Bug 1433577 - policycoreutils setfiles >= 2.6 does .. nothing
Summary: policycoreutils setfiles >= 2.6 does .. nothing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libselinux
Version: 26
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: TRACKER-bugs-affecting-libguestfs
Reported: 2017-03-18 10:43 UTC by Richard W.M. Jones
Modified: 2017-12-14 11:48 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-14 11:48:41 UTC
Type: Bug


Attachments:
test-suite.log (57.21 KB, text/plain)
2017-03-18 10:43 UTC, Richard W.M. Jones

Description Richard W.M. Jones 2017-03-18 10:43:01 UTC
Created attachment 1264349 [details]
test-suite.log

Description of problem:

Literally, it doesn't relabel anything.

# setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/selinux -e /sysroot/sys -r /sysroot -q /sysroot/etc/file_contexts /sysroot/
Can't stat exclude path "/sysroot/dev", No such file or directory - ignoring.
Can't stat exclude path "/sysroot/proc", No such file or directory - ignoring.
Can't stat exclude path "/sysroot/selinux", No such file or directory - ignoring.
Can't stat exclude path "/sysroot/sys", No such file or directory - ignoring.
# echo $?
0

But no files actually get relabelled.

libguestfs: trace: lgetxattr "/bin" "security.selinux"
guestfsd: error: getxattr: No data available

Version-Release number of selected component (if applicable):

Failing in: policycoreutils-2.6-3.fc26.x86_64
Working in: policycoreutils-2.5-19.fc25.x86_64

How reproducible:

100%

Steps to Reproduce:
1. Run this test from the libguestfs test suite:
https://github.com/libguestfs/libguestfs/blob/master/tests/relabel/test-relabel.pl

The full output from the test is attached.

Comment 1 Richard W.M. Jones 2017-03-20 10:46:02 UTC
This also affects real guests.  It appears to be the root cause
behind virt-customize firstboot functionality not working for
Fedora 25 guests.

Comment 2 Petr Lautrbach 2017-03-20 11:49:25 UTC
The command itself seems to work as expected on a regular system, see below. I guess the problem is in the fact that there's no "security.selinux" attribute in the filesystem:

libguestfs: trace: lgetxattr "/bin" "security.selinux"
guestfsd: error: getxattr: No data available


$ rpm -qf /usr/sbin/setfiles 
policycoreutils-2.6-3.fc26.x86_64

$ mkdir -p sysroot/bin sysroot/etc/ sysroot/tmp sysroot/var/log        

$ touch sysroot/bin/ls sysroot/tmp/test sysroot/var/log/messages 

$ cat > sysroot/etc/file_contexts <<EOF                                                                                                                                                         
/.*                system_u:object_r:default_t:s0
/bin/.*            system_u:object_r:bin_t:s0
/etc/.*            system_u:object_r:etc_t:s0
/etc/file_contexts <<none>>
/tmp/.*            <<none>>
/var/.*            system_u:object_r:var_t:s0
/var/log/.*        system_u:object_r:var_log_t:s0
EOF

$ ls -lZ sysroot/var/log/messages                                      
-rw-rw-r--. 1 plautrba plautrba unconfined_u:object_r:user_tmp_t:s0 0 Mar 20 09:16 sysroot/var/log/messages

$ setfiles -F -e `pwd`/sysroot/dev -e `pwd`/sysroot/proc -e `pwd`/sysroot/selinux -e `pwd`/sysroot/sys -r `pwd`/sysroot -q `pwd`/sysroot/etc/file_contexts `pwd`/sysroot
Can't stat exclude path "/home/plautrba/tmp/sysroot/dev", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/proc", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/selinux", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/sys", No such file or directory - ignoring.

$ ls -lZ sysroot/var/log/messages                                                                                                                                       
-rw-rw-r--. 1 plautrba plautrba system_u:object_r:var_log_t:s0 0 Mar 20 09:16 sysroot/var/log/messages

or with -vv

$ setfiles -vv -F -e `pwd`/sysroot/dev -e `pwd`/sysroot/proc -e `pwd`/sysroot/selinux -e `pwd`/sysroot/sys -r `pwd`/sysroot `pwd`/sysroot/etc/file_contexts `pwd`/sysroot
Can't stat exclude path "/home/plautrba/tmp/sysroot/dev", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/proc", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/selinux", No such file or directory - ignoring.
Can't stat exclude path "/home/plautrba/tmp/sysroot/sys", No such file or directory - ignoring.
Relabeled /home/plautrba/tmp/sysroot from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Relabeled /home/plautrba/tmp/sysroot/bin from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Relabeled /home/plautrba/tmp/sysroot/bin/ls from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:bin_t:s0
Relabeled /home/plautrba/tmp/sysroot/etc from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Warning no default label for /etc/file_contexts
Relabeled /home/plautrba/tmp/sysroot/tmp from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Warning no default label for /tmp/test
Relabeled /home/plautrba/tmp/sysroot/var from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:default_t:s0
Relabeled /home/plautrba/tmp/sysroot/var/log from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:var_t:s0
Relabeled /home/plautrba/tmp/sysroot/var/log/messages from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:var_log_t:s0
filespec hash table stats: 8 elements, 8/65536 buckets used, longest chain length 1

Comment 3 Richard W.M. Jones 2017-03-20 11:59:13 UTC
(In reply to Petr Lautrbach from comment #2)
> The command itself seems to work as expected on a regular system, see
> below. I guess the problem is in the fact that there's no
> "security.selinux" attribute in the filesystem:
> 
> libguestfs: trace: lgetxattr "/bin" "security.selinux"
> guestfsd: error: getxattr: No data available

I'm not really clear what that means.  Does it mean we have to create
the security.selinux attribute beforehand?  Or has the name of the
extended attribute changed?  Or are xattrs no longer used to store
selinux labels?  Or do we need to use some mount options?

Comment 4 Richard W.M. Jones 2017-03-20 12:00:15 UTC
I should also note the exact same set of tests work fine with
the older setfiles version.

Comment 5 Petr Lautrbach 2017-03-20 12:04:15 UTC
I'm investigating it.

The name of attribute hasn't changed, it shouldn't be needed to create it beforehand since libselinux should be able to set it even when it's not set yet.

Comment 6 Petr Lautrbach 2017-03-20 12:38:46 UTC
It's a bug in libselinux. It can be reproduced in a system with SELinux disabled:

# sestatus
SELinux status:                 disabled

# setfiles -F -e `pwd`/sysroot/dev -e `pwd`/sysroot/proc -e `pwd`/sysroot/selinux -e `pwd`/sysroot/sys -r `pwd`/sysroot -q `pwd`/sysroot/etc/file_contexts `pwd`/sysroot
Can't stat exclude path "/root/sysroot/dev", No such file or directory - ignoring.
Can't stat exclude path "/root/sysroot/proc", No such file or directory - ignoring.
Can't stat exclude path "/root/sysroot/selinux", No such file or directory - ignoring.
Can't stat exclude path "/root/sysroot/sys", No such file or directory - ignoring.
[1]    18233 segmentation fault (core dumped)  setfiles -F -e `pwd`/sysroot/dev -e `pwd`/sysroot/proc -e  -e  -r  -q


The following patch should fix it:

--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -663,7 +663,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
                curcon = NULL;
        }

-       if (strcmp(curcon, newcon) != 0) {
+       if (curcon == NULL || strcmp(curcon, newcon) != 0) {
                if (!flags->set_specctx && curcon &&
                                    (is_context_customizable(curcon) > 0)) {
                        if (flags->verbose) {
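Review bot: the added `curcon == NULL ||` guard is the right fix for the crash, because the branch that ends just above the changed line (`curcon = NULL;`) leaves curcon unset when the current label cannot be read, and the old `strcmp(curcon, newcon)` then dereferences NULL, which is the segmentation fault seen with SELinux disabled. Before merging, check the rest of this block for the same assumption: the inner condition already tolerates NULL (`flags->set_specctx && curcon && ...`), but any later strcmp() or free() of curcon in the relabel path below the hunk needs the same treatment, and a one-line comment saying that a missing security.selinux label is deliberately treated as "differs, relabel" would make the intent explicit for the next reader.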


A scratch build is available at https://koji.fedoraproject.org/koji/taskinfo?taskID=18488622

Comment 7 Richard W.M. Jones 2017-03-20 13:00:14 UTC
(In reply to Petr Lautrbach from comment #6)
> It's a bug in libselinux. It can be reproduced in a system with SELinux
> disabled:

Yes, I forgot to mention that the libguestfs appliance runs with SELinux
disabled (internally to the appliance, still enabled on the host of course).

> A scratch build is available at
> https://koji.fedoraproject.org/koji/taskinfo?taskID=18488622

I'm afraid that I don't think this fixes the problem.  It seems to fail
in the same way as before.

I don't think that setfiles was dumping core before.

Comment 8 Richard W.M. Jones 2017-03-20 16:43:53 UTC
What with everything being in a VM and needing a new RPM built
every time, the compile-debug cycle is about 10 minutes.

The patch in comment 6 is needed, but it's not the whole story.

I finally found out what's going wrong.  Any path under
/sysroot is rejected by the function selinux_restorecon.c:check_excluded.

I added some debugging to this function, and the list of excludes
is peculiar:

static int check_excluded(const char *file)
{
	int i;

	fprintf (stderr, "check_excluded file=%s\n", file);
	for (i = 0; i < exclude_count; i++) {
		fprintf (stderr, "compare %s to %s\n",
		         file, exclude_lst[i].directory);
...
check_excluded file=/sysroot/
compare /sysroot/ to /
compare /sysroot/ to /proc
compare /sysroot/ to /sys
compare /sysroot/ to /run
compare /sysroot/ to /dev
compare /sysroot/ to /dev/pts
compare /sysroot/ to /sysroot   # this leads to the whole subdir being excluded

On the setfiles command line I specified:

  -e /sysroot/dev -e /sysroot/proc -e /sysroot/selinux -e /sysroot/sys

which doesn't include any of the paths above.  It seems to have excluded all
mounted directories in the appliance.

It seems this is a new "feature" of setfiles, which you have to turn off using
the "-m" flag on the command line.

This was added by upstream commit:

commit f2e77865e144ab2e1313aa78d99b969f8f48695e
Author: Richard Haines <richard_c_haines@btinternet.com>
Date:   Tue Jul 26 09:44:17 2016 +0100
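The mechanism described in comment 8 (every non-seclabel mount point from /proc/mounts is added to the exclude list unless setfiles is given -m, and an exclude of /sysroot swallows the whole target tree) and the file_contexts matching shown in comment 2 can be modelled in a few dozen lines. The following is an added example written for this page, not code from libselinux or libguestfs: the mount table, the file tree and its current labels are constructed, the function name check_excluded is borrowed from the debug snippet above, and the other names (non_seclabel_mounts, lookup, plan_relabel) are this example's own. It reproduces the component-boundary prefix test, the -r root stripping, the last-match-wins rule of file_contexts with <<none>> entries skipped, and the "missing label counts as different" comparison that the libselinux patch in comment 6 introduces.

```python
"""Model of how setfiles (libselinux 2.6, selinux_restorecon) decides what to
relabel: user excludes (-e), the automatic exclusion of mounts that lack the
"seclabel" mount option (turned off by -m), root stripping (-r) and
file_contexts matching.  Illustrative re-implementation for this page, not
libselinux code; mount table, file tree and labels below are constructed."""
import re

# Constructed: /proc/mounts inside the appliance.  SELinux is disabled there,
# so no mount carries "seclabel" and every mount point, /sysroot included,
# ends up on the exclude list unless the caller asks to ignore mounts (-m).
PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=4096k,nr_inodes=1024,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
/dev/sda1 /sysroot ext4 rw,relatime 0 0
"""

# Constructed: the guest's file_contexts, same entries as comment 2.
FILE_CONTEXTS = """\
/.*                system_u:object_r:default_t:s0
/bin/.*            system_u:object_r:bin_t:s0
/etc/.*            system_u:object_r:etc_t:s0
/etc/file_contexts <<none>>
/tmp/.*            <<none>>
/var/.*            system_u:object_r:var_t:s0
/var/log/.*        system_u:object_r:var_log_t:s0
"""

# Constructed: current labels; None models a missing security.selinux xattr
# (lgetxattr -> ENODATA), which is what libguestfs saw on the guest.
TREE = {
    "/sysroot": None, "/sysroot/bin": None, "/sysroot/bin/ls": None,
    "/sysroot/etc": None, "/sysroot/etc/file_contexts": None,
    "/sysroot/tmp": None, "/sysroot/tmp/test": None,
    "/sysroot/var": None, "/sysroot/var/log": None,
    "/sysroot/var/log/messages": "system_u:object_r:var_log_t:s0",
}

# The -e arguments from the original setfiles command line.
USER_EXCLUDES = ["/sysroot/dev", "/sysroot/proc", "/sysroot/selinux", "/sysroot/sys"]


def non_seclabel_mounts(proc_mounts):
    """Mount points whose option list lacks 'seclabel'."""
    mounts = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "seclabel" not in fields[3].split(","):
            mounts.append(fields[1])
    return mounts


def check_excluded(path, excludes):
    """Prefix match on a path-component boundary: an exclude of /sysroot
    covers /sysroot and /sysroot/anything but not /sysroot2."""
    for d in excludes:
        if path.startswith(d) and (len(path) == len(d) or path[len(d)] == "/"):
            return True
    return False


def parse_file_contexts(text):
    """Return [(compiled regex, context or None)]; None encodes <<none>>."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ctx = None if fields[-1] == "<<none>>" else fields[-1]
        specs.append((re.compile(fields[0]), ctx))
    return specs


def lookup(specs, spec_path):
    """file_contexts semantics: the last matching entry wins.  Returns
    (matched, context); context None means the winning entry was <<none>>."""
    for regex, ctx in reversed(specs):
        if regex.fullmatch(spec_path):
            return True, ctx
    return False, None


def plan_relabel(tree, specs, root, user_excludes, proc_mounts, ignore_mounts=False):
    """Return {path: new_context} for every entry setfiles would relabel."""
    excludes = list(user_excludes)
    if not ignore_mounts:                      # default in 2.6; -m skips this
        excludes += non_seclabel_mounts(proc_mounts)
    changes = {}
    for path, curcon in sorted(tree.items()):
        if check_excluded(path, excludes):
            continue
        spec_path = path[len(root):] or "/"    # -r ROOT strips the prefix
        matched, newcon = lookup(specs, spec_path)
        if not matched or newcon is None:      # "Warning no default label ..."
            continue
        # The libselinux 2.6 crash was strcmp(curcon, newcon) with curcon NULL;
        # the fix treats a missing label as different from newcon.
        if curcon is None or curcon != newcon:
            changes[path] = newcon
    return changes


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for ignore in (False, True):
        plan = plan_relabel(TREE, specs, "/sysroot", USER_EXCLUDES, PROC_MOUNTS, ignore)
        print("ignore_mounts=%s: %d relabels" % (ignore, len(plan)))
        for path, ctx in plan.items():
            print("  Relabeled %s to %s" % (path, ctx))
```

Run as-is, the default pass (no -m) plans zero relabels because /sysroot itself is on the mount-derived exclude list, which is the "does nothing" of the bug title; the -m pass plans the seven relabels that match the -vv output in comment 2 (messages already carries var_log_t, and the two <<none>> entries are skipped).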

Comment 9 Petr Lautrbach 2017-03-22 09:46:34 UTC
https://koji.fedoraproject.org/koji/taskinfo?taskID=18517231 libselinux-2.6-4.fc26

https://koji.fedoraproject.org/koji/taskinfo?taskID=18517229 libselinux-2.6-4.fc27

Comment 10 Fedora Update System 2017-04-06 16:16:41 UTC
policycoreutils-2.6-5.fc26 and libselinux-2.6-5.fc26 have been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f21a1bffda

Comment 11 Fedora Update System 2017-04-07 21:21:09 UTC
libselinux-2.6-5.fc26 and policycoreutils-2.6-5.fc26 have been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f21a1bffda

Comment 12 Fedora Update System 2017-04-12 14:51:11 UTC
libselinux-2.6-5.fc26 and policycoreutils-2.6-5.fc26 have been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

