Bug 1870493 - /var/log/anaconda/hawkey.log has non-default selinux label on fresh installation.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: anaconda
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Vladimír Slávik
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On: 1885772
Blocks: 1812825
Reported: 2020-08-20 08:57 UTC by Marek Havrila
Modified: 2021-05-18 15:47 UTC (History)

Fixed In Version: anaconda-33.16.4.3-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:47:06 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments:
anaconda.log (29.56 KB, text/plain), 2020-08-20 14:32 UTC, Marek Havrila
boot.log (11.26 KB, text/plain), 2020-08-20 14:32 UTC, Marek Havrila
hawkey.log (102 bytes, text/plain), 2020-08-20 14:32 UTC, Marek Havrila
lvm.log (2.24 MB, text/plain), 2020-08-20 14:32 UTC, Marek Havrila
messages (45.76 KB, text/plain), 2020-08-20 14:33 UTC, Marek Havrila
packaging.log (209.91 KB, text/plain), 2020-08-20 14:33 UTC, Marek Havrila
program.log (18.45 KB, text/plain), 2020-08-20 14:33 UTC, Marek Havrila
storage.log (465.88 KB, text/plain), 2020-08-20 14:33 UTC, Marek Havrila
sys.log (1.16 MB, text/plain), 2020-08-20 14:33 UTC, Marek Havrila
systemd_journal.log (10.94 KB, text/plain), 2020-08-20 14:33 UTC, Marek Havrila
zipl.conf (70 bytes, text/plain), 2020-08-20 14:33 UTC, Marek Havrila

Description Marek Havrila 2020-08-20 08:57:10 UTC
Description of problem:
SELinux labels of /usr/share/restraint/plugins/task_run.d/20_unconfined and /var/log/anaconda/hawkey.log have non-default values on a fresh installation of RHEL-8.3

Version-Release number of selected component (if applicable):
RHEL-8.3.0-20200811.0; anaconda-33.16.3.17-1.el8

How reproducible:
always

Steps to Reproduce:
1. Install RHEL-8
2. run restorecon -rvn / -e /sys -e /proc -e /run -e /dev

Actual results:
output of restorecon is: 
Would relabel /var/log/anaconda/hawkey.log from system_u:object_r:rpm_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /usr/share/restraint/plugins/task_run.d/20_unconfined from system_u:object_r:usr_t:s0 to system_u:object_r:unconfined_exec_t:s0

Expected results:
there are no files to relabel on fresh installation

Additional info:
Non-default label of /usr/share/restraint/plugins/task_run.d/20_unconfined was found on all architectures, while /var/log/anaconda/hawkey.log was reported only for x86_64 and s390x

Comment 1 Marek Havrila 2020-08-20 14:29:08 UTC
Note that file /usr/share/restraint/plugins/task_run.d/20_unconfined is not from RHEL package and is installed in %post section from repository other than BaseOS or Appstream.

Attaching logs from s390x machine (Unfortunately, logs on x86_64 were not saved due to network issue).

Comment 2 Marek Havrila 2020-08-20 14:32:27 UTC
Created attachment 1712024 [details]
anaconda.log

Comment 3 Marek Havrila 2020-08-20 14:32:31 UTC
Created attachment 1712025 [details]
boot.log

Comment 4 Marek Havrila 2020-08-20 14:32:41 UTC
Created attachment 1712027 [details]
hawkey.log

Comment 5 Marek Havrila 2020-08-20 14:32:59 UTC
Created attachment 1712028 [details]
lvm.log

Comment 6 Marek Havrila 2020-08-20 14:33:08 UTC
Created attachment 1712029 [details]
messages

Comment 7 Marek Havrila 2020-08-20 14:33:15 UTC
Created attachment 1712030 [details]
packaging.log

Comment 8 Marek Havrila 2020-08-20 14:33:19 UTC
Created attachment 1712031 [details]
program.log

Comment 9 Marek Havrila 2020-08-20 14:33:27 UTC
Created attachment 1712032 [details]
storage.log

Comment 10 Marek Havrila 2020-08-20 14:33:37 UTC
Created attachment 1712033 [details]
sys.log

Comment 11 Marek Havrila 2020-08-20 14:33:42 UTC
Created attachment 1712034 [details]
systemd_journal.log

Comment 12 Marek Havrila 2020-08-20 14:33:45 UTC
Created attachment 1712035 [details]
zipl.conf

Comment 13 Petr Zatko 2020-09-11 09:49:31 UTC
Update from RHEL-8.3.0-20200909.1:
/var/log/anaconda/hawkey.log doesn't seem to be an issue any more, actual restorecon output:

Would relabel /usr/share/restraint/plugins/task_run.d/20_unconfined from system_u:object_r:usr_t:s0 to system_u:object_r:unconfined_exec_t:s0

Comment 15 Jan Stodola 2020-09-16 21:26:51 UTC
OK, let's use this bug to track the problem with /var/log/anaconda/hawkey.log (which is not reproducible on the latest compose).
The problem with /usr/share/restraint/plugins/task_run.d/20_unconfined has been reported as bug 1879749 against restraint.

Comment 16 Vladimír Slávik 2020-09-17 10:09:45 UTC
On the Anaconda side, we handle the logs and contexts in post-scripts: First runs 80-setfilecons.ks to set the contexts, and then 90-copy-screenshots.ks and 99-copy-logs.ks. That means the screenshots and logs do *not* get relabeled. Still, that seems to work well enough. However, we handle all the logs identically, while you observed problems only with the hawkey file. That means the problem is some change outside anaconda. Hawkey is used by dnf, so perhaps they would know? CCing.

Comment 20 Jan Stodola 2020-10-06 23:27:12 UTC
hawkey.log is copied to /mnt/sysimage/var/log/anaconda/ with an incorrect SELinux label even on the other architectures, but the file is relabeled a bit later by 80-setfilecons.ks (described below):

See how the label is changed at the end of the installation, right before reboot:

[anaconda]# while true; do date; ls -lZ /tmp/hawkey.log /mnt/sysimage/var/log/anaconda/hawkey.log; sleep 0.1; done
...
Tue Oct  6 18:41:50 UTC 2020
-rw-------. 1 root root system_u:object_r:rpm_log_t:s0 102 Oct  6 18:41 /mnt/sysimage/var/log/anaconda/hawkey.log
-rw-r--r--. 1 root root system_u:object_r:tmp_t:s0     102 Oct  6 18:39 /tmp/hawkey.log
Tue Oct  6 18:41:50 UTC 2020
-rw-------. 1 root root system_u:object_r:var_log_t:s0 102 Oct  6 18:41 /mnt/sysimage/var/log/anaconda/hawkey.log
-rw-r--r--. 1 root root system_u:object_r:tmp_t:s0     102 Oct  6 18:39 /tmp/hawkey.log
...

I do not know why rpm_log_t is used on hawkey.log, hopefully it will be explained/fixed in a new bug 1885772 reported against selinux-policy.



But debugging this bug clarified why the test fails sometimes on some architectures and not on the others - glob.glob() [1] doesn't return an alphabetically sorted list of post-scripts [2], so the scripts are not executed in the intended order:

[1] https://github.com/rhinstaller/anaconda/blob/master/pyanaconda/kickstart.py#L540
[2] https://github.com/rhinstaller/anaconda/tree/master/data/post-scripts

See an example on x86_64, executed in the installation environment:

Python 3.6.8 (default, Aug 18 2020, 08:33:21)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import glob
>>> glob.glob("/usr/share/anaconda/post-scripts/*ks")
['/usr/share/anaconda/post-scripts/90-copy-screenshots.ks', '/usr/share/anaconda/post-scripts/99-copy-logs.ks', '/usr/share/anaconda/post-scripts/80-setfilecons.ks']

And aarch64:

Python 3.6.8 (default, Aug 18 2020, 08:37:53) 
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import glob
>>> glob.glob("/usr/share/anaconda/post-scripts/*ks")
['/usr/share/anaconda/post-scripts/80-setfilecons.ks', '/usr/share/anaconda/post-scripts/90-copy-screenshots.ks', '/usr/share/anaconda/post-scripts/99-copy-logs.ks']
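
Added example (not part of the bug report or of Anaconda's code): a simplified model of the ordering effect described in comments 16 and 20, showing how the two glob.glob() listings above lead to different final labels on hawkey.log. The label dictionary and the function names are assumptions made for illustration; the script names, the two orders and the SELinux types are taken from the comments.

```python
import glob
import os

# Values taken from the comments above.
DEFAULT_TYPE = "var_log_t"   # type restorecon expects for the log
COPIED_TYPE = "rpm_log_t"    # type seen on the file right after the copy
HAWKEY = "/var/log/anaconda/hawkey.log"
D = "/usr/share/anaconda/post-scripts/"
ORDER_X86_64 = [D + "90-copy-screenshots.ks", D + "99-copy-logs.ks", D + "80-setfilecons.ks"]
ORDER_AARCH64 = [D + "80-setfilecons.ks", D + "90-copy-screenshots.ks", D + "99-copy-logs.ks"]


def run_post_scripts(script_paths):
    """Model (assumption): apply each script's effect on {path: SELinux type}."""
    labels = {}
    for path in script_paths:
        name = os.path.basename(path)
        if name == "80-setfilecons.ks":
            # Relabels only what already exists in the target tree.
            labels = {target: DEFAULT_TYPE for target in labels}
        elif name == "99-copy-logs.ks":
            # The copied log arrives with the non-default type.
            labels[HAWKEY] = COPIED_TYPE
    return labels


def would_relabel(labels):
    """Paths a dry-run relabel check would report."""
    return sorted(p for p, t in labels.items() if t != DEFAULT_TYPE)


def ordered_scripts(directory):
    """glob.glob() returns results in arbitrary order; sort to make it stable."""
    return sorted(glob.glob(os.path.join(directory, "*ks")))


if __name__ == "__main__":
    for label, order in (("x86_64 listing", ORDER_X86_64),
                         ("aarch64 listing", ORDER_AARCH64)):
        print(label, "->", would_relabel(run_post_scripts(order)))
```

In this model the listing with 80-setfilecons.ks last leaves nothing to relabel, while the sorted listing leaves hawkey.log with rpm_log_t, which matches the relabel-after-copy behaviour captured in the `ls -lZ` loop above.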

Comment 21 Jan Stodola 2020-10-06 23:27:47 UTC
PR: https://github.com/rhinstaller/anaconda/pull/2902

Comment 22 Vladimír Slávik 2020-10-19 10:49:12 UTC
Taking the bug so that somebody owns it.

Meanwhile, a port of the PR to master has been merged.

Comment 23 Vladimír Slávik 2020-11-24 16:43:56 UTC
PR merged.

Comment 29 errata-xmlrpc 2021-05-18 15:47:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (anaconda bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1844

