Bug 1714600 - Mislabeled /dev, causing systemd to cascade crash
Summary: Mislabeled /dev, causing systemd to cascade crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On: 1467103
Blocks:
Reported: 2019-05-28 12:31 UTC by Michal Schorm
Modified: 2020-10-20 09:55 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-10-29 01:27:56 UTC
Type: Bug
Embargoed:



Description Michal Schorm 2019-05-28 12:31:09 UTC
The issue:
  the "/dev" isn't labeled correctly.

Results:
  for example: https://bugzilla.redhat.com/show_bug.cgi?id=1712935

---

Steps to reproduce:

1) partition a disk and mount it somewhere.
2) prepare /dev, /sys and /proc on the mounted location with "mkdir"
*)   ^^ that's where the directory gets a bad context ^^
3) try to install OS there (with "dnf --installroot=...  groupinstall core")
4) "touch /.autorelabel" on the mounted system
5) boot into that system, get it relabeled

6) the "/dev" wasn't relabeled. Because at the time of the relabeling, it was already mounted.

---

It's basically this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1411942
comments 31 & 35 describe a workaround

---

This bug still hasn't been touched:
  https://bugzilla.redhat.com/show_bug.cgi?id=1467103

---

Please swap to the correct component if necessary.

Comment 1 Petr Lautrbach 2019-08-06 07:57:25 UTC
You can skip 2)

# dnf --installroot /mnt --releasever 31 groupinstall core
# ls -ldZ /mnt/dev
drwxr-xr-x. 2 root root unconfined_u:object_r:mnt_t:s0 4096 Aug  6 09:44 /mnt/dev


Instead of 4) you can/should use `setfiles`:

# setfiles -v -F -r /mnt /mnt/etc/selinux/targeted/contexts/files/file_contexts /mnt/
...
Relabeled /mnt/dev from system_u:object_r:mnt_t:s0 to system_u:object_r:device_t:s0
Relabeled /mnt/dev/null from system_u:object_r:mnt_t:s0 to system_u:object_r:device_t:s0
...

Or selinux-policy could allow systemd/init_t to mount on unlabeled_fs mountpoint:

type=PROCTITLE msg=audit(08/06/2019 09:21:35.063:282) : proctitle=(ls)
type=PATH msg=audit(08/06/2019 09:21:35.063:282) : item=0 name=/run/systemd/unit-root/dev inode=262158 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/06/2019 09:21:35.063:282) : cwd=/ 
type=SYSCALL msg=audit(08/06/2019 09:21:35.063:282) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x7fff7d635270 a1=0x5643d27e5c10 a2=0x0 a3=MS_MOVE items=1 ppid=1 pid=1512 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(ls) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(08/06/2019 09:21:35.063:282) : avc:  denied  { mounton } for  pid=1512 comm=(ls) path=/run/systemd/unit-root/dev dev="vda3" ino=262158 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
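
An added check, not from the bug thread, that covers both the reproducer in the description and the setfiles workaround above: it parses `ls -ldZ` output for the /dev, /sys and /proc mountpoints under an installroot, reports any whose SELinux type is not what the policy expects, and prints the setfiles command from comment 1 for review. The expected types are assumptions: device_t for /dev is what the thread shows; sysfs_t and proc_t are taken from the usual targeted-policy file_contexts.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the pseudo-filesystem
# mountpoints inside a dnf --installroot tree for the SELinux type the
# policy expects, and point to the setfiles relabel from comment 1.
# Expected types are assumptions: device_t for /dev is what the thread
# shows; sysfs_t for /sys and proc_t for /proc are taken from the
# usual targeted-policy file_contexts.

# Print the SELinux type (third colon-separated field of the context)
# found in one line of `ls -ldZ` output, e.g. "mnt_t" or "device_t".
label_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:object_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Compare one `ls -ldZ` line against the expected type.  Returns 0 and
# prints "OK <path> (<type>)" on a match; returns 1 and prints a
# MISLABELED line otherwise, so callers can drive a relabel step.
check_mountpoint() {
    line=$1; expected=$2
    path=$(printf '%s\n' "$line" | awk '{ print $NF }')
    actual=$(label_type "$line")
    if [ "$actual" = "$expected" ]; then
        echo "OK $path ($actual)"
        return 0
    fi
    echo "MISLABELED $path: $actual (expected $expected)"
    return 1
}

# Check /dev, /sys and /proc under an installroot on a live SELinux host
# (needs root).  On any mismatch it prints, but does not run, the
# setfiles command from comment 1 so the operator can review it first.
audit_installroot() {
    root=$1; rc=0
    for entry in dev:device_t sys:sysfs_t proc:proc_t; do
        sub=${entry%%:*}; want=${entry#*:}
        check_mountpoint "$(ls -ldZ "$root/$sub")" "$want" || rc=1
    done
    if [ "$rc" -ne 0 ]; then
        echo "relabel with: setfiles -v -F -r $root" \
             "$root/etc/selinux/targeted/contexts/files/file_contexts $root/"
    fi
    return $rc
}

# Usage on a real host:  audit_installroot /mnt
```

Run it before the first boot of the installed tree, since once /dev is mounted over the mislabeled directory the autorelabel pass no longer sees it.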

Comment 2 Lukas Vrabec 2019-08-06 16:31:46 UTC
Hi Michal, 

I tried to reproduce it today, and it is working well for me: 

# cd /mnt
# mkdir sys proc dev
# ls -Z /mnt
staff_u:object_r:mnt_t:s0 dev   staff_u:object_r:mnt_t:s0 sys
staff_u:object_r:mnt_t:s0 proc  staff_u:object_r:mnt_t:s0 var

# dnf --installroot=/mnt --releasever 30 groupinstall core
...
...
Complete!

# ls -ldZ /mnt/dev
drwxr-xr-x. 2 root root system_u:object_r:device_t:s0 4096 Aug  6 10:23 /mnt/dev

So /mnt/dev has the correct SELinux label "device_t". Am I missing something from the description of how to reproduce it? 

Thanks,
Lukas.

Comment 3 Lukas Vrabec 2019-09-03 10:26:02 UTC
commit b313a79dbfd2fba545e00f31aa53d29c6f2b2722
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 13 17:36:11 2019 +0200

    Allow systemd to relabel all files on system.
    
    Resolves: #270

This is fixed on Fedora 31+

Comment 4 Fedora Update System 2019-10-22 19:32:43 UTC
FEDORA-2019-7ef1fde499 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

Comment 5 Fedora Update System 2019-10-23 15:44:42 UTC
selinux-policy-3.14.4-38.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

Comment 6 Fedora Update System 2019-10-26 16:59:30 UTC
FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 7 Fedora Update System 2019-10-27 04:02:55 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 8 Fedora Update System 2019-10-29 01:27:56 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

