In RHEL 7.3 the SELinux userspace rebase changed paths. On systems which don't run %post-lets (like Atomic and RHVH) this is causing trouble, because the local policies are not relocated to the new location. This has a strong impact on the high-level functionality.
+++ This bug was initially created as a clone of Bug #1373389 +++
…
Diff from getsebool
====================
# diff -ruN before-upgrade after-upgrade --- before-upgrade 2016-09-26 23:54:51.603765224 -0400 +++ after-upgrade 2016-09-26 23:54:34.891341349 -0400 @@ -36,6 +36,7 @@ deny_ptrace --> off dhcpc_exec_iptables --> off dhcpd_use_ldap --> off +docker_connect_any --> off domain_fd_use --> on domain_kernel_load_modules --> off entropyd_use_audio --> on @@ -46,7 +47,6 @@ fenced_can_network_connect --> off fenced_can_ssh --> off fips_mode --> on -ftp_home_dir --> off ftpd_anon_write --> off ftpd_connect_all_unreserved --> off ftpd_connect_db --> off @@ -129,6 +129,7 @@ logging_syslogd_run_nagios_plugins --> off logging_syslogd_use_tty --> on login_console_enabled --> on +logrotate_read_inside_containers --> off logrotate_use_nfs --> off logwatch_can_network_connect_mail --> off lsmd_plugin_connect_any --> off @@ -202,9 +203,9 @@ samba_run_unconfined --> off samba_share_fusefs --> off samba_share_nfs --> off -sanlock_use_fusefs --> on -sanlock_use_nfs --> on -sanlock_use_samba --> on +sanlock_use_fusefs --> off +sanlock_use_nfs --> off +sanlock_use_samba --> off saslauthd_read_shadow --> off secadm_exec_content --> on secure_mode --> off 
@@ -222,16 +223,13 @@ selinuxuser_tcp_server --> off selinuxuser_udp_server --> off selinuxuser_use_ssh_chroot --> off -sftpd_anon_write --> off -sftpd_enable_homedirs --> off -sftpd_full_access --> off -sftpd_write_ssh_home --> off sge_domain_can_network_connect --> off sge_use_nfs --> off smartmon_3ware --> off smbd_anon_write --> off spamassassin_can_network --> off spamd_enable_home_dirs --> on +spamd_update_can_network --> off squid_connect_any --> on squid_use_tproxy --> off ssh_chroot_rw_homedirs --> off @@ -245,6 +243,7 @@ telepathy_tcp_connect_generic_network_ports --> on tftp_anon_write --> off tftp_home_dir --> off +tmpreaper_use_cifs --> off tmpreaper_use_nfs --> off tmpreaper_use_samba --> off tor_bind_all_unreserved_ports --> off @@ -264,19 +263,18 @@ virt_rw_qemu_ga_data --> off virt_sandbox_use_all_caps --> on virt_sandbox_use_audit --> on +virt_sandbox_use_fusefs --> off virt_sandbox_use_mknod --> off virt_sandbox_use_netlink --> off -virt_sandbox_use_nfs --> off -virt_sandbox_use_samba --> off virt_sandbox_use_sys_admin --> off virt_transition_userdomain --> off virt_use_comm --> off virt_use_execmem --> off -virt_use_fusefs --> on -virt_use_nfs --> on +virt_use_fusefs --> off +virt_use_nfs --> off virt_use_rawip --> off -virt_use_samba --> on -virt_use_sanlock --> on +virt_use_samba --> off +virt_use_sanlock --> off virt_use_usb --> on virt_use_xserver --> off
--- Additional comment from Douglas Schilling Landgraf on 2016-09-27 07:43:37 CEST ---
Worth mentioning that if I upgrade the rpms via yum (non-squashfs) from vdsm-4.18.11-1.el7ev to vdsm-4.18.13-1.el7ev.x86_64 I didn't see any problem. The issue seems related to the boot with the new squashfs and updated vdsm. Test executed:
# installed RHVH-4.0-20160822.8-RHVH-x86_64-dvd1.iso
# registered and approved in RHVM
# created a local repo with vdsm-4.18.13-1.el7ev.x86_64
# yum update -y
# reboot
After reboot, host is up.
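Review bot: the on-to-off flips in the last two hunks (sanlock_use_fusefs, sanlock_use_nfs, sanlock_use_samba, virt_use_fusefs, virt_use_nfs, virt_use_samba, virt_use_sanlock) are the lost local settings this report is about; every other changed line (added docker_connect_any, logrotate_read_inside_containers, spamd_update_can_network, tmpreaper_use_cifs, virt_sandbox_use_fusefs; removed ftp_home_dir, the four sftpd_* booleans, virt_sandbox_use_nfs, virt_sandbox_use_samba) names a boolean that exists on only one side of the diff, i.e. a policy rebase change rather than a migration failure. When checking a migrated host, compare only booleans present in both policies, otherwise the rebase noise hides the real regression.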
Steps to reproduce on any image based system:
1. Use the old image
2. setsebool virt_use_nfs 1
3. Update
4. getsebool -a | grep virt_use_nfs
After 4, virt_use_nfs is back to 0.
This also affects the upgrade of Atomic Host from 7.2.7 to 7.3
I believe this comment (and those that follow) linked here in an upstream bug are related: https://bugzilla.redhat.com/show_bug.cgi?id=1290659#c42
It's 2 different issues. In Fedora, the store is completely removed, while on RHEL-7.3 some files are in a different location than the tools expect them. These files could be migrated during first boot after update. The question is if this service can be part of Atomic Host similar to the /usr/lib/tmpfiles.d/ files, or if they have to be shipped by the selinux-policy package.
As there are at least two products affected I'd really favor a selinux based solution.
Yoana, this will need a release note for RHELAH 7.3. If a fix is provided before we release, we can drop the release note.
(In reply to Fabian Deutsch from comment #4)
> Steps to reproduce on any image based system:
>
> 1. Use the old image
> 2. setsebool virt_use_nfs 1
> 3. Update
> 4. getsebool -a | grep virt_use_nfs
>
> After 4 virt_use_nfs is back to 0
Is there a reboot between setsebool and getsebool? Then you need to use 'setsebool -P virt_use_nfs 1' to make the change persistent.
Ryan, did you add the "-P" parameter with setsebool before the update?
I did:
[root@localhost ~]# setsebool -P virt_use_nfs 1
[root@localhost ~]# getsebool -a | grep virt_use_nfs
virt_use_nfs --> on
[root@localhost ~]# ls
anaconda-ks.cfg  redhat-virtualization-host-image-update-4.0-20161010.0.el7_3.noarch.rpm
[root@localhost ~]# rpm -Uvh redhat-virtualization-host-image-update-4.0-20161010.0.el7_3.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:redhat-virtualization-host-image-################################# [ 50%]
Cleaning up / removing...
   2:redhat-virtualization-host-image-################################# [100%]
[root@localhost ~]# reboot
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.
Terminated
[root@localhost ~]# Connection to 192.168.122.65 closed by remote host.
Connection to 192.168.122.65 closed.
[rbarry@el7 redhat-virtualization-host]$ ssh root.122.65
root.122.65's password:
Last login: Mon Oct 10 08:55:37 2016 from el7.nested
imgbase status: OK
[root@localhost ~]# !get^C
[root@localhost ~]# getsebool -a | grep virt_use
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_rawip --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_usb --> on
virt_use_xserver --> off
Note that RHV-H (similar to Atomic in this sense) is updated in an A/B format. The RPM contains a squashfs, which is delivered onto a new LVM LV. After this, /etc and /root are synced (and UID/GID/permissions drift which may have happened between the two images is corrected). Because of this, any %post scripts from selinux-policy (as an example) will not be triggered on the actual update. For RHV-H (and Atomic, presumably), the migration of changes must occur AFTER the reboot, not as part of selinux-policy-targeted %post or similar. %post will be run in that case on a brand-new system which doesn't have any policy changes to migrate...
Ryan, understood, but we have a patch which fixes this after reboot by using a systemd unit file. The patch is attached in comment#16. Could you please prepare an RHV-H host without the update for testing purposes? I'll try to reproduce it. Thanks.
Please provide the output of the following commands after the update:
# systemctl status -l selinux-policy-migrate-local-changes
# ls -l /etc/selinux/targeted/modules/active/
# cat /etc/selinux/targeted/modules/active/booleans.local
[root@localhost ~]# systemctl status -l selinux-policy-migrate-local-changes
● selinux-policy-migrate-local-changes - Migrate local SELinux policy changes from the old store structure to the new structure
   Loaded: loaded (/usr/lib/systemd/system/basic.target.wants/../selinux-policy-migrate-local-changes@.service; static; vendor preset: disabled)
   Active: active (exited) since Mon 2016-10-10 10:34:30 MST; 20h ago
  Process: 794 ExecStart=/usr/libexec/selinux/selinux-policy-migrate-local-changes.sh %I (code=exited, status=0/SUCCESS)
 Main PID: 794 (code=exited, status=0/SUCCESS)

Oct 10 10:34:20 localhost.localdomain systemd[1]: Starting Migrate local SELinux policy changes from the old store structure to the new structure...
Oct 10 10:34:30 localhost.localdomain systemd[1]: Started Migrate local SELinux policy changes from the old store structure to the new structure.
[root@localhost ~]# ls -l /etc/selinux/targeted/modules/active/
total 864
-rw-r--r--. 1 root root  58507 Oct 10 10:17 base.pp
-rw-r--r--. 1 root root     85 Oct 10 10:17 booleans.local
-rw-------. 1 root root     32 Oct 10 10:17 commit_num
-rw-------. 1 root root 368557 Oct 10 10:17 file_contexts
-rw-r--r--. 1 root root  13169 Oct 10 10:17 file_contexts.homedirs
-rw-r--r--. 1 root root    127 Oct 10 10:17 file_contexts.local
-rw-------. 1 root root 380333 Oct 10 10:17 file_contexts.template
-rw-------. 1 root root  11776 Oct 10 10:17 homedir_template
drwx------. 2 root root  12288 Oct 10 10:17 modules
-rw-------. 1 root root      0 Oct 10 10:17 netfilter_contexts
lrwxrwxrwx. 1 root root     38 Oct 10 10:17 policy.kern -> /etc/selinux/targeted/policy/policy.29
-rw-r--r--. 1 root root    136 Oct 10 10:17 ports.local
-rw-r--r--. 1 root root    282 Oct 10 10:34 README.migrated
-rw-------. 1 root root    106 Oct 10 10:17 seusers.final
-rw-------. 1 root root    101 Oct 10 10:17 users_extra
[root@localhost ~]# cat /etc/selinux/targeted/modules/active/booleans.local
# This file is auto-generated by libsemanage
# Do not edit directly.

virt_use_nfs=1
[root@localhost ~]# getsebool -a | grep virt_use_nfs
virt_use_nfs --> off
(In reply to Lukas Vrabec from comment #27)
> Ryan,
> Understood, but we have a patch which fixes this after reboot by using a
> systemd unit file. The patch is attached in comment#16. Could you please prepare
> an RHV-H host without the update for testing purposes? I'll try to reproduce it.
>
> Thanks.
I have a libvirt snapshot before the update, so testing should be easy. Are you asking for a publicly available test system here? I'm not sure of the request.
Since there's /etc/selinux/targeted/modules/active/README.migrated, the migration happened. It's not clear to me why local changes are not copied to the new store. Can you please run:
# rm -f /etc/selinux/targeted/modules/active/README.migrated
# bash -x /usr/libexec/selinux/selinux-policy-migrate-local-changes.sh targeted
# cat /etc/selinux/targeted/modules/active/booleans.local
# getsebool -a | grep virt_use_nfs
# cat /etc/selinux/targeted/active/booleans.local
Or provide access to some machine or the reproducer?
The problem seems to be in the migration script, which migrates changes but doesn't apply them:
# semanage boolean -C -l
SELinux boolean                State  Default Description
cups_execmem                   (off  ,   on)  Allow cups to execmem
virt_use_nfs                   (off  ,   on)  Allow virt to use nfs
The system default is 'on', which is correct since it was changed before the update, but the system runs with 'off' as the policy which is loaded was built with 'off' and the local changes were not applied. I'll provide another build with a fixed script.
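The mismatch described above (the store says virt_use_nfs=1, the loaded policy says off) can be caught with a post-update check. The script below is an added example, not part of this bug report or of the selinux-policy package: it compares the booleans persisted in booleans.local with the running state reported by getsebool -a and lists every persisted value that is not in effect. The sample files are constructed from the values shown in this report; the store path /etc/selinux/targeted/active/booleans.local is the new RHEL 7.3 location mentioned above.

```shell
#!/bin/sh
# Added example (not from the bug report): after an image-based update,
# compare the booleans persisted by 'setsebool -P' in booleans.local
# ("name=1" / "name=0" lines) against the running policy as printed by
# 'getsebool -a' ("name --> on" lines) and list persisted values that
# are not in effect.

# find_unapplied_booleans LOCAL_FILE RUNNING_FILE
# Prints "name persisted=X running=Y" for each mismatch; prints nothing
# when every persisted boolean is in effect.
find_unapplied_booleans() {
    local_file="$1"; running_file="$2"
    while IFS='=' read -r name value; do
        # Skip blank lines and the libsemanage header comments.
        case "$name" in ''|'#'*) continue ;; esac
        case "$value" in 1|true|on) want=on ;; *) want=off ;; esac
        have=$(awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }' "$running_file")
        if [ -z "$have" ]; then
            have=missing   # boolean no longer exists in the loaded policy
        fi
        if [ "$have" != "$want" ]; then
            printf '%s persisted=%s running=%s\n' "$name" "$want" "$have"
        fi
    done < "$local_file"
}

# Constructed sample data mirroring this report: the migrated store still
# carries virt_use_nfs=1, but the loaded policy reports it off.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOCAL="$SAMPLE_DIR/booleans.local"
SAMPLE_RUNNING="$SAMPLE_DIR/getsebool.txt"
printf '%s\n' '# This file is auto-generated by libsemanage' \
    '# Do not edit directly.' 'virt_use_nfs=1' 'cups_execmem=1' > "$SAMPLE_LOCAL"
printf '%s\n' 'virt_use_comm --> off' 'virt_use_nfs --> off' \
    'virt_use_samba --> off' 'cups_execmem --> on' > "$SAMPLE_RUNNING"

# On a real RHEL 7.3 host the same check is:
#   getsebool -a > /tmp/running.txt
#   find_unapplied_booleans /etc/selinux/targeted/active/booleans.local /tmp/running.txt
find_unapplied_booleans "$SAMPLE_LOCAL" "$SAMPLE_RUNNING"
```

Any line printed is a persisted boolean the migration copied but never applied; an empty result means the store and the loaded policy agree.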
According to my testing, it's fixed in https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=11892056 Please confirm. All changes are migrated and applied in the running system. Ryan, thanks for the help with setting up an environment.
Confirmed, this works. Thanks!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861