Bug 1746413 - Revert selinux policy workaround for s390x systemd/dbus-broker issue (was: selinux blocks dbus-broker from starting)
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: s390x
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard: AcceptedFreezeException
: 1756912 (view as bug list)
Depends On: 1769148
Blocks: ZedoraTracker F31FinalFreezeException
 
Reported: 2019-08-28 12:18 UTC by Dan Horák
Modified: 2022-02-21 14:50 UTC
CC List: 19 users

Fixed In Version: selinux-policy-3.14.4-37.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-25 18:10:01 UTC
Type: Bug
Embargoed:


Attachments
test script (542 bytes, application/x-shellscript), 2019-09-19 13:55 UTC, Dan Horák


Links
System ID: IBM Linux Technology Center 181372; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2019-09-08 12:17:45 UTC

Description Dan Horák 2019-08-28 12:18:35 UTC
Description of problem:
I have installed Fedora-31-20190826.n.0 on a s390x machine. During boot the dbus-broker service fails to start with

Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1]: Starting D-Bus System Message Bus...
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1099]: dbus-broker.service: Failed to set up mount namespacing: /run/systemd/unit-root/dev: Permission denied
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1099]: dbus-broker.service: Failed at step NAMESPACE spawning /usr/bin/dbus-broker-launch: Permission denied
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1]: dbus-broker.service: Main process exited, code=exited, status=226/NAMESPACE
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1]: dbus-broker.service: Failed with result 'exit-code'.
Aug 28 08:08:43 devel7.s390.bos.redhat.com systemd[1]: Failed to start D-Bus System Message Bus.

Switching SELinux into permissive mode makes the problem go away.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-31.fc31.noarch

How reproducible:
100%

Steps to Reproduce:
1. install Fedora-31-20190826.n.0
2. reboot into new system

Actual results:
dbus-broker not started, breaking other services

Expected results:
dbus-broker started


Additional info:
Relabeling didn't help. There is already bug #1706451 with the same/similar symptoms. Automated testing is passing on eg. ppc64le, so it might be an arch specific issue.

Comment 1 Dan Horák 2019-08-28 13:19:55 UTC
Seems I experience the same issue also in a rawhide system that I've updated recently. Might be a change in the last 3 weeks ...

Comment 2 Lukas Vrabec 2019-08-28 14:17:44 UTC
Hi Dan, 

I tried to reproduce it with following versions:

selinux-policy-3.14.4-31.fc31.noarch
dbus-broker-21-6.fc31.x86_64

and  dbus-broker is working for me. 

# systemctl status dbus-broker
● dbus-broker.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus-broker.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-08-28 10:07:04 EDT; 1min 51s ago
     Docs: man:dbus-broker-launch(1)
 Main PID: 482 (dbus-broker-lau)
    Tasks: 2
   Memory: 3.1M
      CPU: 54ms
   CGroup: /system.slice/dbus-broker.service
           ├─482 /usr/bin/dbus-broker-launch --scope system --audit
           └─499 dbus-broker --log 4 --controller 9 --machine-id e4659f437b124fb38a91d9c5a156b0b7 --max-…

Aug 28 10:07:03 localhost.localdomain systemd[1]: Starting D-Bus System Message Bus...
Aug 28 10:07:04 localhost.localdomain systemd[1]: Started D-Bus System Message Bus.
Aug 28 10:07:04 localhost.localdomain dbus-broker-lau[482]: Ready
Aug 28 10:07:12 host-10-0-136-62 dbus-broker-launch[482]: Activation request for 'org.freedesktop.r…ound.
Hint: Some lines were ellipsized, use -l to show in full.


Did I miss anything from reproducer? 

Thanks,
Lukas.

Comment 3 Dan Horák 2019-08-28 14:38:07 UTC
Yes, seems it's a s390x specific issue, I haven't seen reports like that from any other arch.

Comment 4 Dan Horák 2019-08-28 14:57:46 UTC
So booting with previous kernel + initrd has no such issue. I'll give you access to the machines in question.

Comment 5 Dan Horák 2019-08-29 12:14:05 UTC
So I have tracked that to a change in systemd between 242 and 243rc. With latest kernel and selinux-policy things work when I downgrade to systemd 242. Both rawhide and F-31 are affected.

Comment 6 Zbigniew Jędrzejewski-Szmek 2019-08-30 06:30:58 UTC
> Relabeling didn't help.

Please see #1467103. Relabelling is not effective.

> There is already bug #1706451 with the same/similar symptoms.

Please note that #1706451 seems to be just another case of /dev mountpoint
on the root partition being mislabelled. This might be the same thing, but I don't
see why it'd trigger only with newer systemd. To check this, please disable dontaudit
rules, reproduce the problem, and report the AVCs.

> So I have tracked that to a change in systemd between 242 and 243rc.

I don't see anything obviously related (though there are ~2k commits between 242 and 243rc1, so
it's easy to miss something). Maybe it'll be easier to figure out with the AVCs.

Comment 7 Dan Horák 2019-08-30 08:15:00 UTC
I have retried with the Fedora-31-20190828.n.0 compose and the "dontaudit" rules disabled.
- state after installation and reboot - dbus-broker still not started as expected
- then logged in on the console and run "semodule -DB" and "systemctl start dbus-broker", which failed, this should be the 1st batch of AVCs
- then "setenforce 0" and another "systemctl start dbus-broker", which has been successful, this is the 2nd batch
- then fixing the ifcfg file (bug 1727904) with "echo FOO >> ifcfg", followed by "systemctl start NetworkManager", 3rd batch
- then log in over network with ssh

type=AVC msg=audit(1567151662.153:74): avc:  denied  { create } for  pid=1145 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151662.153:76): avc:  denied  { create } for  pid=1148 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151662.163:78): avc:  denied  { create } for  pid=1151 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151662.163:80): avc:  denied  { create } for  pid=1154 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151662.173:82): avc:  denied  { create } for  pid=1157 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567151841.603:138): avc:  denied  { create } for  pid=1237 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=0

type=AVC msg=audit(1567152101.123:141): avc:  denied  { create } for  pid=1291 comm="(r-launch)" name="ptmx" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:142): avc:  denied  { mounton } for  pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/ptmx" dev="tmpfs" ino=24182 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:143): avc:  denied  { create } for  pid=1291 comm="(r-launch)" name="null" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:144): avc:  denied  { mounton } for  pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/null" dev="tmpfs" ino=24189 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:145): avc:  denied  { create } for  pid=1291 comm="(r-launch)" name="zero" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:146): avc:  denied  { mounton } for  pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/zero" dev="tmpfs" ino=24191 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:147): avc:  denied  { create } for  pid=1291 comm="(r-launch)" name="random" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:148): avc:  denied  { mounton } for  pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/random" dev="tmpfs" ino=24195 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:149): avc:  denied  { create } for  pid=1291 comm="(r-launch)" name="urandom" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:150): avc:  denied  { mounton } for  pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/urandom" dev="tmpfs" ino=24197 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:151): avc:  denied  { create } for  pid=1291 comm="(r-launch)" name="tty" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devtty_t:s0 tclass=file permissive=1
type=AVC msg=audit(1567152101.123:152): avc:  denied  { mounton } for  pid=1291 comm="(r-launch)" path="/tmp/namespace-dev-lWM0jQ/dev/tty" dev="tmpfs" ino=24199 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devtty_t:s0 tclass=file permissive=1

type=AVC msg=audit(1567152110.523:157): avc:  denied  { noatsecure } for  pid=1304 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152110.523:158): avc:  denied  { rlimitinh } for  pid=1304 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152110.523:159): avc:  denied  { siginh } for  pid=1304 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1

type=AVC msg=audit(1567152118.913:167): avc:  denied  { noatsecure } for  pid=1319 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152118.913:168): avc:  denied  { rlimitinh } for  pid=1319 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152118.913:169): avc:  denied  { siginh } for  pid=1319 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152228.343:179): avc:  denied  { siginh } for  pid=1327 comm="kill" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152237.313:187): avc:  denied  { noatsecure } for  pid=1330 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152237.313:188): avc:  denied  { rlimitinh } for  pid=1330 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152237.313:189): avc:  denied  { siginh } for  pid=1330 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1567152237.813:198): avc:  denied  { siginh } for  pid=1337 comm="unix_chkpwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1567152237.873:203): avc:  denied  { siginh } for  pid=1336 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1

Comment 8 Zbigniew Jędrzejewski-Szmek 2019-08-31 14:40:09 UTC
This is the code in https://github.com/systemd/systemd/blob/master/src/core/namespace.c#L628,
called from https://github.com/systemd/systemd/blob/master/src/core/namespace.c#L711.
There are two mknod's in that function. After the first one succeeds, the function returns.
So it can't be that one. After the second one succeeds, it goes on to do a bind mount, which
is consistent with getting that second error about 'mounton'.

There are pairs of 'create' and 'mounton'. I don't understand why there's just one failed 'create'
at the beginning. I'd expect to see an error from
https://github.com/systemd/systemd/blob/master/src/core/namespace.c#L614 too.

Can you run this under strace (strace -e process,file -f -p1)?

I get the following (on amd64):
[pid 68267] unshare(CLONE_NEWNS)        = 0
[pid 68267] mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) = 0
[pid 68267] mount("/", "/run/systemd/unit-root", NULL, MS_BIND|MS_REC, NULL) = 0
[pid 68267] openat(AT_FDCWD, "/proc/self/mountinfo", O_RDONLY|O_CLOEXEC) = 3
[pid 68267] openat(AT_FDCWD, "/", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(4, "run", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 68267] openat(5, "systemd", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(4, "unit-root", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 68267] openat(5, "boot", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(AT_FDCWD, "/run/systemd/unit-root", O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY) = 4
[pid 68267] name_to_handle_at(4, "boot", {handle_bytes=128 => 12, handle_type=129, f_handle=0x800000000000000000000000}, [344], 0) = 0
[pid 68267] name_to_handle_at(4, "", {handle_bytes=128 => 20, handle_type=77, f_handle=0x0001000000000000000100000000000006000000}, [312], AT_EMPTY_PATH) = 0
[pid 68267] openat(AT_FDCWD, "/", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(4, "run", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 68267] openat(5, "systemd", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] openat(4, "unit-root", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 68267] openat(5, "dev", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 68267] mkdir("/tmp/namespace-dev-anBWke", 0700) = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev", 0755) = 0
[pid 68267] mount("tmpfs", "/tmp/namespace-dev-anBWke/dev", "tmpfs", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME, "mode=755") = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/pts", 0755) = 0
[pid 68267] mount("/dev/pts", "/tmp/namespace-dev-anBWke/dev/pts", NULL, MS_BIND, NULL) = 0
[pid 68267] lstat("/dev/ptmx", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x5, 0x2), ...}) = 0
[pid 68267] stat("/dev/ptmx", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x5, 0x2), ...}) = 0
[pid 68267] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 68267] mknod("/tmp/namespace-dev-anBWke/dev/ptmx", S_IFCHR|0666, makedev(0x5, 0x2)) = 0
[pid 68267] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 68267] stat("/tmp/namespace-dev-anBWke/dev/char", 0x7ffe9f5b5f70) = -1 ENOENT (No such file or directory)
[pid 68267] mkdir("/tmp", 0755)         = -1 EEXIST (File exists)
[pid 68267] mkdir("/tmp/namespace-dev-anBWke", 0755) = -1 EEXIST (File exists)
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev", 0755) = -1 EEXIST (File exists)
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/char", 0755) = 0
[pid 68267] symlink("../ptmx", "/tmp/namespace-dev-anBWke/dev/char/5:2") = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/shm", 0755) = 0
[pid 68267] mount("/dev/shm", "/tmp/namespace-dev-anBWke/dev/shm", NULL, MS_BIND, NULL) = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/mqueue", 0755) = 0
[pid 68267] mount("/dev/mqueue", "/tmp/namespace-dev-anBWke/dev/mqueue", NULL, MS_BIND, NULL) = 0
[pid 68267] mkdir("/tmp/namespace-dev-anBWke/dev/hugepages", 0755) = 0
[pid 68267] mount("/dev/hugepages", "/tmp/namespace-dev-anBWke/dev/hugepages", NULL, MS_BIND, NULL) = 0
[pid 68267] symlink("/run/systemd/journal/dev-log", "/tmp/namespace-dev-anBWke/dev/log") = 0
[pid 68267] stat("/dev/null", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x1, 0x3), ...}) = 0
[pid 68267] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 68267] mknod("/tmp/namespace-dev-anBWke/dev/null", S_IFCHR|0666, makedev(0x1, 0x3)) = 0
...

Comment 9 Dan Horák 2019-09-03 09:01:01 UTC
This is the output for "systemctl restart dbus-broker" after "setenforce 1". I wonder if it could be related to kernel bug 1658675, probably not, as all arches were affected.

...
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = 57
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/pids.max", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 57
[pid     1] setxattr("/sys/fs/cgroup/system.slice/dbus-broker.service", "trusted.invocation_id", "9917b98b8f3e4857bc18f2fc17ca2193", 32, 0) = 0
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cpu.stat", O_RDONLY|O_CLOEXEC) = 57
[pid     1] symlink("9917b98b8f3e4857bc18f2fc17ca2193", "/run/systemd/units/.#invocation:dbus-broker.service050698ec9db6445f") = 0
[pid     1] rename("/run/systemd/units/.#invocation:dbus-broker.service050698ec9db6445f", "/run/systemd/units/invocation:dbus-broker.service") = 0
[pid     1] mkdir("/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f", 0700) = 0
[pid     1] mkdir("/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f/tmp", 01777) = 0
[pid     1] mkdir("/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi", 0700) = 0
[pid     1] mkdir("/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi/tmp", 01777) = 0
[pid     1] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x3ffaed69a20) = 13277
strace: Process 13277 attached
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 57
[pid     1] openat(AT_FDCWD, "/proc/13277/stat", O_RDONLY|O_CLOEXEC) = 57
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.events", O_RDONLY|O_CLOEXEC) = 57
[pid 13277] openat(AT_FDCWD, "/proc/self/fd", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 57
[pid 13277] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 3
[pid 13277] openat(AT_FDCWD, "/dev/null", O_RDONLY|O_NOCTTY) = 3
[pid     1] openat(AT_FDCWD, "/proc/909/cgroup", O_RDONLY|O_CLOEXEC) = 58
[pid 13277] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_NOCTTY|O_CLOEXEC) = 3
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 3
[pid 13277] mkdir("/run/systemd/unit-root", 0700) = -1 EEXIST (File exists)
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 3
[pid 13277] unshare(CLONE_NEWNS)        = 0
[pid 13277] mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) = 0
[pid 13277] mount("/", "/run/systemd/unit-root", NULL, MS_BIND|MS_REC, NULL) = 0
[pid 13277] openat(AT_FDCWD, "/proc/self/mountinfo", O_RDONLY|O_CLOEXEC) = 3
[pid 13277] openat(AT_FDCWD, "/", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(4, "run", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 13277] openat(5, "systemd", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(4, "unit-root", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 13277] openat(5, "boot", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(AT_FDCWD, "/run/systemd/unit-root", O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY) = 4
[pid 13277] name_to_handle_at(4, "boot", {handle_bytes=128 => 8, handle_type=1, f_handle=0x0000000200000000}, [209], 0) = 0
[pid 13277] name_to_handle_at(4, "", {handle_bytes=128 => 8, handle_type=1, f_handle=0x0000000200000000}, [188], AT_EMPTY_PATH) = 0
[pid 13277] openat(AT_FDCWD, "/", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(4, "run", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 13277] openat(5, "systemd", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] openat(4, "unit-root", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 5
[pid 13277] openat(5, "dev", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4
[pid 13277] mkdir("/tmp/namespace-dev-Wc1698", 0700) = 0
[pid 13277] mkdir("/tmp/namespace-dev-Wc1698/dev", 0755) = 0
[pid 13277] mount("tmpfs", "/tmp/namespace-dev-Wc1698/dev", "tmpfs", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME, "mode=755") = 0
[pid 13277] mkdir("/tmp/namespace-dev-Wc1698/dev/pts", 0755) = 0
[pid 13277] mount("/dev/pts", "/tmp/namespace-dev-Wc1698/dev/pts", NULL, MS_BIND, NULL) = 0
[pid 13277] lstat("/dev/ptmx", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x5, 0x2), ...}) = 0
[pid 13277] stat("/dev/ptmx", {st_mode=S_IFCHR|0666, st_rdev=makedev(0x5, 0x2), ...}) = 0
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] mknod("/tmp/namespace-dev-Wc1698/dev/ptmx", S_IFCHR|0666, makedev(0x5, 0x2)) = -1 EPERM (Operation not permitted)
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] mknod("/tmp/namespace-dev-Wc1698/dev/ptmx", S_IFREG|000) = -1 EACCES (Permission denied)
[pid 13277] openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 4
[pid 13277] umount2("/tmp/namespace-dev-Wc1698/dev/pts", 0) = 0
[pid 13277] umount2("/tmp/namespace-dev-Wc1698/dev", 0) = 0
[pid 13277] rmdir("/tmp/namespace-dev-Wc1698/dev") = 0
[pid 13277] rmdir("/tmp/namespace-dev-Wc1698") = 0
[pid 13277] exit_group(226)             = ?
[pid 13277] +++ exited with 226 +++
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.events", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/proc/13277/comm", O_RDONLY|O_CLOEXEC) = 58
[pid     1] waitid(P_ALL, 0, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=13277, si_uid=0, si_status=226, si_utime=0, si_stime=0}, WNOHANG|WEXITED|WNOWAIT, NULL) = 0
[pid     1] openat(AT_FDCWD, "/proc/13277/comm", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/proc/13277/cgroup", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/memory.events", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.threads", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.procs", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cgroup.threads", O_RDONLY|O_CLOEXEC) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service/cpu.stat", O_RDONLY|O_CLOEXEC) = 58
[pid     1] lstat("/sys/fs/cgroup/system.slice/dbus-broker.service", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 58
[pid     1] newfstatat(58, "cgroup.events", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.events", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "io.pressure", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.procs", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.events.local", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.swap.current", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.swap.max", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.swap.events", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.max.descendants", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cpu.stat", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.pressure", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.current", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "pids.current", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.stat", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "pids.events", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.low", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cpu.pressure", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.type", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.stat", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.threads", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.freeze", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.min", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.controllers", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.oom.group", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.max", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "memory.high", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "pids.max", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.subtree_control", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] newfstatat(58, "cgroup.max.depth", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid     1] rmdir("/sys/fs/cgroup/system.slice/dbus-broker.service") = 0
[pid     1] openat(AT_FDCWD, "/sys/fs/cgroup/system.slice/dbus-broker.service", O_RDONLY|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
[pid     1] unlink("/run/systemd/units/invocation:dbus-broker.service") = 0
[pid     1] clone(child_stack=0x3ffad07efc0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[13278], tls=0x3ffad07f910, child_tidptr=0x3ffad07f9e0) = 13278
[pid     1] clone(child_stack=0x3ffac87dfc0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[13279], tls=0x3ffac87e910, child_tidptr=0x3ffac87e9e0) = 13279
[pid     1] waitid(P_PID, 13277, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=13277, si_uid=0, si_status=226, si_utime=0, si_stime=0}, WEXITED, NULL) = 0
[pid     1] waitid(P_ALL, 0, {}, WNOHANG|WEXITED|WNOWAIT, NULL) = 0
strace: Process 13278 attached
[pid 13278] newfstatat(AT_FDCWD, "/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f", strace: Process 13279 attached
{st_mode=S_IFDIR|0700, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 13278] newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 13278] openat(AT_FDCWD, "/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f", O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|O_DIRECTORY) = 21
[pid 13278] openat(21, "tmp", O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|O_DIRECTORY) = 22
[pid 13278] name_to_handle_at(21, "tmp", {handle_bytes=128 => 12, handle_type=1, f_handle=0x80cfabd60000cfc100000000}, [36], 0) = 0
[pid 13278] name_to_handle_at(21, "", {handle_bytes=128 => 12, handle_type=1, f_handle=0xf9e680ab0000cfc000000000}, [36], AT_EMPTY_PATH) = 0
[pid 13278] unlinkat(21, "tmp", AT_REMOVEDIR) = 0
[pid 13278] rmdir("/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-PMYn2f") = 0
[pid 13278] exit(0)                     = ?
[pid 13278] +++ exited with 0 +++
[pid     1] getxattr("/usr/lib/systemd/system/dbus-broker.service", "security.selinux", "system_u:object_r:systemd_unit_f"..., 255) = 41
[pid 13279] newfstatat(AT_FDCWD, "/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 13279] newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
[pid 13279] openat(AT_FDCWD, "/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi", O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|O_DIRECTORY) = 21
[pid 13279] openat(21, "tmp", O_RDONLY|O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_CLOEXEC|O_DIRECTORY) = 22
[pid 13279] name_to_handle_at(21, "tmp", {handle_bytes=128 => 8, handle_type=1, f_handle=0x000409a5d1b10451}, [58], 0) = 0
[pid 13279] name_to_handle_at(21, "", {handle_bytes=128 => 8, handle_type=1, f_handle=0x000409a09fee6aa7}, [58], AT_EMPTY_PATH) = 0
[pid 13279] unlinkat(21, "tmp", AT_REMOVEDIR) = 0
[pid 13279] rmdir("/var/tmp/systemd-private-37724470ed17488995bb8f80c623a16d-dbus-broker.service-W1jzTi") = 0
[pid 13279] exit(0)                     = ?
[pid 13279] +++ exited with 0 +++
[pid     1] openat(AT_FDCWD, "/proc/960/cgroup", O_RDONLY|O_CLOEXEC) = 20
[pid     1] openat(AT_FDCWD, "/proc/909/cgroup", O_RDONLY|O_CLOEXEC) = 20
[pid     1] openat(AT_FDCWD, "/proc/13270/cgroup", O_RDONLY|O_CLOEXEC) = 20

Comment 10 Dan Horák 2019-09-18 12:44:21 UTC
I wonder if we could replicate the mkdir/mount/mknod sequence in shell and reproduce the behaviour ...

Comment 11 Dan Horák 2019-09-19 13:55:33 UTC
Created attachment 1616747 [details]
test script

This script should reproduce the steps (based on the strace output) leading to the failed mknod() call, I hope I cloned all syscalls to tool calls correctly. But it doesn't as it is now.

Comment 12 Zbigniew Jędrzejewski-Szmek 2019-09-19 14:57:38 UTC
I have no idea why the denial occurs: the policy should be the same on all architectures. Anyway, let's reassign, since this is clearly caused by selinux denial.

Comment 13 Dan Horák 2019-09-20 09:14:31 UTC
One question can also be: what's so special about the dbus-broker service that it fails to start? For example, sshd has been started without an issue.

Comment 14 Dan Horák 2019-09-20 09:57:51 UTC
And the specialty is PrivateDevices=yes in the unit file, there are just few services with this setting.

Comment 15 Lukas Vrabec 2019-10-02 11:43:26 UTC
Hi All, 

Sorry for the late reply. I prepared a local policy for testing purposes, could somebody please test it?

1. Load following policy to the kernel: 

$ cat local_bz1746613.cil 
(allow init_t device_node (file (getattr create open mounton)))

# semodule -i local_bz1746613.cil

2. reproduce the scenario

Thanks,
Lukas.

Comment 16 Dan Horák 2019-10-02 11:59:51 UTC
I ran some tests with it and it fixes the problem. The local policy survives a reboot; this is expected, right?

The policy snippet looks logical to me, it gives systemd some permissions for managing device nodes. But do you have an idea why it worked until now and why only s390x was broken in F-31?

Comment 17 Lukas Vrabec 2019-10-02 14:42:03 UTC
Thanks for testing.

Well what is interesting is the class. Device nodes are files not block or char devices. Any idea why? 

Thanks,
Lukas.

Comment 18 Dan Horák 2019-10-02 15:03:11 UTC
I wonder if it has something to do with the namespaces ...
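The local policy from comment 15 is the kind of rule one derives from the AVC denials in the audit log, except that it grants the permissions against the device_node attribute (every device type at once) rather than against the concrete type a denial reports. Below is an added example, not code from this bug, from selinux-policy or from audit2allow: it parses AVC records into CIL allow rules and flags the permissions that deserve a second look before the module is loaded. The audit lines are constructed for the example; they use the four permissions and the file class from comment 15 against concrete device types such as null_device_t, because a real AVC record names a type, not an attribute.

```python
"""Turn SELinux AVC denials into minimal CIL allow rules and flag broad grants.

Added example, not code from this bug, from selinux-policy or from audit2allow.
The audit records below are constructed: they carry the permissions and class
from the comment 15 rule (getattr, create, open, mounton on class file, source
init_t) against concrete device types, the way a real denial would report them.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1568900000.101:201): avc:  denied  { create } for  pid=1234 comm="(dbus-brok)" name="null" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=0
type=AVC msg=audit(1568900000.102:202): avc:  denied  { getattr open } for  pid=1234 comm="(dbus-brok)" path="/dev/null" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=0
type=AVC msg=audit(1568900000.103:203): avc:  denied  { mounton } for  pid=1234 comm="(dbus-brok)" path="/dev/null" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file permissive=0
type=AVC msg=audit(1568900000.104:204): avc:  denied  { getattr } for  pid=1234 comm="(dbus-brok)" path="/dev/random" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568900000.104:204): arch=80000016 syscall=4 success=no exit=-13 comm="(dbus-brok)" exe="/usr/lib/systemd/systemd"
"""

# One AVC record: the denied permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return (source type, target type, class, permissions) for every AVC record."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record (e.g. the SYSCALL record that follows one)
        denials.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                        m["tclass"], frozenset(m["perms"].split())))
    return denials


def to_cil(denials):
    """Merge denials sharing (source, target, class) into one CIL allow rule each."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)].update(perms)
    return [f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
            for (src, tgt, cls), perms in sorted(merged.items())]


# Permissions that change what the domain may do well beyond using an existing object.
BROAD = {
    "mounton": "mount anything over the object, so a later open() sees something else",
    "create": "create new objects of this type, not just use the existing ones",
}


def broad_permissions(denials):
    """Sorted list of BROAD permissions the generated rules would grant."""
    found = set()
    for _, _, _, perms in denials:
        found.update(perms.intersection(BROAD))
    return sorted(found)


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AUDIT)
    for rule in to_cil(found):
        print(rule)
    for perm in broad_permissions(found):
        print(f"; review {perm}: {BROAD[perm]}")
```

Run as a script it prints two rules, one per target type, which is narrower than the comment 15 rule: that one uses the device_node attribute and therefore lets init_t create and mount on files of every device type, not only the nodes the namespace setup touched. On a real system the input would come from `ausearch -m AVC`, and the rules should be reviewed the same way before `semodule -i` loads them.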

Comment 19 Fedora Blocker Bugs Application 2019-10-03 12:11:45 UTC
Proposed as a Freeze Exception for 31-final by Fedora user sharkcz using the blocker tracking app because:

 Without the SELinux policy change the system can't boot correctly after the installation, dbus-broker doesn't start and as a consequence other services fail to start as well. FE because s390x is an alt-arch.

Comment 20 Adam Williamson 2019-10-03 18:59:42 UTC
Obvious +1 FE.

Comment 21 Zbigniew Jędrzejewski-Szmek 2019-10-03 20:00:46 UTC
+1 FE.

Comment 22 Lukas Vrabec 2019-10-04 10:44:07 UTC
commit 0729590a5777eaa449e70f0da8a74368d47651ec (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 4 12:33:09 2019 +0200

    Make dbus-broker service working on s390x arch
    
    When the dbus-broker service is started on Fedora 31+ on the s390x arch it ends
    up in a failed state because systemd failed to set up mount namespacing.
    
    Systemd needs to be able to create and bindmount devices to the
    namespace. This patch fixes the issue
    
    Resolves: rhbz#1746413

commit f5d5e8f24f1a0be465707cd5052db88ed6534d17
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 4 12:30:24 2019 +0200

    Add new interface dev_mounton_all_device_nodes()

commit eaaa0d710c003f0389f46d3d41fe4c071ba36fc1
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 4 12:27:40 2019 +0200

    Add new interface dev_create_all_files()

Comment 23 dac.override 2019-10-04 12:03:14 UTC
I suspect that the "mac_selinux_create_file*" calls in the "fallback" code are causing these and that these calls should not be there.

The "dummy bind mount target" is not an actual device node and it probably should not be labeled as such (it's just a file that is used to mount the actual device node on, I suspect). Systemd would probably be allowed to create that with the generic context, and then it would probably have been allowed to mount the actual node on that "dummy bind mount target" just fine without any extra policy.

The alternative to fixing this properly in the code is the rules that you see above. The rules do not make sense (to me).

Comment 24 Geoffrey Marr 2019-10-08 06:26:20 UTC
Discussed during the 2019-10-07 blocker review meeting: [0]

The decision to classify this bug as an "AcceptedFreezeException" was made as this is a showstopping issue on a non-blocking arch that cannot be fixed with an update alone.

[0] https://meetbot.fedoraproject.org/fedora-blocker-review/2019-10-07/f31-blocker-review.2019-10-07-16.02.txt

Comment 25 Adam Williamson 2019-10-10 18:37:16 UTC
Lukas, what's your take on the objection in comment #23? And if you're satisfied you have the right fix, can we get it submitted as an update so we can get it into F31 ASAP? Thanks.

Comment 26 Dan Horák 2019-10-11 10:22:25 UTC
If I see it right, the policy update is included in the latest selinux-policy-3.14.4-37.fc31 build that's already in https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25 . Then we only need to attach this bug to the bodhi update. Lukas, is that correct?

Comment 27 Fedora Update System 2019-10-11 11:44:58 UTC
FEDORA-2019-5adca37a25 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-5adca37a25

Comment 28 Lukas Vrabec 2019-10-11 12:00:35 UTC
Hi All, 

Dan is right, it should be included in selinux-policy-3.14.4-37.fc31; I also updated the bodhi update.

To answer the question from comment #23, it's very hard to change something in systemd because it's not working with SELinux; there is no time for it and also not all distros use SELinux.

Comment 29 dac.override 2019-10-11 12:13:12 UTC
I acknowledge that the timing is unfortunate. The change would have to be tested and since the scenario is rather exotic, it is not trivial to simulate it.

However the second argument I do not understand. The problem is the SELinux specific code in the fallback scenario. Removing that code should not affect any distributions that do not use SELinux.

Also let me give a reason why one *would* want to address this issue in a sustainable way. The policy needed to work around this flaw is unlikely to be accepted into upstream. Distributions relying on upstream will thus be left out.

Comment 30 Zbigniew Jędrzejewski-Szmek 2019-10-11 12:42:27 UTC
> The "dummy bind mount target" is not an actual device node and it probably should not be labeled as such (it's just a file that is used to mount the actual device node on, I suspect). Systemd would probably be allowed to create that with the generic context, and then it would probably have been allowed to mount the actual node on that "dummy bind mount target" just fine without any extra policy.

systemd seems to be calling mac_selinux_create_file_prepare() with the appropriate mode.
First, with the mode stat()ed from the actual device node (before the call to mknod()),
and then with mode==0, before creating a dummy mount target. So the "dummy bind mount target"
should not be labelled as a device node, but as a normal file. Or at least systemd passes
this metadata to selabel_lookup_raw().

So I'm not sure if I understood your comment correctly. If you think systemd should do
something different here, please submit a patch upstream, and then it can be discussed
and reviewed appropriately.

Comment 31 Dan Horák 2019-10-11 13:15:56 UTC
*** Bug 1756912 has been marked as a duplicate of this bug. ***

Comment 32 dac.override 2019-10-11 13:16:55 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #30)
> > The "dummy bind mount target" is not an actual device node and it probably should not be labeled as such (it's just a file that is used to mount the actual device node on, I suspect). Systemd would probably be allowed to create that with the generic context, and then it would probably have been allowed to mount the actual node on that "dummy bind mount target" just fine without any extra policy.
> 
> systemd seems to be calling mac_selinux_create_file_prepare() with the appropriate mode.
> First, with the mode stat()ed from the actual device node (before the call to mknod()),
> and then with mode==0, before creating a dummy mount target. So the "dummy bind mount target"
> should not be labelled as a device node, but as a normal file. Or at least systemd passes
> this metadata to selabel_lookup_raw().
> 
> So I'm not sure if I understood your comment correctly. If you think systemd should do
> something different here, please submit a patch upstream, and then it can be discussed
> and reviewed appropriately.

ok let's take it here: https://github.com/systemd/systemd/issues/13762
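Comments 23 and 30 turn on which context the dummy bind-mount target receives, and that depends on the mode the caller passes to the label lookup. The block below is an added example, not systemd's or libselinux's code: a small model of mode-aware file_contexts matching over constructed entries written in the style of a distribution file_contexts. It assumes three rules, modeled on how selabel_lookup(3) treats the file backend: an entry carrying a file-type field (-c, -b, --, ...) matches only a caller mode of that type; a caller mode of 0 means "unknown" and matches entries regardless of their type field; and of several matching entries the later one wins. Under those rules, mode 0 and S_IFREG give different answers for /dev/null, which is the distinction the comments above are arguing about.

```python
"""Model of mode-aware file_contexts matching.

Added example, not systemd's or libselinux's code. Assumed rules (modeled on
selabel_lookup(3) for the file backend):
  * an entry with a file-type field (-c, -b, --, ...) matches only when the
    caller's mode has that file type;
  * a caller mode of 0 ("unknown") matches entries regardless of their type field;
  * among matching entries the one listed later wins.
The entries below are constructed in the style of a distribution file_contexts.
"""
import re
import stat

TYPE_FLAGS = {"-b": stat.S_IFBLK, "-c": stat.S_IFCHR, "-d": stat.S_IFDIR,
              "-p": stat.S_IFIFO, "-l": stat.S_IFLNK, "-s": stat.S_IFSOCK,
              "--": stat.S_IFREG}

FILE_CONTEXTS = """\
# constructed sample; generic entries first, specific ones later
/dev/.*           system_u:object_r:device_t:s0
/dev/null      -c system_u:object_r:null_device_t:s0
/dev/random    -c system_u:object_r:random_device_t:s0
/tmp/.*           system_u:object_r:tmp_t:s0
"""


def parse_file_contexts(text):
    """Return [(compiled regex, required S_IFMT bits or 0, context), ...] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, flag, ctx = parts
            mode = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, ctx = parts
            mode = 0  # no type field: the entry applies to any file type
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((re.compile("^(?:" + regex + ")$"), mode, ctx))
    return specs


def lookup(specs, path, mode):
    """Context for `path` created with `mode`; mode 0 means the file type is unknown."""
    want = stat.S_IFMT(mode)
    best = None
    for regex, spec_mode, ctx in specs:
        if spec_mode and want and spec_mode != want:
            continue  # entry has a type field and it does not match the caller's type
        if regex.match(path):
            best = ctx  # keep going: a later matching entry overrides this one
    return best


def dummy_target_labels(specs, path):
    """Labels `path` would get for the three modes a caller might pass before creating it."""
    return {
        "char":    lookup(specs, path, stat.S_IFCHR | 0o666),  # mode stat()ed from the real node
        "regular": lookup(specs, path, stat.S_IFREG | 0o644),  # an ordinary file
        "unknown": lookup(specs, path, 0),                      # mode 0
    }


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for kind, ctx in dummy_target_labels(specs, "/dev/null").items():
        print(f"/dev/null created as {kind:8}: {ctx}")
```

The point to take from the output: under these rules a mode of 0 does not select the generic /dev/.* entry, only S_IFREG does, so a target created after a lookup with mode 0 still carries the device label. Which mode systemd's fallback path actually passes is what the comments above and the linked upstream issue are about; the model only shows why that choice decides whether extra policy is needed.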

Comment 33 Fedora Update System 2019-10-11 23:18:17 UTC
selinux-policy-3.14.4-37.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Dan Horák 2019-11-20 11:35:42 UTC
Reopening, because we can drop the workarounds from the policy.

Bug 1769148 led to fixing the root cause in systemd (https://github.com/systemd/systemd/pull/13994) and now things work fine with

selinux-policy-3.14.4-35.fc31.noarch - pre-workaround policy
systemd-243.4-1.fc31.s390x - contains fix for 1769148

Comment 35 Ben Cotton 2020-02-11 17:45:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 36 Fedora Program Management 2021-04-29 17:14:20 UTC
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 37 Ben Cotton 2021-05-25 18:10:01 UTC
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 38 Adam Williamson 2021-05-25 23:28:25 UTC
Lukas, did we ever remove the policy workaround here? See #c34.

Comment 39 Lukas Vrabec 2021-05-26 07:48:29 UTC
Adam, 
Good catch! 

Zdenek, 
Please look at comment #34, we need to drop the commits from comment #22. Personally, I would keep the interfaces in the policy and just revert 0729590a5777eaa449e70f0da8a74368d47651ec. Also, it would be great to discuss it again with the systemd folks. 

Thanks,
Lukas.

Comment 40 Adam Williamson 2021-05-26 15:16:34 UTC
OK, so re-opening, setting to Rawhide, and updating summary.

Comment 41 Zdenek Pytela 2022-02-21 14:50:06 UTC
I reverted the old commit for rawhide, but it seems it needs to be committed again to support PrivateDevices.

see https://bugzilla.redhat.com/show_bug.cgi?id=1840265

