Bug 1465650 - 'unlabeled_t' files found in /usr when using RHELAH 7.4
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rhel-server-atomic
Version: 7.4
Target Milestone: rc
Assigned To: Colin Walters
QA Contact: atomic-bugs@redhat.com
Keywords: Extras
Reported: 2017-06-27 16:48 EDT by Micah Abbott
Modified: 2017-07-31 12:00 EDT
Description Micah Abbott 2017-06-27 16:48:06 EDT
Going to start by saying this is probably the wrong component, but I haven't been able to come up with a super reliable reproducer....

While running our 'improved-sanity-tests', we are seeing the following files being flagged as being 'unlabeled_t' after an upgrade to 7.4:

/usr/lib/systemd/systemd-bootchart
/usr/lib/systemd/systemd-initctl
/usr/lib/systemd/system/systemd-bootchart.service 


I found the following relevant messages in the journal:

Jun 27 19:14:16 host-172-16-69-238 kernel: SELinux:  Context system_u:object_r:systemd_bootchart_exec_t:s0 is not valid (left unmapped).
Jun 27 19:15:37 host-172-16-69-238 kernel: SELinux:  Context system_u:object_r:systemd_bootchart_unit_file_t:s0 is not valid (left unmapped).
Jun 27 19:15:37 host-172-16-69-238 kernel: SELinux:  Context system_u:object_r:systemd_initctl_exec_t:s0 is not valid (left unmapped).


The trouble is that I am unable to reproduce this manually.  It only seems to be teased out during the automation.

Just reporting this here until we can get some more info.


Found using:

# rpm-ostree status
State: idle
Deployments:
● custom:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-06-27 16:55:35)
                 Commit: 13b30690b7573d0749bf15d0e60394a5ee939a70f5272f4982fa29209042e7ad
Comment 2 Colin Walters 2017-06-27 17:57:57 EDT
This is probably related to doing a 7.3 → 7.4 upgrade.
Comment 3 Colin Walters 2017-06-28 10:19:50 EDT
Hm, things seem OK in a manual test here too.

Offhand, I'd suspect this is related to rpm-ostree not running as install_t.  What's the upgrade starting point?
Comment 4 Micah Abbott 2017-06-28 10:29:57 EDT
Starting point was 7.3.6
Comment 7 Micah Abbott 2017-07-21 12:43:14 EDT
Reproducer:

1.  Boot 7.3.6
2.  Toggle a SELinux boolean

semanage boolean --m --on virt_use_nfs

3.  Rebase/Upgrade to 7.4
4.  Reboot
5.  Check for unlabeled_t

# find /usr -context '*:unlabeled_t:*'
/usr/lib/systemd/systemd-bootchart
/usr/lib/systemd/systemd-initctl
/usr/lib/systemd/system/systemd-bootchart.service



Upstream issue - https://github.com/ostreedev/ostree/issues/1026
Comment 8 Micah Abbott 2017-07-31 12:00:03 EDT
Worth noting here, when I did an upgrade from 7.3.6 to 7.4 on a bare metal system using the physical KVM, I saw the following messages printed to the console:

Jul 31 11:54:21 dhcp-41-200.bos.redhat.com kernel: SELinux:  Context system_u:object_r:systemd_bootchart_unit_file_t:s0 is not valid (left unmapped).
Jul 31 11:54:23 dhcp-41-200.bos.redhat.com kernel: SELinux:  Context system_u:object_r:systemd_initctl_exec_t:s0 is not valid (left unmapped).
Jul 31 11:54:24 dhcp-41-200.bos.redhat.com kernel: SELinux:  Context system_u:object_r:systemd_bootchart_exec_t:s0 is not valid (left unmapped).


When doing the same upgrade via an SSH session, these messages were not directly observed.  But I can find them in the journal.
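
Added example (not part of the original bug report or of any Red Hat tooling): a shell function that pulls the SELinux types the kernel reported as "not valid (left unmapped)" out of log text and counts them, so the result can be compared with the unlabeled_t files found in step 5 of the reproducer. The function names and the last two sample log lines are constructed for illustration; the first three sample lines are the ones quoted in the description.

```shell
#!/bin/sh
# Added example: summarize SELinux contexts the loaded policy rejected.

# Sample input. Lines 1-3 are quoted from this report; lines 4-5 are
# constructed to show de-duplication and non-matching input.
sample_log() {
cat <<'EOF'
Jun 27 19:14:16 host-172-16-69-238 kernel: SELinux:  Context system_u:object_r:systemd_bootchart_exec_t:s0 is not valid (left unmapped).
Jun 27 19:15:37 host-172-16-69-238 kernel: SELinux:  Context system_u:object_r:systemd_bootchart_unit_file_t:s0 is not valid (left unmapped).
Jun 27 19:15:37 host-172-16-69-238 kernel: SELinux:  Context system_u:object_r:systemd_initctl_exec_t:s0 is not valid (left unmapped).
Jun 27 19:15:40 host-172-16-69-238 kernel: SELinux:  Context system_u:object_r:systemd_initctl_exec_t:s0 is not valid (left unmapped).
Jun 27 19:15:41 host-172-16-69-238 systemd[1]: Started Example Unit.
EOF
}

# Read log text on stdin; print "<type> <occurrences>" for every context
# the kernel could not map into the current policy, sorted by type.
unmapped_types() {
    awk '
        /SELinux:/ && /is not valid \(left unmapped\)/ {
            # The context is the field that follows the word "Context".
            for (i = 1; i < NF; i++) if ($i == "Context") ctx = $(i + 1)
            split(ctx, part, ":")      # user:role:type:level
            count[part[3]]++
        }
        END { for (t in count) print t, count[t] }
    ' | LC_ALL=C sort
}

# Run against the embedded sample so the script works offline.
sample_log | unmapped_types
```

On a live host the same function can read the kernel messages with `journalctl -k | unmapped_types`; each type it prints is one the running policy does not define, which is why files carrying that label show up as unlabeled_t.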
