Red Hat Bugzilla – Bug 1343648
SELinux label for /etc/udev/hwdb.bin is etc_t instead of systemd_hwdb_etc_t after "#systemd-hwdb update"
Last modified: 2016-11-03 20:54:42 EDT
Description of problem:
systemd-hwdb update does the following: it deletes the /etc/udev/hwdb.bin file, then the file "/etc/udev/.#hwdb.binXXXXXX" is created and afterwards renamed to /etc/udev/hwdb.bin.
This is a problem from the SELinux policy point of view. I cannot create a filename transition rule for the file ".#hwdb.binXXXXXX" due to its non-constant name.

Version-Release number of selected component (if applicable):
systemd-219-20.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. # rm /etc/udev/hwdb.bin
2. # systemd-hwdb update
3. # ls -Z /etc/hwdb.bin

Actual results:
ls -Z hwdb.bin
unconfined_u:object_r:etc_t:s0 hwdb.bin

Expected results:
ls -Z hwdb.bin
unconfined_u:object_r:systemd_hwdb_etc_t:s0 hwdb.bin

This issue is blocking: https://bugzilla.redhat.com/show_bug.cgi?id=1257940

Additional info:
https://github.com/systemd/systemd/issues/3458
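The report above turns on one mechanism: a file created under /etc/udev with a random temporary name gets the directory's default type (etc_t), a filename transition rule cannot match the random name, and rename() keeps whatever label the file already has. Until the policy and systemd fixes land, the practical check on a box is to inspect the type after "systemd-hwdb update" and relabel from file_contexts if it is wrong. The script below is an added example written for this page, not code from the bug report or from systemd; it assumes a RHEL 7 style "ls -lZ" output line (permissions, owner, group, context, path), the expected type systemd_hwdb_etc_t named in the report, and that restorecon is available. The live check only does anything useful as root on an SELinux-enabled system; the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example (not part of the bug report): verify the SELinux type of
# /etc/udev/hwdb.bin after "systemd-hwdb update" and repair it with
# restorecon when it came out as etc_t instead of systemd_hwdb_etc_t.

EXPECTED_TYPE="systemd_hwdb_etc_t"   # expected type, taken from the report
HWDB_BIN="/etc/udev/hwdb.bin"

# Type field (third colon-separated field) of a full SELinux context,
# e.g. "unconfined_u:object_r:etc_t:s0" -> "etc_t".
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pick the context out of one "ls -Z" / "ls -lZ" output line: the
# context is the only whitespace-separated field containing ":object_r:".
context_from_ls_line() {
    for field in $1; do
        case "$field" in
            *:object_r:*) printf '%s\n' "$field"; return 0 ;;
        esac
    done
    return 1
}

# Returns 0 when the ls line carries the expected type, 1 otherwise
# (including lines with no SELinux context at all).
label_matches() {
    ctx=$(context_from_ls_line "$1") || return 1
    [ "$(selinux_type_of "$ctx")" = "$EXPECTED_TYPE" ]
}

# Live check and repair. Exit status: 0 label is correct (possibly after
# relabeling), 1 still wrong after restorecon, 2 file is missing.
check_and_repair_hwdb_label() {
    line=$(ls -lZ "$HWDB_BIN" 2>/dev/null) || {
        echo "$HWDB_BIN is missing (run: systemd-hwdb update)"
        return 2
    }
    if label_matches "$line"; then
        echo "OK: $HWDB_BIN has type $EXPECTED_TYPE"
        return 0
    fi
    echo "MISMATCH: $line"
    # restorecon relabels from the loaded policy's file_contexts; with a
    # policy that knows systemd_hwdb_etc_t this yields the expected type.
    # If it does not, the policy on the machine predates the fix.
    restorecon -v "$HWDB_BIN"
    line=$(ls -lZ "$HWDB_BIN")
    label_matches "$line"
}

# Run the live check only when invoked directly as a script.
case "$0" in
    *hwdb_label_check.sh) check_and_repair_hwdb_label ;;
esac
```

Saved as hwdb_label_check.sh and run as root after "rm /etc/udev/hwdb.bin; systemd-hwdb update", the script reports the mismatch shown in the report and fixes it when the installed selinux-policy already carries the systemd_hwdb_etc_t file context. A type of etc_t surviving restorecon means the policy, not systemd, is the component still missing the fix.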
Backport https://github.com/systemd/systemd/pull/3460/commits/6a0f43bc0cbbcc888128ffa0095515277aa5b26e
qa acking
https://github.com/lnykryn/systemd-rhel/pull/29
merged to staging -> https://github.com/lnykryn/systemd-rhel/commit/ca82178b166ae5fb8efe4b09aadae802534cf6e3 -> post
*** Bug 1350074 has been marked as a duplicate of this bug. ***
Seems like this also requires changes on SELinux policy side. What do you think Lukas?
Michal,

Agree, fixes for this issue are included in selinux-policy-3.13.1-85.el7 build.
Jan,

Can you please retest with updated version of selinux-policy? From beaker logs it looks like you have been testing with selinux-policy-3.13.1-84.el7.
(In reply to Michal Sekletar from comment #13)
> Jan,
>
> Can you please retest with updated version of selinux-policy? From beaker
> logs it looks like you have been testing with selinux-policy-3.13.1-84.el7.

With
selinux-policy-3.13.1-85.el7.noarch
systemd-219-22.el7.x86_64
the problem still seems to be present.
NEW:
:: [ LOG ] :: Package versions:
:: [ LOG ] :: systemd-219-22.el7.x86_64
...
:: [ BEGIN ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.Mvj3aX3VGv' should contain ':systemd_hwdb_etc_t:'
:: [ BEGIN ] :: Running 'rm /etc/udev/hwdb.bin'
:: [ PASS ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'systemd-hwdb update'
:: [ PASS ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.lKZE8e0efC' should contain ':systemd_hwdb_etc_t:'

OLD:
:: [ 08:20:39 ] :: Package versions:
:: [ 08:20:39 ] :: systemd-219-19.el7.x86_64
...
:: [ BEGIN ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/udev/hwdb.bin
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ FAIL ] :: File '/var/tmp/tmp.7jsKFLjl8A' should contain ':systemd_hwdb_etc_t:'
:: [ BEGIN ] :: Running 'rm /etc/udev/hwdb.bin'
:: [ PASS ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'systemd-hwdb update'
:: [ PASS ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ls -lZ /etc/udev/hwdb.bin'
-r--r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/udev/hwdb.bin
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ FAIL ] :: File '/var/tmp/tmp.TG1qdGfA8H' should contain ':systemd_hwdb_etc_t:'

Setting as verified.
I'm concerned about the state of this bugzilla. It is marked VERIFIED with systemd-219-22.el7.x86_64 but the AVC denial is still there with systemd-219-22.el7.x86_64. Do we need the steps to reproduce amended? Do we need a separate bugzilla for the AVC denials?
Remaining AVC denial should be fixed by changes in SELinux policy, already included in selinux-policy-3.13.1-86.el7 and by patch in systemd (already merged upstream, backport will be included in next RHEL-7.3-candidate build). Moving back to ASSIGNED.
and patch for that was merged to staging -> https://github.com/lnykryn/systemd-rhel/commit/0860805a09ce6c2c2136306bdf64d58621368291 -> post
Works, so we depend on the newest selinux-policy.

:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.K39ZH4D8CD' should contain ':systemd_hwdb_etc_t:'
:: [ PASS ] :: Command 'rm /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: Command 'systemd-hwdb update' (Expected 0, got 0)
:: [ PASS ] :: Command 'ls -lZ /etc/udev/hwdb.bin' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.4HWjfCta1p' should contain ':systemd_hwdb_etc_t:'
:: [ LOG ] :: Duration: 1s
:: [ LOG ] :: Assertions: 6 good, 0 bad
:: [ PASS ] :: RESULT: Test

Thank you.
Can you run your tests as well Jan? Thank you
(In reply to Branislav Blaškovič from comment #31)
> Can you run your tests as well Jan? Thank you

I haven't seen that AVC denial for some time on 7.3 nightly builds. Thanks.
That's great, thank you very much for quick response.
All,

Re: aarch64 https://bugzilla.redhat.com/show_bug.cgi?id=1257940#c22

---<-snip->---
Testing with distro RHEL-7.3-20160817.1 Server aarch64 this issue is no longer seen.

distro: RHEL-7.3-20160817.1 Server aarch64 (kernel-4.5.0-4.el7) (systemd-219-26.el7)

See here:
[] https://beaker.engineering.redhat.com/recipes/2986103#task44715839 - PASS
[] https://beaker.engineering.redhat.com/recipes/2986104#task44715865 - PASS
[] https://beaker.engineering.redhat.com/recipes/2986105#task44715891 - PASS
---<-snip->---

Best,
-pbunyan
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2216.html