Bug 1744027 - [downstream clone - 4.3.6] [RFE] Warn if SELinux is disabled when upgrading RHV-H
Summary: [downstream clone - 4.3.6] [RFE] Warn if SELinux is disabled when upgrading R...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: imgbased
Version: 4.3.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.3.6
Target Release: 4.3.6
Assignee: Yuval Turgeman
QA Contact: Yaning Wang
URL:
Whiteboard:
Depends On: 1724102
Blocks:
Reported: 2019-08-21 07:25 UTC by RHV bug bot
Modified: 2022-07-09 10:47 UTC (History)

Fixed In Version: imgbased-1.1.10
Doc Type: Enhancement
Doc Text:
Clone Of: 1724102
Environment:
Last Closed: 2019-10-10 15:37:21 UTC
oVirt Team: Node
Target Upstream Version:
Embargoed:
lsvaty: testing_plan_complete-



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3011 0 None None None 2019-10-10 15:37:37 UTC
oVirt gerrit 101483 0 None MERGED "osupdater: don't mount selinuxfs when not needed" 2019-11-13 06:07:52 UTC
oVirt gerrit 101614 0 None MERGED "osupdater: don't mount selinuxfs when not needed" 2019-11-13 06:07:52 UTC
oVirt gerrit 102486 0 None MERGED "update: warn if selinux is disabled" 2019-11-13 06:07:52 UTC
oVirt gerrit 102509 0 None MERGED "update: warn if selinux is disabled" 2019-11-13 06:07:52 UTC

Description RHV bug bot 2019-08-21 07:25:37 UTC
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1724102 +++
======================================================================

Description of problem:

If SELinux is disabled, the directory "selinux" will not be available under the sys filesystem.

===
~]# getenforce 
Disabled

~]# ls /sys/fs/selinux
ls: cannot access /sys/fs/selinux: No such file or directory
===

However, when imgbased tries to mount the selinuxfs, it will try to create the selinux directory under the sys filesystem. As per the logic, the mount point will be created by imgbased if the directory doesn't exist.

===
src/imgbased/plugins/osupdater.py

                    with utils.mounted("selinuxfs",
                                       target=new_fs.target +
                                       "/sys/fs/selinux",
                                       fstype="selinuxfs"):

src/imgbased/utils.py

        if not os.path.exists(self.target):
            self.run.call(["mkdir", "-p", self.target])

====


Since sysfs is not a writable filesystem, it will fail with the error "Operation not permitted" when it tries to create the directory "/sys/fs/selinux".

====

2019-06-21 12:30:05,018 [DEBUG] (run_rpm_selinux_post) Calling: (['mount', u'/dev/rhvh_md2-rhvn1/rhvh-4.3.0.8-0.20190610.0+1', u'/tmp/mnt.47yq9'],) {'close_fds': True, 'stderr': -2}
2019-06-21 12:30:06,190 [DEBUG] (run_rpm_selinux_post) Calling: (['mount', '-tsysfs', 'sys', u'/tmp/mnt.47yq9/sys'],) {'close_fds': True, 'stderr': -2}

2019-06-21 12:30:06,196 [DEBUG] (run_rpm_selinux_post) Calling binary: (['mkdir', '-p', u'/tmp/mnt.47yq9/sys/fs/selinux'],) {}
2019-06-21 12:30:06,196 [DEBUG] (run_rpm_selinux_post) Calling: (['mkdir', '-p', u'/tmp/mnt.47yq9/sys/fs/selinux'],) {'close_fds': True, 'stderr': -2}
2019-06-21 12:30:06,201 [DEBUG] (run_rpm_selinux_post) Exception! mkdir: cannot create directory '/tmp/mnt.47yq9/sys/fs/selinux': Operation not permitted

====

Version-Release number of selected component (if applicable):

imgbased-1.1.5-0.1.el7ev.noarch


How reproducible:

100%

Steps to Reproduce:

1. Disable SELinux in RHV-H and try to upgrade it.

Actual results:

Upgrading RHV-H will fail if SELinux is disabled on the server.

Expected results:

Upgrade should work.

Additional info:

(Originally by Nijin Ashok)
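The check the report calls for, as an added example and not imgbased's own code: decide whether selinuxfs may be mounted into the new image without ever running mkdir on the read-only sysfs, and warn when SELinux is disabled at runtime or persistently. The function names, the fake sysfs tree and the sample /etc/selinux/config text are assumptions constructed for this example.

```python
import logging
import os
import re
import tempfile

log = logging.getLogger("selinux-upgrade-check")

# /etc/selinux/config line that selects the persistent mode, e.g. "SELINUX=enforcing".
_MODE_RE = re.compile(r"^\s*SELINUX\s*=\s*(enforcing|permissive|disabled)\s*$", re.M)


def selinux_enabled(sysfs_root="/sys"):
    """Runtime state: the kernel exposes selinuxfs under <sysfs>/fs/selinux only
    when SELinux is enabled. With SELinux disabled the directory is absent."""
    return os.path.isdir(os.path.join(sysfs_root, "fs", "selinux"))


def configured_mode(config_text):
    """Persistent state parsed from /etc/selinux/config text; None if unset."""
    m = _MODE_RE.search(config_text)
    return m.group(1) if m else None


def plan_selinuxfs_mount(new_root, sysfs_root="/sys", config_text=""):
    """Return (mount_it, target). The target is never created here: sysfs is
    read-only, so 'mkdir -p' on it fails with 'Operation not permitted'."""
    target = os.path.join(new_root, "sys", "fs", "selinux")
    if configured_mode(config_text) == "disabled":
        log.warning("/etc/selinux/config sets SELINUX=disabled; RHV-H expects enforcing")
    if not selinux_enabled(sysfs_root):
        log.warning("SELinux is disabled at runtime; not mounting selinuxfs into %s", new_root)
        return False, target
    return True, target


def simulate(selinux_on, config_text=""):
    """Build a throwaway fake sysfs tree (constructed, not the real /sys) and run the check."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    if selinux_on:
        os.makedirs(os.path.join(root, "fs", "selinux"))
    return plan_selinuxfs_mount("/tmp/mnt.example", sysfs_root=root, config_text=config_text)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(simulate(False, "SELINUX=disabled\nSELINUXTYPE=targeted\n"))
    print(simulate(True, "SELINUX=enforcing\nSELINUXTYPE=targeted\n"))
```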

Comment 1 RHV bug bot 2019-08-21 07:25:40 UTC
Nijin, can you share the use case for having selinux disabled?

(Originally by Sandro Bonazzola)

Comment 2 RHV bug bot 2019-08-21 07:25:42 UTC
Asking because selinux should be enforcing there according to bug #1349241

(Originally by Sandro Bonazzola)

Comment 3 RHV bug bot 2019-08-21 07:25:43 UTC
Also, Nijin, is this a beta system? I see imgbased 1.1.5 but in RHV 4.3 GA we shipped 1.1.7 and upgrade from beta to GA is not supported.
That said, upgrade with selinux disabled should work since we fixed it in bug #1542833 so we need to reproduce on supported configuration.

(Originally by Sandro Bonazzola)

Comment 9 RHV bug bot 2019-08-21 07:25:54 UTC
(In reply to Sandro Bonazzola from comment #2)
> Asking because selinux should be enforcing there according to bug #1349241

I already asked the customer but didn't get a response. However, now we are trying to upgrade with SELinux enabled but getting some other errors which we are currently troubleshooting.

(In reply to Sandro Bonazzola from comment #3)
> Also, Nijin, is this a beta system? I see imgbased 1.1.5 but in RHV 4.3 GA
> we shipped 1.1.7 and upgrade from beta to GA is not supported.
> That said, upgrade with selinux disabled should work since we fixed it in
> bug #1542833 so we need to reproduce on supported configuration.

Sorry about that. Looks like I reproduced it on an old beta server. However, I just tried to upgrade from 4.2 to 4.3 and can clearly reproduce it with the mentioned reproducer steps. It fails when it tries to create the directory "/tmp/mnt.WHo1r/sys/fs/selinux". Attaching the imgbased.log.

(Originally by Nijin Ashok)

Comment 27 RHV bug bot 2019-08-21 07:26:28 UTC
Honestly a RHV-H should always have selinux in enforcing. If a customer disables it, upgrade *should* fail from my pov, as it really weakens security.
In addition there is no reason for disabling selinux.

So in case we don't fail the upgrade, we should ensure that we enable selinux (enforcing) at the very minimum. Every boot of a RHV-H system should automatically check if selinux is in enforcing and put it in enforcing in case it is not.

If customers want to run with less security they can still use a RHEL based installation. The RHV-H should not allow a setup with selinux disabled.

(Originally by Martin Tessun)

Comment 28 RHV bug bot 2019-08-21 07:26:30 UTC
The RHV Upgrade Helper (https://access.redhat.com/labs/rhvupgradehelper/) should call out SELinux status as a requirement. We cannot just fail an upgrade without giving customers the chance to remediate any issues.

(Originally by Peter Lauterbach)

Comment 30 Yaning Wang 2019-08-27 09:57:51 UTC
upgrade from 

rhvh-4.2.8.5-0.20190416.0

to

rhvh-4.3-20190821.0.el7_7

steps:

1. install rhvh 4.2
2. disable selinux
3. upgrade to rhvh 4.3

actual results:

upgrade is successful

Comment 32 errata-xmlrpc 2019-10-10 15:37:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3011
