Bug 1574649 - Creation of cgroup in /etc/cgconfig.cfg failing at boot; AVC denial
Summary: Creation of cgroup in /etc/cgconfig.cfg failing at boot; AVC denial
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-03 18:45 UTC by rhbzla
Modified: 2019-02-20 08:08 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.1-29.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-26 20:45:31 UTC
Type: Bug


Attachments (Terms of Use)
/etc/cgconfig.conf settings (266 bytes, text/plain)
2018-05-03 18:45 UTC, rhbzla
no flags Details

Description rhbzla 2018-05-03 18:45:23 UTC
Created attachment 1430852 [details]
/etc/cgconfig.conf settings

Description of problem: After upgrading from Fedora 27 to 28, the cgroup set up in /etc/cgconfig.conf is failing to be created on boot (cgconfig.service error status 87).

sudo systemctl status -n40 cgconfig.service shows the following output:

● cgconfig.service - Control Group configuration service
   Loaded: loaded (/usr/lib/systemd/system/cgconfig.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2018-05-03 13:43:15 EDT; 4min 25s ago
  Process: 815 ExecStart=/usr/sbin/cgconfigparser -l /etc/cgconfig.conf -s 1664 (code=exited, status=87)
 Main PID: 815 (code=exited, status=87)

May 03 13:43:25 fedora cgconfigparser[735]: /usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup, operation not allowed
May 03 13:43:03 fedora systemd[1]: cgconfig.service: Main process exited, code=exited, status=87/n/a
May 03 13:43:03 fedora systemd[1]: cgconfig.service: Failed with result 'exit-code'.
May 03 13:43:03 fedora systemd[1]: Failed to start Control Group configuration service.
May 03 13:43:25 fedora cgconfigparser[812]: /usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup, operation not allowed
May 03 13:43:25 fedora cgconfigparser[815]: /usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup, operation not allowed
May 03 13:43:15 fedora systemd[1]: Starting Control Group configuration service...
May 03 13:43:15 fedora systemd[1]: cgconfig.service: Main process exited, code=exited, status=87/n/a
May 03 13:43:15 fedora systemd[1]: cgconfig.service: Failed with result 'exit-code'.
May 03 13:43:15 fedora systemd[1]: Failed to start Control Group configuration service.
May 03 13:43:15 fedora systemd[1]: Starting Control Group configuration service...
May 03 13:43:15 fedora systemd[1]: cgconfig.service: Main process exited, code=exited, status=87/n/a
May 03 13:43:15 fedora systemd[1]: cgconfig.service: Failed with result 'exit-code'.
May 03 13:43:15 fedora systemd[1]: Failed to start Control Group configuration service.



I also notice the following AVC denial errors at around the same time:

May 03 13:43:15 fedora audit[815]: AVC avc:  denied  { dac_override } for  pid=815 comm="cgconfigparser" capability=1  scontext=system_u:system_r:cgconfig_t:s0 tcontext=system_u:system_r:cgconfig_t:s0 tclass=capability permissive=0


How reproducible: Every boot


Steps to Reproduce:
1. Create a cgroup that is owned by non root in /etc/cgconfig.conf (see attached cgconfig.conf)
2. Reboot
3. Appears to fail due to SELinux

Actual results: Cgroup not being created


Expected results: Cgroup to be created


Additional info: I found that if I run the process mentioned in cgconfig.service manually (/usr/sbin/cgconfigparser -l /etc/cgconfig.conf -s 1664) in a terminal as the normal user (not root), I get the same "Cgroup, operation not allowed) error. However, if I run it as root (sudo /usr/sbin/cgconfigparser -l /etc/cgconfig.conf -s 1664), the cgroup gets created with no errors.

Comment 1 Fedora Update System 2018-05-24 14:37:59 UTC
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 2 Fedora Update System 2018-05-25 18:43:44 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 3 Fedora Update System 2018-05-26 20:45:31 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Ondrej Mosnacek 2019-02-20 08:08:39 UTC
Removing the aliases since they are apparently misused here. For example, adding alias 'selinux' means the bug is accessible via 'https://bugzilla.redhat.com/show_bug.cgi?id=selinux'. Also when you search for 'selinux', you get redirected directly to this bug, which is confusing.


Note You need to log in before you can comment on or make changes to this bug.