Bug 1412747 - fixfiles spams warnings about debugfs. (docs say it only touches "real" filesystems!)
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-01-12 16:53 UTC by Alan Jenkins
Modified: 2017-12-12 10:06 UTC (History)

Last Closed: 2017-12-12 10:06:32 UTC
Type: Bug



Description Alan Jenkins 2017-01-12 16:53:16 UTC
Description of problem:

`fixfiles check` or `fixfiles -v restore` generates very noisy messages, because it thinks `/sys/kernel/debug` needs to be relabelled, and it does not know what label to apply.

# fixfiles -v restore
...
/sbin/setfiles:  Warning no default label for /sys/kernel/debug/mei_wdt
...

$ man fixfiles
...
      By  default  it  will  relabel all mounted ext2, ext3, xfs and jfs file
      systems as long as they do not have a security  context  mount  option.


Version-Release number of selected component (if applicable):
policycoreutils-2.5-19.fc25.x86_64


How reproducible: always

Steps to Reproduce:
1. Run `fixfiles check` with full privileges e.g. using `sudo`.


Actual results:

Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
Checking / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run /run/user/1000 /run/user/1001 /run/user/42 /sys /sys/fs/pstore /sys/kernel/debug /tmp
...
/sbin/setfiles:  Warning no default label for /sys/kernel/debug/mei_wdt
...


Expected results:

1. "Warning no default label" should not be spammed on a clean system.

2. It is expected for debugfs to have new files chucked into it, so SELinux should not be configured to complain about files it doesn't know about.  If a default label is required, it can easily default to "access via sudo only".  debugfs is for debugging the kernel, it should *not* be used by any system service.

3. fixfiles' behaviour should not outright violate the spirit and letter of `man fixfiles`.

4. If the behaviour is actually intended, `man fixfiles` should explain WTF it wants to touch filesystems like /sys/.

Even if they are not intended to generate warnings, this behaviour is highly surprising.  The files in virtual filesystems like sysfs are created by the kernel during boot, and I can find no mechanism to tell the _kernel_ what label each individual file should be created with.  My prior assumption was that if there was any label, it would be simply blanket-applied to the whole of sysfs, and any attempt of tools like fixfiles to change labels one file at a time would fail.
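Added example, not part of the bug report and not fixfiles' own selection logic: it applies the rule quoted from `man fixfiles` to a mount table and reports which paths from a "Checking ..." line fall outside that rule. The mount table is constructed, the function names are hypothetical, and treating `context=`, `fscontext=`, `defcontext=` and `rootcontext=` as the "security context mount option" is an assumption.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda2 / xfs rw,seclabel,relatime 0 0
/dev/sda1 /boot ext3 rw,seclabel,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,relatime 0 0
mqueue /dev/mqueue mqueue rw,seclabel,relatime 0 0
/dev/sdb1 /mnt/usb xfs rw,context=system_u:object_r:removable_t:s0 0 0'

# classify_mounts: stdin is a mount table; prints "<mountpoint> <fstype> <verdict>".
# verdict is "documented" only for the filesystem types the man page names
# (ext2, ext3, xfs, jfs) when no context mount option is present.
classify_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        case "$fstype" in
            ext2|ext3|xfs|jfs) verdict=documented ;;
            *)                 verdict=other-fstype ;;
        esac
        # Assumption: these four options are what the man page means by
        # "a security context mount option".
        case ",$opts," in
            *,context=*|*,fscontext=*|*,defcontext=*|*,rootcontext=*)
                if [ "$verdict" = documented ]; then verdict=context-mount; fi ;;
        esac
        printf '%s %s %s\n' "$mnt" "$fstype" "$verdict"
    done
}

# undocumented_checked: $1 is the mount table text, $2 the space-separated
# paths copied from a "Checking ..." line. Prints each path that the
# man-page rule would not have selected, with its filesystem type.
undocumented_checked() {
    table=$(printf '%s\n' "$1" | classify_mounts)
    for p in $2; do
        printf '%s\n' "$table" |
            awk -v p="$p" '$1 == p && $3 != "documented" { print $1 " (" $2 ")" }'
    done
}

# Paths taken from the "Checking" line in the report, limited to those
# present in the constructed table above.
undocumented_checked "$SAMPLE_MOUNTS" "/ /boot /sys /sys/kernel/debug /dev/mqueue"
```

On a live system, pass the contents of `/proc/mounts` as the first argument and the paths printed after "Checking" as the second.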

Comment 1 Alan Jenkins 2017-01-12 23:56:44 UTC
Current behaviour has been explained in this thread: https://www.spinics.net/lists/selinux/msg21225.html

Comment 2 Stephen Smalley 2017-01-13 13:49:37 UTC
The warning is a bug/regression.  Will take it up on the mailing list.

Comment 3 Stephen Smalley 2017-01-13 15:31:37 UTC
Actually, the warning isn't a regression, although I think it is unhelpful and should be removed.

Comment 4 Fedora End Of Life 2017-11-16 18:39:16 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 5 Alan Jenkins 2017-11-16 19:27:15 UTC
Co-incidentally, the just-released Fedora 27 is the first to include the version with the fix -

https://github.com/SELinuxProject/selinux/commit/1cd972fc81757d6157afa192da99473243dfce8b

It still triggers on the file /dev/mqueue/, but that's it.  (I expect it could be avoided by copying the way the two rules for /dev/hugepages/ work).  Much easier to ignore than the previous spam.

Comment 6 Fedora End Of Life 2017-12-12 10:06:32 UTC
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

