Bug 1461978 - SELinux denies 'execute' for /usr/libexec/nm-dispatcher on boot after install from Atomic Host installer image
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: ostree
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Colin Walters
QA Contact: Fedora Extras Quality Assurance
Blocks: 1462976
Reported: 2017-06-15 19:18 UTC by Adam Williamson
Modified: 2017-06-23 01:56 UTC
Fixed In Version: ostree-2017.7-2.fc26 ostree-2017.7-2.fc25
Clones: 1462976
Last Closed: 2017-06-22 13:36:50 UTC
Type: Bug


Attachments
more selinux denials (13.25 KB, text/plain), 2017-06-15 19:40 UTC, Dusty Mabe

Links
Red Hat Bugzilla 1463035 (CLOSED): SELinux denies 'entrypoint' for gdm-session-worker on /etc/gdm/PreSession/Default on boot of ostree Workstation install (last updated 2021-02-22 00:41:40 UTC)

Description Adam Williamson 2017-06-15 19:18:59 UTC
The openQA default-install-and-boot test for the Atomic Host installer image is showing several instances of one SELinux denial immediately after boot:

type=AVC msg=audit(1497548408.952:169): avc: denied { execute } for pid=998 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=28911 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file permissive=0

with each occurrence the pid of the nm-dispatcher process changes, so it seems like perhaps this denial causes the operation (whatever exactly nm-dispatcher is doing, I'm not sure) to fail and then it is immediately retried, hits the denial, and fails again. This doesn't seem to prevent networking from working.

This seems to have started happening between Fedora-26-20170605.n.0 (which would have been effectively identical to Beta) and Fedora-26-20170611.n.1 (which was the first successful post-Beta-freeze compose, with all the packages queued for stable during the Beta freeze included).

Comment 1 Dusty Mabe 2017-06-15 19:40:30 UTC
Created attachment 1288165
more selinux denials

Comment 2 Dusty Mabe 2017-06-15 19:50:38 UTC
The denials in that attachment are from an atomic host vagrant box (i.e. not just the installer, but the installed system).

Comment 3 Dusty Mabe 2017-06-15 20:11:25 UTC
```
[root@vanilla-f26atomic ~]# rpm-ostree status
State: idle
Deployments:
● fedora-atomic:fedora/26/x86_64/atomic-host
             Version: 26.59 (2017-06-12 02:00:29)
              Commit: 95283eba36118de8b065ca29c079760cc82394e0128aadf8f32bb867454b64fb
[root@vanilla-f26atomic ~]# rpm -q selinux-policy
selinux-policy-3.13.1-254.fc26.noarch
[root@vanilla-f26atomic ~]# rpm -q kernel
kernel-4.11.0-2.fc26.x86_64
[root@vanilla-f26atomic ~]# rpm -q NetworkManager
NetworkManager-1.8.0-4.fc26.x86_64
```

Comment 4 Dusty Mabe 2017-06-15 20:14:10 UTC
also seeing on a host with newer versions:

```
[root@f26-updates-testing ~]# rpm -q selinux-policy NetworkManager kernel
selinux-policy-3.13.1-257.fc26.noarch
NetworkManager-1.8.0-5.fc26.x86_64
kernel-4.11.4-300.fc26.x86_64
```

Comment 5 Daniel Walsh 2017-06-15 21:40:23 UTC
Looks like 10-ifcfg-rh-routes.sh has the wrong type on it: it is labeled as a NetworkManager config file instead of an executable.

Comment 6 Daniel Walsh 2017-06-16 09:52:48 UTC
What is the path to 10-ifcfg-rh-routes.sh?

```
matchpathcon /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
/etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh	system_u:object_r:NetworkManager_initrc_exec_t:s0

restorecon -R -v /etc/NetworkManager
```

Should fix the label.

Comment 7 Dusty Mabe 2017-06-16 13:18:09 UTC

```
[root@vanilla-f26atomic ~]# ls -lZ /etc/NetworkManager/dispatcher.d/*
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  175 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/00-netreport
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  100 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/04-iscsi
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0 1056 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  933 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/11-dhclient
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  436 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/20-chrony
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  719 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/hook-network-manager

/etc/NetworkManager/dispatcher.d/no-wait.d:
total 0
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_etc_t:s0 24 Jun 12 02:37 10-ifcfg-rh-routes.sh -> ../10-ifcfg-rh-routes.sh

/etc/NetworkManager/dispatcher.d/pre-down.d:
total 0

/etc/NetworkManager/dispatcher.d/pre-up.d:
total 0
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_etc_t:s0 34 Jun 12 02:37 10-ifcfg-rh-routes.sh -> ../no-wait.d/10-ifcfg-rh-routes.sh

[root@vanilla-f26atomic ~]# ls -lZ /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh 
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0 1056 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
```

Comment 8 Daniel Walsh 2017-06-16 13:22:29 UTC
Did restorecon fix the labels?

Comment 9 Dusty Mabe 2017-06-16 13:28:22 UTC

```
[root@vanilla-f26atomic ~]# restorecon -R -v /etc/NetworkManager 
Relabeled /etc/NetworkManager/dispatcher.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/00-netreport from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/04-iscsi from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/11-dhclient from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/20-chrony from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/hook-network-manager from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/no-wait.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/no-wait.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-down.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-up.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-up.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/system-connections from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_etc_rw_t:s0
```

Comment 10 Colin Walters 2017-06-16 13:39:37 UTC
This might be a regression from https://github.com/ostreedev/ostree/pull/797

`restorecon -nvR /etc/`

shows a lot of diffs.

Comment 11 Colin Walters 2017-06-16 13:48:01 UTC
This reproduces in F25AH too, starting from:

```
  fedora-atomic:fedora-atomic/25/x86_64/docker-host
             Version: 25.137 (2017-06-04 23:31:40)
              Commit: 0ed61d7441eddf96e6a98de4f10f4675268c7888b6d2b8a405b8c21fe6c92d23
```

Then

```
$ rpm-ostree deploy 25.136
$ systemctl reboot
...
$ restorecon -nvR /etc
```

Comment 12 Dusty Mabe 2017-06-16 13:51:45 UTC
Is there a specific test we can add for this to the atomic-host-tests suite?

Comment 13 Colin Walters 2017-06-16 15:03:58 UTC
https://github.com/ostreedev/ostree/pull/936

There's an installed test case there - which gets back to https://github.com/projectatomic/atomic-host-tests/issues/74
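
A label-drift check of the kind comment 12 asks for, written here as an added example (it is not the bug's, ostree's or atomic-host-tests' own code): it parses both `restorecon -nv` output shapes quoted in this bug and fails when anything under /etc would be relabeled. The function names and the embedded sample lines are mine; the restorecon flags are the ones used in the comments above.

```shell
#!/bin/sh
# Added example, not from the bug report or from ostree/atomic-host-tests.
# Dry-run restorecon and fail on any pending relabel. Two output shapes are
# parsed: "Relabeled PATH from CUR to EXP" (comment 9) and
# "restorecon reset PATH context CUR->EXP" (comment 16).
# Assumes paths contain neither " from " nor " context ".

# Read restorecon -nv output on stdin; print "path<TAB>current<TAB>expected"
# for every entry whose on-disk label differs from the policy's file context.
parse_drift() {
    awk '
        /^Relabeled .* from .* to / {
            sub(/^Relabeled /, "")
            n = index($0, " from "); path = substr($0, 1, n - 1)
            rest = substr($0, n + 6); m = index(rest, " to ")
            printf "%s\t%s\t%s\n", path, substr(rest, 1, m - 1), substr(rest, m + 4)
            next
        }
        /^restorecon reset .* context / {
            sub(/^restorecon reset /, "")
            n = index($0, " context "); path = substr($0, 1, n - 1)
            rest = substr($0, n + 9); m = index(rest, "->")
            printf "%s\t%s\t%s\n", path, substr(rest, 1, m - 1), substr(rest, m + 2)
            next
        }
    '
}

# Number of drifted entries on stdin.
count_drift() { parse_drift | wc -l | tr -d ' '; }

# Live check for an SELinux host (needs root): returns 0 if /etc is clean,
# 1 if any path would be relabeled, 2 if restorecon is unavailable.
check_etc_labels() {
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not found" >&2; return 2; }
    n=$(restorecon -nvR /etc | count_drift)
    [ "$n" -eq 0 ]
}

# Constructed sample, shaped after the output quoted in comments 9 and 16.
SAMPLE='Relabeled /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
restorecon reset /etc/sysconfig/anaconda context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
Relabeled /etc/NetworkManager/system-connections from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_etc_rw_t:s0'

# Demo on the sample: list the drift, then the count.
printf '%s\n' "$SAMPLE" | parse_drift
echo "drifted entries: $(printf '%s\n' "$SAMPLE" | count_drift)"
```

On a real host, `check_etc_labels` is the function to wire into a test runner; the sample exists only so the parser can be exercised where restorecon is absent.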

Comment 14 Fedora Update System 2017-06-19 18:21:27 UTC
ostree-2017.7-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b464a11e7

Comment 15 Fedora Update System 2017-06-19 20:03:27 UTC
ostree-2017.7-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d194990d45

Comment 16 Dusty Mabe 2017-06-20 17:17:11 UTC
I don't think this actually affects F25AH. The commit [1] from the #797 PR you linked to only made it into 2017.6, which wasn't in F25.

```
$ koji latest-build f25-updates ostree
Build                                     Tag                   Built by
----------------------------------------  --------------------  ----------------
ostree-2017.6-2.fc25                      f25-updates           walters
```


Also here is what I see from today's cloud image [2]:

```
[root@cloudhost ~]# restorecon -vnR /etc/
restorecon reset /etc/sysconfig/anaconda context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
```

[1] https://github.com/ostreedev/ostree/commit/e8efd1c8dcaad8fbd3b05c400972d237406263e7
[2] https://kojipkgs.fedoraproject.org/compose/twoweek/Fedora-Atomic-25-20170620.1/compose/CloudImages/x86_64/images/Fedora-Atomic-25-20170620.1.x86_64.qcow2

Comment 17 Dusty Mabe 2017-06-20 17:21:02 UTC
(In reply to Dusty Mabe from comment #16)
> I don't think this actually affects F25AH. The commit [1] from the #797 PR
> you linked to only made it into 2017.6, which wasn't in F25.
> 
> ```
> $ koji latest-build f25-updates ostree
> Build                                     Tag                   Built by
> ----------------------------------------  --------------------  ----------------
> ostree-2017.6-2.fc25                      f25-updates           walters

Correction: that is 2017.6 in f25, but I still don't know why we don't see the problem as shown by the restorecon output.

Comment 18 Dusty Mabe 2017-06-20 17:44:57 UTC
OK, more info now: the qcow images we create are most likely built with an older ostree (from the installer), which means they won't show the problem, but if we do an upgrade/deploy the files will get relabeled with an incorrect label.

I verified this behavior and that it is fixed with the new RPM in testing.

Comment 19 Fedora Update System 2017-06-21 04:27:28 UTC
ostree-2017.7-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d194990d45

Comment 20 Fedora Update System 2017-06-21 06:21:20 UTC
ostree-2017.7-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b464a11e7

Comment 21 Fedora Update System 2017-06-22 13:36:50 UTC
ostree-2017.7-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2017-06-23 01:56:49 UTC
ostree-2017.7-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

