Bug 1777001 - cockpit-ws should require(post) semanage somehow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: cockpit
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Martin Pitt
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-26 17:11 UTC by Yanko Kaneti
Modified: 2019-12-07 01:30 UTC

Fixed In Version: cockpit-208-1.fc31 cockpit-208-1.fc30
Clone Of:
Environment:
Last Closed: 2019-12-06 05:43:58 UTC
Type: Bug
Embargoed:



Links
System: Github
ID: cockpit-project cockpit issues 13183
Private: 0
Priority: 'None'
Status: closed
Summary: cockpit-tls: connect(/run/cockpit/wsinstance/https-factory.sock) failed
Last Updated: 2020-11-12 08:47:45 UTC

Description Yanko Kaneti 2019-11-26 17:11:36 UTC
Description of problem:
Nov 26 18:58:10 cafe1 cockpit-tls[989]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Nov 26 18:58:10 cafe1 audit[989]: AVC avc:  denied  { connectto } for  pid=989 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Nov 26 18:58:10 cafe1 cockpit-tls[989]: cockpit-tls: connect(/run/cockpit/wsinstance/https-factory.sock) failed: Permission denied


Version-Release number of selected component (if applicable):
cockpit-207-1.fc31

Steps to reproduce:
Have cockpit-ws installed and enabled without having semanage (policycoreutils-python-utils)


Fixed by installing explicitly policycoreutils-python-utils and reinstalling cockpit-ws

Comment 1 Martin Pitt 2019-11-27 07:28:09 UTC
Thanks Yanko for figuring this out! I already got a similar report upstream, but couldn't make sense of it.

So apparently https://github.com/fedora-selinux/selinux-policy-contrib/pull/161 still didn't make it into Fedora 31.

Comment 3 Yanko Kaneti 2019-11-27 08:04:50 UTC
Thanks.

selinux-policy in f31 might have the fix, but this was a dnf upgrade from 30 -> 31 and package upgrade ordering might have had a part in the problem.

Comment 4 Martin Pitt 2019-11-27 08:47:11 UTC
Yanko: No, I checked, selinux-policy really doesn't have the fix yet (https://bodhi.fedoraproject.org/updates/?packages=selinux-policy). My policy update landed upstream 22 days ago, and the current policy version 3.14.4-40 (https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50) got packaged 23 days ago. So it's not an upgrade issue at all, just the missing dependencies.

Comment 5 Ben Cotton 2019-11-27 14:20:31 UTC
Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 7 Fedora Update System 2019-11-27 21:20:23 UTC
FEDORA-2019-d3b55c4594 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3b55c4594

Comment 8 Fedora Update System 2019-11-27 21:21:20 UTC
FEDORA-2019-b29e09a8d4 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b29e09a8d4

Comment 9 Fedora Update System 2019-11-28 01:44:38 UTC
cockpit-208-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b29e09a8d4

Comment 10 Fedora Update System 2019-11-28 02:21:48 UTC
cockpit-208-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3b55c4594

Comment 11 Craigsilva 2019-11-30 20:25:41 UTC
Last metadata expiration check: 0:00:20 ago on Sun 01 Dec 2019 07:00:12 AEDT
Attempted sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-b29e09a8d4

output:

Transaction test succeeded.
Running transaction
  Preparing        :   1/1
  Running scriptlet: cockpit-bridge-208-1.fc31.x86_64   1/1
  Upgrading        : cockpit-bridge-208-1.fc31.x86_64   1/23
  Upgrading        : cockpit-dashboard-208-1.fc31.noarch   2/23
  Upgrading        : cockpit-packagekit-208-1.fc31.noarch   3/23
  Running scriptlet: cockpit-ws-208-1.fc31.x86_64   4/23
  Upgrading        : cockpit-ws-208-1.fc31.x86_64   4/23
  Running scriptlet: cockpit-ws-208-1.fc31.x86_64   4/23
Applying SELinux policy change for cockpit-wsinstance-factory...
Traceback (most recent call last):
  File "/sbin/semanage", line 970, in <module>
    do_parser()
  File "/sbin/semanage", line 947, in do_parser
    commandParser = createCommandParser()
  File "/sbin/semanage", line 877, in createCommandParser
    import seobject
  File "/usr/lib/python3.7/site-packages/seobject.py", line 33, in <module>
    import sepolicy
  File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 7, in <module>
    import setools
  File "/usr/lib64/python3.7/site-packages/setools/__init__.py", line 79, in <module>
    from .diff import PolicyDifference
  File "/usr/lib64/python3.7/site-packages/setools/diff/__init__.py", line 20, in <module>
    from .bounds import BoundsDifference
  File "/usr/lib64/python3.7/site-packages/setools/diff/bounds.py", line 25, in <module>
    from .types import type_wrapper_factory
  File "/usr/lib64/python3.7/site-packages/setools/diff/types.py", line 26, in <module>
    from ..policyrep import Type
ImportError: cannot import name 'Type' from 'setools.policyrep' (/usr/lib64/python3.7/site-packages/setools/policyrep/__init__.py)


cockpit still failing:
Dec 01 07:05:15 c21home audit[1105]: AVC avc:  denied  { connectto } for  pid=1105 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontex>
Dec 01 07:05:15 c21home cockpit-tls[1105]: cockpit-tls: connect(/run/cockpit/wsinstance/https-factory.sock) failed: Permission denied

Dec 01 07:05:19 c21home audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.6-org.fedoraproject.Setroubleshootd@0 comm="systemd" exe="/u>
Dec 01 07:05:20 c21home python3[1117]: detected unhandled Python exception in '/usr/sbin/setroubleshootd'
Dec 01 07:05:20 c21home setroubleshootd[1117]: Traceback (most recent call last):
Dec 01 07:05:20 c21home setroubleshootd[1117]:   File "/usr/sbin/setroubleshootd", line 35, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]:     from setroubleshoot.util import log_debug
Dec 01 07:05:20 c21home setroubleshootd[1117]:   File "/usr/lib/python3.7/site-packages/setroubleshoot/util.py", line 357, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]:     from sepolicy import get_all_file_types
Dec 01 07:05:20 c21home setroubleshootd[1117]:   File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 7, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]:     import setools
Dec 01 07:05:20 c21home setroubleshootd[1117]:   File "/usr/lib64/python3.7/site-packages/setools/__init__.py", line 79, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]:     from .diff import PolicyDifference
Dec 01 07:05:20 c21home setroubleshootd[1117]:   File "/usr/lib64/python3.7/site-packages/setools/diff/__init__.py", line 20, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]:     from .bounds import BoundsDifference
Dec 01 07:05:20 c21home setroubleshootd[1117]:   File "/usr/lib64/python3.7/site-packages/setools/diff/bounds.py", line 25, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]:     from .types import type_wrapper_factory
Dec 01 07:05:20 c21home setroubleshootd[1117]:   File "/usr/lib64/python3.7/site-packages/setools/diff/types.py", line 26, in <module>
Dec 01 07:05:20 c21home setroubleshootd[1117]:     from ..policyrep import Type
Dec 01 07:05:20 c21home setroubleshootd[1117]: ImportError: cannot import name 'Type' from 'setools.policyrep' (/usr/lib64/python3.7/site-packages/setools/policyrep/__init__.py)
Dec 01 07:05:20 c21home systemd[1]: dbus-:1.6-org.fedoraproject.Setroubleshootd: Succeeded.


-- The unit cockpit-wsinstance-http.socket has successfully entered the 'dead' state.
Dec 01 07:06:45 c21home systemd[1]: Closed Socket for Cockpit Web Service http instance.
-- Subject: A stop job for unit cockpit-wsinstance-http.socket has finished
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- A stop job for unit cockpit-wsinstance-http.socket has finished.
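
The AVC records quoted in the description and in Comment 11 can be reduced to the denied (source type, permission, target type, class) tuple with a short parser, which also copes with the pager-truncated record in Comment 11. This is an added example, not code from this report or from cockpit; the function names are hypothetical and the sample input is constructed from the log lines on this page.

```python
import re
from collections import Counter

# Constructed sample: the AVC records quoted on this page (the second one is
# cut off by the journal pager, as in Comment 11) plus one non-audit line.
SAMPLE = r'''Nov 26 18:58:10 cafe1 audit[989]: AVC avc:  denied  { connectto } for  pid=989 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Dec 01 07:05:15 c21home audit[1105]: AVC avc:  denied  { connectto } for  pid=1105 comm="cockpit-tls" path="/run/cockpit/wsinstance/https-factory.sock" scontext=system_u:system_r:cockpit_ws_t:s0 tcontex>
Dec 01 07:05:15 c21home cockpit-tls[1105]: cockpit-tls: connect(/run/cockpit/wsinstance/https-factory.sock) failed: Permission denied
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def se_type(context):
    """Return the type (third field) of a user:role:type:level context."""
    parts = context.split(':') if context else []
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one journal line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rest = m.group('rest').rstrip()
    truncated = rest.endswith('>')  # the pager cut the line off
    fields = {}
    for fm in FIELD_RE.finditer(rest):
        if truncated and fm.end() == len(rest):
            continue  # value was cut mid-way, do not trust it
        fields[fm.group(1)] = fm.group(2).strip('"')
    rec = {'perms': tuple(m.group('perms').split()),
           'comm': fields.get('comm'), 'path': fields.get('path'),
           'source': se_type(fields.get('scontext')),
           'target': se_type(fields.get('tcontext')),
           'tclass': fields.get('tclass')}
    rec['complete'] = None not in (rec['source'], rec['target'], rec['tclass'])
    return rec

def summarize(text):
    """Count complete denials per (source, perms, target, tclass) tuple."""
    counts, incomplete = Counter(), []
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec['complete']:
            counts[(rec['source'], rec['perms'], rec['target'], rec['tclass'])] += 1
        else:
            incomplete.append(rec)  # truncated record: re-read it untruncated
    return counts, incomplete

if __name__ == '__main__':
    print(summarize(SAMPLE))
```

Records reported as incomplete are worth re-reading from the journal without pager truncation before drawing conclusions from them.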

Comment 12 Martin Pitt 2019-12-03 09:59:14 UTC
@Craigsilva: that setroubleshoot crash is tracked in bug 1761143. At this point I just have to give up, I'm afraid -- the real solution is to land an updated selinux-policy that applies the cockpit adjustments properly, instead of our %post hack. That should hopefully happen soon.

Comment 13 Fedora Update System 2019-12-06 05:43:58 UTC
cockpit-208-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-12-07 01:30:30 UTC
cockpit-208-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

