While testing FEDORA-2017-8225c4e502[0], I found that the new SELinux policy was preventing the 'rhel-push-plugin' socket from starting with an AVC denial.

I was using an F27 Atomic Host on the 'testing' branch and replaced the existing 'selinux-policy' with 'rpm-ostree override replace':

# rpm-ostree status
State: idle
Deployments:
● fedora-atomic:fedora/27/x86_64/testing/atomic-host
                   Version: 27.30 (2017-12-12 15:21:57)
                    Commit: 2575b3a0c66897d1ba10a4294a54f2e70eae16f133fd40d7883d8a1ff95430ed
              GPGSignature: Valid signature by 860E19B0AFA800A1751881A6F55E7430F5282EE4

# rpm-ostree override replace selinux-policy-3.13.1-283.18.fc27.noarch.rpm selinux-policy-targeted-3.13.1-283.18.fc27.noarch.rpm
Migrating pkgcache... 0 done
Checking out tree 2575b3a... done
Enabled rpm-md repositories: updates fedora
Updating metadata for 'updates': [===============================] 100%
rpm-md repo 'updates'; generated: 2017-12-12 11:01:29
Updating metadata for 'fedora': [==================================] 100%
rpm-md repo 'fedora'; generated: 2017-11-05 05:51:47
Importing metadata [=============================] 100%
Resolving dependencies... done
Applying 2 overrides... done
Running pre scripts... 1 done
Running post scripts... 5 done
Writing rpmdb... done
Writing OSTree commit... done
Copying /etc changes: 20 modified, 0 removed, 54 added
Transaction complete; bootconfig swap: yes deployment count change: 0
Upgraded:
  selinux-policy 3.13.1-283.17.fc27 -> 3.13.1-283.18.fc27
  selinux-policy-targeted 3.13.1-283.17.fc27 -> 3.13.1-283.18.fc27
Run "systemctl reboot" to start a reboot

# systemctl reboot
[...wait for host...]

# rpm-ostree status
State: idle
Deployments:
● fedora-atomic:fedora/27/x86_64/testing/atomic-host
                   Version: 27.30 (2017-12-12 15:21:57)
                BaseCommit: 2575b3a0c66897d1ba10a4294a54f2e70eae16f133fd40d7883d8a1ff95430ed
              GPGSignature: Valid signature by 860E19B0AFA800A1751881A6F55E7430F5282EE4
      ReplacedBasePackages: selinux-policy-targeted selinux-policy 3.13.1-283.17.fc27 -> 3.13.1-283.18.fc27

  fedora-atomic:fedora/27/x86_64/testing/atomic-host
                   Version: 27.30 (2017-12-12 15:21:57)
                    Commit: 2575b3a0c66897d1ba10a4294a54f2e70eae16f133fd40d7883d8a1ff95430ed
              GPGSignature: Valid signature by 860E19B0AFA800A1751881A6F55E7430F5282EE4

# systemctl status rhel-push-plugin.socket
● rhel-push-plugin.socket - Docker Block RHEL push plugin Socket for the API
   Loaded: loaded (/usr/lib/systemd/system/rhel-push-plugin.socket; disabled; vendor preset: disabled)
   Active: failed (Result: resources)
     Docs: man:rhel-push-plugin(8)
   Listen: /run/docker/plugins/rhel-push-plugin.sock (Stream)

Dec 13 15:55:21 micah-f27ah-vm1211a.localdomain systemd[1]: rhel-push-plugin.socket: Failed to listen on sockets: Permission denied
Dec 13 15:55:21 micah-f27ah-vm1211a.localdomain systemd[1]: Failed to listen on Docker Block RHEL push plugin Socket for the API.
Dec 13 15:55:21 micah-f27ah-vm1211a.localdomain systemd[1]: rhel-push-plugin.socket: Unit entered failed state.

# journalctl -b | grep 'avc: denied'
Dec 13 15:55:21 micah-f27ah-vm1211a.localdomain audit[1]: AVC avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

[0] https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
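The reproduction above ends with a single AVC line, and the rest of the thread turns on what that line says: pid 1 (init_t) is refused 'create' on a unix_stream_socket labeled unconfined_service_t, the domain systemd computed for the service behind the socket unit from the label of its executable. The script below is an added triage example, not code from the bug report, from Fedora, or from any projectatomic package. It reduces AVC lines copied from 'journalctl' to the fields that matter, prints the allow rule audit2allow would generate (to compare against the shipped policy, not to apply blindly), and, only where 'matchpathcon' and the binary exist, compares the plugin binary's actual and expected labels. The sample input is constructed: the first line is the denial quoted above, the second is invented with a made-up 'myplugin_t' domain to show a multi-permission file denial; the default binary path /usr/libexec/docker/rhel-push-plugin is an assumption taken from the socket unit's name.

```shell
#!/bin/sh
# Added triage helper; not part of the bug report or of any Fedora package.
# Reads AVC lines as printed by 'journalctl -b | grep "avc: denied"' and
# reduces each to: permission, source type, target type, object class, comm.

# Constructed sample input: line 1 is the denial from the report above,
# line 2 is invented (domain 'myplugin_t') to show a multi-permission denial.
AVC_SAMPLE='Dec 13 15:55:21 host audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Dec 13 15:55:22 host audit[1234]: AVC avc:  denied  { read open } for  pid=1234 comm="myplugin" name="plugin.json" dev="vda1" ino=4242 scontext=system_u:system_r:myplugin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# avc_summary: stdin -> one line per denial, '|'-separated:
#   perm|source_type|target_type|class|comm
avc_summary() {
    awk '
    /avc: +denied/ {
        perm = ""; comm = ""; src = ""; tgt = ""; cls = ""
        # permissions sit between braces, e.g. "{ read open }"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            # the type is the third colon-separated field of a context
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        printf "%s|%s|%s|%s|%s\n", perm, src, tgt, cls, comm
    }'
}

# avc_allow_rules: stdin -> the allow rule that would silence each denial,
# the same shape audit2allow emits. For comparison with the shipped policy
# only: an init_t -> unconfined_service_t socket denial usually means the
# service binary is not labeled as the policy expects, not that the policy
# needs this rule.
avc_allow_rules() {
    avc_summary | awk -F'|' '{
        p = $1
        if (index(p, " ")) p = "{ " p " }"
        printf "allow %s %s:%s %s;\n", $2, $3, $4, p
    }'
}

# check_exe_label: on an SELinux host, compare the label the plugin binary
# carries with what the file contexts say it should have. systemd labels a
# socket unit's listener with the domain the service would run in, so a
# wrong binary label shows up as an unexpected tcontext in the AVC.
# Assumed default path; skips itself when the tools or the file are absent.
check_exe_label() {
    exe=${1:-/usr/libexec/docker/rhel-push-plugin}
    if command -v matchpathcon >/dev/null 2>&1 && [ -e "$exe" ]; then
        printf 'actual:   %s\n' "$(ls -Z "$exe")"
        printf 'expected: %s\n' "$(matchpathcon "$exe")"
    else
        echo "check_exe_label: skipped (no matchpathcon or no $exe)" >&2
    fi
}

printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_allow_rules
check_exe_label
```

On a live host, replace the sample with 'journalctl -b | grep "avc: denied" | avc_summary'; if the generated rule names a process domain such as unconfined_service_t as the target of a socket created by pid 1, check the binary's label before considering any local policy module.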
This appears to be Atomic Host specific. I upgraded a Fedora 27 Cloud system to the latest in 'updates-testing' and then installed the offending 'selinux-policy' package, but did not observe any issues.

# cat /etc/os-release
NAME=Fedora
VERSION="27 (Cloud Edition)"
ID=fedora
VERSION_ID=27
PRETTY_NAME="Fedora 27 (Cloud Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:27"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=27
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=27
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Cloud Edition"
VARIANT_ID=cloud

# systemctl status rhel-push-plugin.socket
● rhel-push-plugin.socket - Docker Block RHEL push plugin Socket for the API
   Loaded: loaded (/usr/lib/systemd/system/rhel-push-plugin.socket; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-12-13 16:24:12 UTC; 38s ago
     Docs: man:rhel-push-plugin(8)
   Listen: /run/docker/plugins/rhel-push-plugin.sock (Stream)

Dec 13 16:24:12 micah-f27cloud-vm1213a.localdomain systemd[1]: Listening on Docker Block RHEL push plugin Socket for the API.

# journalctl -b | grep 'avc: denied'

# rpm -q docker docker-rhel-push-plugin selinux-policy selinux-policy-targeted
docker-1.13.1-44.git584d391.fc27.x86_64
docker-rhel-push-plugin-1.13.1-44.git584d391.fc27.x86_64
selinux-policy-3.13.1-283.18.fc27.noarch
selinux-policy-targeted-3.13.1-283.18.fc27.noarch
Might be related to the 'rpm-ostree override replace' problem here - https://github.com/projectatomic/rpm-ostree/issues/1145
Dan, I have no idea what rhel-push-plugin is, but it looks like it's connected to docker. We should label it somehow. Is it possible to do it in the docker policy?

Thanks,
Lukas.
ls -lZ /usr/libexec/docker/rhel-push-plugin
I think this was a side-effect of using 'rpm-ostree override replace' to update 'selinux-policy' on Atomic Host, as mentioned in comment #2. I'm unable to reproduce this on the Fedora Rawhide Atomic Host or the latest Fedora 27 Testing Atomic Host.