Bug 1574372 - selinux: dhclient fails to run on updated qcow2 image
Summary: selinux: dhclient fails to run on updated qcow2 image
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-05-03 07:23 UTC by Bruno Goncalves
Modified: 2018-05-03 09:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-03 09:00:35 UTC
Type: Bug


Attachments
cloud-init.iso (364.00 KB, application/octet-stream), 2018-05-03 07:24 UTC, Bruno Goncalves
all denied messages (23.90 KB, text/plain), 2018-05-03 07:28 UTC, Bruno Goncalves

Description Bruno Goncalves 2018-05-03 07:23:03 UTC
Description of problem:
After installing a package into the qcow2 image, dhclient fails to run.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-16.fc29.noarch

How reproducible:
100%

Steps to Reproduce:
1. Download qcow2 image
# wget https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Cloud/x86_64/images/Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2

# /usr/bin/qemu-system-x86_64 -cpu host -m 1024 Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2 -enable-kvm -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp:127.0.0.3:2222-:22 -device virtio-rng-pci -rtc base=utc -device isa-serial,chardev=pts2 -chardev file,id=pts2,path=image.log

2. In a different terminal, check image.log
# tail -f image.log

[   13.085798] cloud-init[754]: Cloud-init v. 17.1 running 'init' at Thu, 03 May 2018 06:49:04 +0000. Up 12.35 seconds.
[   13.087203] cloud-init[754]: ci-info: +++++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++++
[   13.088555] cloud-init[754]: ci-info: +--------+------+-----------+---------------+-------+-------------------+
[   13.089995] cloud-init[754]: ci-info: | Device |  Up  |  Address  |      Mask     | Scope |     Hw-Address    |
[   13.091491] cloud-init[754]: ci-info: +--------+------+-----------+---------------+-------+-------------------+
[   13.093044] cloud-init[754]: ci-info: | eth0:  | True | 10.0.2.15 | 255.255.255.0 |   .   | 52:54:00:12:34:56 |
[   13.094605] cloud-init[754]: ci-info: | eth0:  | True |     .     |       .       |   d   | 52:54:00:12:34:56 |
[   13.096114] cloud-init[754]: ci-info: |  lo:   | True | 127.0.0.1 |   255.0.0.0   |   .   |         .         |
[   13.097706] cloud-init[754]: ci-info: |  lo:   | True |     .     |       .       |   d   |         .         |
[   13.099207] cloud-init[754]: ci-info: +--------+------+-----------+---------------+-------+-------------------+
[   13.100712] cloud-init[754]: ci-info: +++++++++++++++++++++++++++Route IPv4 info++++++++++++++++++++++++++++
[   13.103121] cloud-init[754]: ci-info: +-------+-------------+----------+---------------+-----------+-------+
[   13.104831] cloud-init[754]: ci-info: | Route | Destination | Gateway  |    Genmask    | Interface | Flags |
[   13.106786] cloud-init[754]: ci-info: +-------+-------------+----------+---------------+-----------+-------+
[   13.109189] cloud-init[754]: ci-info: |   0   |   0.0.0.0   | 10.0.2.2 |    0.0.0.0    |    eth0   |   UG  |
[   13.110604] cloud-init[754]: ci-info: |   1   |   10.0.2.0  | 0.0.0.0  | 255.255.255.0 |    eth0   |   U   |
[   13.112078] cloud-init[754]: ci-info: +-------+-------------+----------+---------------+-----------+-------+


3. terminate /usr/bin/qemu-system-x86_64

4. Install a package into the qcow2 image
# virt-customize -a Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2 --run-command "dnf install -y nss-tools"

5. Bring VM back up again
#  /usr/bin/qemu-system-x86_64 -cpu host -m 1024 Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2 -enable-kvm -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp:127.0.0.3:2222-:22 -device virtio-rng-pci -rtc base=utc -device isa-serial,chardev=pts2 -chardev file,id=pts2,path=image.log

6. check image.log
[   10.376120] cloud-init[646]: Cloud-init v. 17.1 running 'init' at Thu, 03 May 2018 06:56:18 +0000. Up 9.63 seconds.
[   10.377602] cloud-init[646]: ci-info: +++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++
[   10.378775] cloud-init[646]: ci-info: +--------+------+-----------+-----------+-------+-------------------+
[   10.379908] cloud-init[646]: ci-info: | Device |  Up  |  Address  |    Mask   | Scope |     Hw-Address    |
[   10.381162] cloud-init[646]: ci-info: +--------+------+-----------+-----------+-------+-------------------+
[   10.382526] cloud-init[646]: ci-info: | eth0:  | True |     .     |     .     |   .   | 52:54:00:12:34:56 |
[   10.384089] cloud-init[646]: ci-info: | eth0:  | True |     .     |     .     |   d   | 52:54:00:12:34:56 |
[   10.385495] cloud-init[646]: ci-info: |  lo:   | True | 127.0.0.1 | 255.0.0.0 |   .   |         .         |
[   10.386899] cloud-init[646]: ci-info: |  lo:   | True |     .     |     .     |   d   |         .         |
[   10.388447] cloud-init[646]: ci-info: +--------+------+-----------+-----------+-------+-------------------+


7. eth0 does not get an IP address

8. From the QEMU window it is possible to log in to the server
user root and password is foobar
check for AVC denied messages in /var/log/audit/audit.log
disable SELinux
# setenforce 0
run dhclient manually
# dhclient


9. Now it is possible to log in to the server with ssh
# ssh -p 2222 root@127.0.0.3
# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1525331562.483:81): avc:  denied  { read } for  pid=398 comm="audispd" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.581:83): avc:  denied  { unlink } for  pid=394 comm="ldconfig" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.626:85): avc:  denied  { map } for  pid=406 comm="systemd-update-" path="/etc/ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.772:90): avc:  denied  { map } for  pid=429 comm="systemd-update-" path="/etc/ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.835:93): avc:  denied  { read } for  pid=430 comm="sshd-keygen" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.849:94): avc:  denied  { read } for  pid=432 comm="rm" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.849:95): avc:  denied  { open } for  pid=431 comm="dbus-daemon" path="/etc/ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
<snip>
type=AVC msg=audit(1525331565.805:138): avc:  denied  { read } for  pid=651 comm="ip" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331565.815:139): avc:  denied  { read } for  pid=654 comm="dhclient" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Actual results:
dhclient: error while loading shared libraries: libirs-export.so.160: cannot open shared object file: No such file or directory

Expected results:
dhclient should run and the server should boot with an IP address

Additional info:
** Workaround: disable SELinux
# virt-customize -a Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2 --run-command "sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux"

Comment 1 Bruno Goncalves 2018-05-03 07:24:34 UTC
Created attachment 1430503 [details]
cloud-init.iso

cloud-init.iso file used with /usr/bin/qemu-system-x86_64

Comment 2 Bruno Goncalves 2018-05-03 07:28:53 UTC
Created attachment 1430515 [details]
all denied messages

All denied messages from /var/log/audit/audit.log, including the ones after disabling SELinux.

Comment 3 Bruno Goncalves 2018-05-03 09:00:35 UTC
Closing it as not a bug, as I should use virt-customize with the --selinux-relabel option.
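The denials above all share one signature: the target is `unlabeled_t` and the same inode (`/etc/ld.so.cache`) is refused to many unrelated domains (audisp_t, ldconfig_t, init_t, dhcpc_t, ...). That is the fingerprint of files written while SELinux was not active (here by virt-customize without --selinux-relabel), not of a missing policy rule. The following added example, not code from the report or from the selinux-policy project, parses audit.log AVC records and applies that heuristic; the sample contains two lines copied from the report plus one constructed, unrelated denial, and the `min_domains` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records copied from the report plus one
# made-up, unrelated denial so the filter has something to ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1525331562.483:81): avc:  denied  { read } for  pid=398 comm="audispd" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331565.815:139): avc:  denied  { read } for  pid=654 comm="dhclient" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331570.100:150): avc:  denied  { write } for  pid=700 comm="httpd" name="index.html" dev="sda1" ino=999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one audit.log AVC line into a dict; None for non-AVC lines."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def ctx_type(ctx):
    """user:role:type:level -> type, the field policy rules are written against."""
    return ctx.split(":")[2]

def unlabeled_denials(lines):
    """Map each file denied as unlabeled_t to the set of source domains that hit it."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and ctx_type(rec["tcontext"]) == "unlabeled_t":
            obj = rec.get("path") or rec.get("name", "?")
            hits[(obj, rec.get("ino"))].add(ctx_type(rec["scontext"]))
    return hits

def looks_like_missing_relabel(lines, min_domains=2):
    """True when one unlabeled file is denied to several unrelated domains:
    the image was modified without a relabel (fix: virt-customize --selinux-relabel),
    rather than the policy lacking an allow rule. min_domains=2 is an assumed threshold."""
    return any(len(doms) >= min_domains for doms in unlabeled_denials(lines).values())

if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    for (obj, ino), doms in unlabeled_denials(lines).items():
        print(f"{obj} (ino {ino}) is unlabeled_t, denied to: {', '.join(sorted(doms))}")
    print("relabel needed:", looks_like_missing_relabel(lines))
```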

