In the most recent Rawhide compose, the openQA Cockpit test fails; trying to access Cockpit in the browser shows an 'Internal Server Error' message:

https://openqa.fedoraproject.org/tests/133144#step/server_cockpit_default/21

Looking at the logs, this appears to be caused by multiple 'map' denials:

Aug 22 14:03:08 localhost.localdomain systemd[1]: Started Cockpit Web Service.
Aug 22 14:03:08 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 22 14:03:08 localhost.localdomain cockpit-ws[1794]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=8839810 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/login.min.html" dev="dm-0" ino=8839801 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain cockpit-ws[1794]: Failed to map /usr/share/cockpit/static/login.po.html' /usr/share/cockpit/static/login.po.html': mmap() failed: Permission denied
Aug 22 14:03:08 localhost.localdomain cockpit-ws[1794]: Failed to map /usr/share/cockpit/static/login.min.html' /usr/share/cockpit/static/login.min.html': mmap() failed: Permission denied
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Regular-webfont.woff" dev="dm-0" ino=12724528 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Light-webfont.woff" dev="dm-0" ino=12724526 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=12971895 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=12971895 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

This is a clear Fedora 27 Beta blocker (I'm 99.9% sure the same bug will affect F27, just F27 composes are failing at present so we don't have any test results from recent F27), per Alpha criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (9090)." - https://fedoraproject.org/wiki/Fedora_27_Alpha_Release_Criteria#Cockpit_management_interface
Note for Cockpit folks: just CCing you on this for information. SELinux has added a new 'map' permission recently, and we're getting tons of denials for it, breaking all kinds of stuff.
Discussed during blocker review [1]: AcceptedBlocker (Beta) - clear violation of Alpha criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (9090)"

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-09-04/
Cockpit still fails to start with selinux-policy-3.13.1-277.fc27, with these denials:

Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=4573538 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/login.min.html" dev="dm-0" ino=4573529 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Regular-webfont.woff" dev="dm-0" ino=8560638 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/cockpit/static/fonts/OpenSans-Light-webfont.woff" dev="dm-0" ino=8560636 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Sep 03 14:36:52 localhost.localdomain audit[1715]: AVC avc: denied { map } for pid=1715 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=4558008 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
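Added example, not part of the original report or of any Fedora tooling: a small triage script that parses AVC records like the ones quoted in this bug and collapses them by (source type, target type, class, permission), which shows that every denial here is the same access vector, cockpit_ws_t mapping usr_t files. The helper names (parse_avc, selinux_type, summarize) are illustrative, and the sample input is a subset of the Aug 22 log lines from the first comment.

```python
import re
from collections import defaultdict

# Sample input: one non-AVC line and three AVC records from the report above.
SAMPLE = '''\
Aug 22 14:03:08 localhost.localdomain systemd[1]: Started Cockpit Web Service.
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/cockpit/static/login.po.html" dev="dm-0" ino=8839810 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=12971895 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Aug 22 14:03:08 localhost.localdomain audit[1794]: AVC avc: denied { map } for pid=1794 comm="cockpit-ws" path="/usr/share/icons/hicolor/16x16/apps/fedora-logo-icon.png" dev="dm-0" ino=12971895 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
'''

# "avc: denied { perm ... } for key=value ..." with optionally quoted values.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record: not enough to classify
    fields['perms'] = m.group('perms').split()
    return fields

def selinux_type(context):
    """user:role:type:level -> type"""
    return context.split(':')[2]

def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {'count': 0, 'paths': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']),
                   rec['tclass'], perm)
            groups[key]['count'] += 1
            groups[key]['paths'].add(rec.get('path', '?'))
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt, cls, perm), info in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {perm} }}  x{info['count']}  {sorted(info['paths'])}")
```
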
selinux-policy-3.13.1-279.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bf736ee273
selinux-policy-3.13.1-280.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e
selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e
selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.