Bug 1400009 - Bad boolean declaration
Summary: Bad boolean declaration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: docker
Version: 25
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-30 09:38 UTC by Paolo Antinori
Modified: 2016-12-01 16:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-01 15:01:15 UTC
Type: Bug



Description Paolo Antinori 2016-11-30 09:38:11 UTC
Description of problem:

While following the suggestions from the "SELinux Alert Browser" I get an error at the `semodule` invocation step.


Version-Release number of selected component (if applicable):
```
rpm -qa | ag policycoreutils
policycoreutils-python-utils-2.5-17.fc25.x86_64
policycoreutils-devel-2.5-17.fc25.x86_64
policycoreutils-python3-2.5-17.fc25.x86_64
policycoreutils-2.5-17.fc25.x86_64
policycoreutils-python-2.5-17.fc25.x86_64
policycoreutils-gui-2.5-17.fc25.x86_64
```


How reproducible:


Steps to Reproduce:
1. SELinux is preventing gnome-shell from read access on the lnk_file /data/software/ext/idea.

2. 

```
sudo ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
[sudo] password for pantinor: 
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-gnomeshell.pp

```
3.
```
sudo semodule -X 300 -i my-gnomeshell.pp
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:152
semodule:  Failed!
```

Actual results:


Expected results:


Additional info:

I can't find `/var/lib/selinux/targeted/tmp/modules/100/virt/cil` that I was hoping to attach. Is there a way to keep this temporary file to be inspected?

Comment 1 Petr Lautrbach 2016-11-30 10:52:22 UTC
The temporary file itself probably can't be inspected, but you can inspect an active module in the /var/lib/selinux/targeted/active/modules/ directory - /var/lib/selinux/targeted/tmp/modules/100/virt/cil

For a better understanding of the problem, please provide the output of `sudo ausearch -c 'gnome-shell' --raw`.

These kinds of problems are usually seen in combination with a non-updated container-selinux (formerly the docker-selinux package).

Comment 2 Paolo Antinori 2016-11-30 13:55:35 UTC
Hi, thanks for helping. 

```
sudo ausearch -c 'gnome-shell' --raw | tail
type=AVC msg=audit(1480496220.412:373): avc:  denied  { read } for  pid=1598 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496220.339:372): avc:  denied  { read } for  pid=1598 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496397.723:222): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.331:318): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.368:319): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.468:320): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496759.491:321): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496773.968:326): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496773.933:325): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496923.028:183): avc:  denied  { read } for  pid=1722 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
```

Regarding package updates, I currently have no update available listed in `dnf`, and I performed a full filesystem relabelling just after upgrading to F25.
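The raw `ausearch` output above is the evidence every later comment is based on, so it is worth being able to parse it instead of reading it by eye. The following is an added example (not from the bug report, the reporter, or the SELinux tooling): a small parser for `type=AVC` records that extracts the source/target types and permissions, drops non-AVC records, and collapses repeated denials into one line per distinct (source type, target type, class, permissions) tuple. The sample lines are constructed, modelled on the report's output.

```python
import re
from collections import Counter

# Constructed sample, modelled on the `ausearch -c 'gnome-shell' --raw` output in the report.
# The last line is a non-AVC record, included to show that it is ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1480496220.412:373): avc:  denied  { read } for  pid=1598 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496397.723:222): avc:  denied  { read } for  pid=6461 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1480496923.028:183): avc:  denied  { read } for  pid=1722 comm="gnome-shell" name="idea" dev="dm-2" ino=1629014 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1480496923.028:183): arch=c000003e syscall=89 success=no exit=-13 ...
"""

# Fixed prefix of an AVC record: timestamp:serial, decision, { perms }, then key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+?) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one raw audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m["ts"]),
        "serial": int(m["serial"]),
        "decision": m["decision"],
        "perms": tuple(m["perms"].split()),
    }
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    # A context is user:role:type[:range]; policy rules are written against the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the denial was logged but not enforced
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(text):
    """Count enforced denials per (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts


def report(text):
    """Render the summary as one line per distinct denial, most frequent first."""
    lines = []
    for (stype, ttype, tclass, perms), n in summarize(text).most_common():
        lines.append(f"{n:4d}  {stype} -> {ttype}  {tclass}  {{ {' '.join(perms)} }}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AVC))
```

On the report's data the summary collapses to a single entry, `xdm_t -> default_t lnk_file { read }`, which is exactly the one rule `audit2allow` would have generated; seeing the distinct tuples first makes it obvious when a module would be granting far more than the one access that was actually denied.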

Comment 3 Lukas Vrabec 2016-12-01 14:33:37 UTC
We faced a similar issue before. It was fixed by removing a duplicate boolean declaration in the docker policy. The docker policy is shipped by docker.

Guys, 
Could you check if you declare virt_sandbox_use_fusefs in docker policy? 

Thanks,
Lukas.
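The `Re-declaration of boolean virt_sandbox_use_fusefs` error means two modules in the policy store both declare the same boolean, and the whole store fails to rebuild the moment any module (here the unrelated `my-gnomeshell`) is installed. The check Lukas asks for can be done offline against the module sources. The following is an added example (not from the bug report or from the SELinux or container-selinux projects): a parser for CIL `(boolean name value)` declarations that reports every boolean declared by more than one module, with module path and line number in the same `module/cil:line` form the error message uses. The three CIL fragments are constructed stand-ins for installed modules; `load_store` is a hypothetical helper for reading a real store, which assumes the layout `<root>/<priority>/<name>/cil` and that stored modules may be bzip2-compressed.

```python
import bz2
import pathlib
import re
from collections import defaultdict

# Constructed CIL fragments standing in for three installed modules. The docker one
# re-declares a boolean that the virt module already owns, reproducing the error.
MODULES = {
    "100/virt/cil": """\
(boolean virt_use_nfs false)
(boolean virt_sandbox_use_fusefs false)
(booleanif virt_sandbox_use_fusefs
    (true (allow svirt_sandbox_domain fusefs_t (dir (read)))))
""",
    "100/docker/cil": """\
; duplicate declaration of a boolean already owned by the virt module
(boolean virt_sandbox_use_fusefs false)
(boolean docker_connect_any false)
""",
    "400/my-gnomeshell/cil": """\
(typeattributeset cil_gen_require xdm_t)
(allow xdm_t default_t (lnk_file (read)))
""",
}

# A boolean declaration: (boolean <name> true|false). 'booleanif' does not match because
# the keyword must be followed by whitespace.
BOOL_DECL = re.compile(r'\(\s*boolean\s+([A-Za-z_]\w*)\s+(true|false)\s*\)')


def strip_comment(line):
    """CIL comments run from ';' to end of line."""
    return line.split(";", 1)[0]


def boolean_declarations(modules):
    """Map boolean name -> list of (module path, line number) declaring it."""
    decls = defaultdict(list)
    for path, text in modules.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in BOOL_DECL.finditer(strip_comment(line)):
                decls[m.group(1)].append((path, lineno))
    return decls


def find_redeclared(modules):
    """Booleans declared in more than one module; semodule refuses to build such a store."""
    return {name: locs for name, locs in boolean_declarations(modules).items() if len(locs) > 1}


def load_store(root):
    """Hypothetical helper: read every <priority>/<name>/cil below root (for example
    /var/lib/selinux/targeted/active/modules), decompressing bzip2-stored modules."""
    modules = {}
    for cil in sorted(pathlib.Path(root).glob("*/*/cil")):
        raw = cil.read_bytes()
        if raw.startswith(b"BZh"):  # bzip2 magic
            raw = bz2.decompress(raw)
        modules[str(cil.relative_to(root))] = raw.decode("utf-8", errors="replace")
    return modules


def report(modules):
    """One line per conflicting boolean, listing each declaring module as module/cil:line."""
    lines = []
    for name, locs in find_redeclared(modules).items():
        where = ", ".join(f"{path}:{lineno}" for path, lineno in locs)
        lines.append(f"boolean {name} declared {len(locs)} times: {where}")
    return "\n".join(lines) or "no re-declared booleans"


if __name__ == "__main__":
    print(report(MODULES))
```

Running it on the constructed store prints `boolean virt_sandbox_use_fusefs declared 2 times: 100/virt/cil:2, 100/docker/cil:2`, which names the two packages that have to be reconciled; on a real system the same check run via `load_store` before installing a module would flag the conflict without the install having to fail first.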

Comment 4 Daniel Walsh 2016-12-01 14:45:36 UTC
yum update docker-selinux or container-selinux.

Comment 5 Paolo Antinori 2016-12-01 15:00:29 UTC
Thank you Dan, that worked.

Apparently I was on

docker-engine-selinux from the VirtualBox repo (http://public-yum.oracle.com/repo/OracleLinux/OL7/addons/$basearch/)

This fixed the issue:

```
sudo dnf install container-selinux --allowerasing


...
Installing:
 container-selinux                                             x86_64                                         2:1.12.3-10.git7b5044b.fc25                                           updates                                              81 k
Removing:
 docker-engine-selinux                                         noarch                                         1.12.2-1.0.1.el7                                                      @VirtualBox                                          48 k


...
```

Comment 6 Daniel Walsh 2016-12-01 16:49:45 UTC
Yes, please use the distro's version of docker and the docker/container-selinux packages.
