:199) : proctitle=(-ostreed)
type=SYSCALL msg=audit(05/04/2016 20:51:37.914:199) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x555f6f4f4e60 a1=0x555f6f470100 a2=0x555f6f4bbbc0 a3=0x555f6f4f5090 items=0 ppid=1 pid=1721 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(-ostreed) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(05/04/2016 20:51:37.914:199) : avc: denied { execute } for pid=1721 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0

Expected results:
service is successfully started and therefore command rpm-ostree is usable.
Additional info:
AVC in permissive mode
-bash-4.3# > /var/log/audit/audit.log
-bash-4.3# setenforce 0
-bash-4.3# systemctl start rpm-ostreed
-bash-4.3# ausearch -m avc -i
----
type=PROCTITLE msg=audit(05/04/2016 20:53:23.013:206) : proctitle=/usr/libexec/rpm-ostreed
type=SYSCALL msg=audit(05/04/2016 20:53:23.013:206) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x555f6f4f4e60 a1=0x555f6f4bbaa0 a2=0x555f6f4bd5f0 a3=0x555f6f4dede0 items=0 ppid=1 pid=1738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm-ostreed exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc: denied { execute_no_trans } for pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc: denied { read open } for pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc: denied { execute } for pid=1738 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(05/04/2016 20:53:23.035:207) : proctitle=/usr/libexec/rpm-ostreed
type=SYSCALL msg=audit(05/04/2016 20:53:23.035:207) : arch=x86_64 syscall=faccessat success=yes exit=0 a0=0xd a1=0x7f29924f37ca a2=W_OK a3=0x0 items=0 ppid=1 pid=1738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm-ostreed exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(05/04/2016 20:53:23.035:207) : avc: denied { write } for pid=1738 comm=rpm-ostreed name=objects dev="dm-0" ino=102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=1
There are also many AVCs in permissive mode after calling rollback
-bash-4.3# > /var/log/audit/audit.log
-bash-4.3# rpm-ostree rollback
-bash-4.3# ausearch -m avc -i | audit2allow

#============= init_t ==============

#!!!! WARNING: 'boot_t' is a base type.
allow init_t boot_t:dir { create rmdir };
allow init_t boot_t:file { create rename unlink write };
allow init_t boot_t:lnk_file { create rename unlink };
allow init_t bootloader_exec_t:file { execute execute_no_trans getattr ioctl open read };

#!!!! WARNING: 'system_conf_t' is a base type.
allow init_t system_conf_t:dir { add_name create remove_name rmdir write };
allow init_t system_conf_t:file { create rename unlink write };

#!!!! WARNING: 'usr_t' is a base type.
allow init_t usr_t:dir { create rmdir };
#!!!! WARNING: 'usr_t' is a base type.
allow init_t usr_t:file { create unlink write };
allow init_t usr_t:lnk_file { create rename unlink };
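The denials above are easier to reason about once they are grouped the way audit2allow groups them, by (source type, target type, object class). The following script is an added example and is not part of the bug report or of rpm-ostree; it parses interpreted `ausearch -m avc -i` records, builds that grouping, renders it as allow rules for comparison with the audit2allow output, and flags the pattern this report shows: a domain (init_t) being denied `execute` on an `*_exec_t` file, which is the signature of an executable whose policy module does not define a domain transition for it. The sample records are copied from the AVC lines of this report; the "missing transition" heuristic is the example's own assumption, not a statement from the report or from the selinux-policy maintainers.

```python
"""Summarize SELinux AVC denials from `ausearch -m avc -i` output.

Added example, not part of the bug report or of rpm-ostree. Groups
denials into audit2allow-style (source type, target type, class) ->
permissions and flags execute denials on *_exec_t files, which usually
mean the policy lacks a domain transition for that executable.
"""
import re
from collections import defaultdict

# Denial body of an interpreted (-i) AVC record: "avc: denied { perms } for k=v ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values may be quoted ("dm-0"), parenthesised ((-ostreed)) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

# Sample input: the AVC records from this report (only the type=AVC lines).
SAMPLE_AVCS = [
    'type=AVC msg=audit(05/04/2016 20:51:37.914:199) : avc: denied { execute } for pid=1721 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc: denied { execute_no_trans } for pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc: denied { read open } for pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(05/04/2016 20:53:23.035:207) : avc: denied { write } for pid=1738 comm=rpm-ostreed name=objects dev="dm-0" ino=102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=1',
]


def selinux_type(context):
    """Return the type component of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but allowed to proceed.
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm", "").strip('()"'),
    }


def summarize(lines):
    """Group denials like audit2allow: (stype, ttype, tclass) -> sorted permission list."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def allow_rules(summary):
    """Render the summary as allow rules, for side-by-side comparison with audit2allow."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]


def missing_transitions(summary):
    """Heuristic (this example's assumption): a domain denied execute on an *_exec_t
    file has no domain transition defined for that executable in the loaded policy."""
    return sorted(
        (s, t)
        for (s, t, c), perms in summary.items()
        if c == "file" and t.endswith("_exec_t") and {"execute", "execute_no_trans"} & set(perms)
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVCS)
    for rule in allow_rules(summary):
        print(rule)
    for s, t in missing_transitions(summary):
        print(f"{s} executes {t} without a domain transition; the daemon stays in {s}")
```

Feed it the raw `ausearch -m avc -i` output instead of `SAMPLE_AVCS` to apply it to a live host; non-AVC records (PROCTITLE, SYSCALL) are ignored by `parse_avc`. The point of the transition check is that writing the rendered allow rules into a local module would leave the daemon running in init_t with broad rights on boot_t, system_conf_t and usr_t, whereas the fix that keeps least privilege is a policy update that transitions the daemon into its own domain.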
*** This bug has been marked as a duplicate of bug 1330318 ***
I think that the main problem is that the service rpm-ostreed is running with the init_t type
-bash-4.3# rpm -q selinux-policy rpm-ostree
selinux-policy-3.13.1-182.fc24.noarch
rpm-ostree-2015.11-2.fc24.x86_64
-bash-4.3# ps auxZ | grep tre[e]
system_u:system_r:init_t:s0     root      1738  0.2  2.0 478452 41264 ?        Ssl  20:53   0:01 /usr/libexec/rpm-ostreed

But it works with the same selinux type on fedora 23 atomic and enforcing mode
-bash-4.3# rpm -q selinux-policy rpm-ostree
selinux-policy-3.13.1-158.14.fc23.noarch
rpm-ostree-2015.11-1.fc23.x86_64
-bash-4.3# ps auxZ | grep tre[e]
system_u:system_r:init_t:s0     root      1180  0.0  0.6 396904 13216 ?        Ssl  21:08   0:00 /usr/libexec/rpm-ostreed