Bug 1917507 - selinux targeted policies fail causes inability to ssh into host
Summary: selinux targeted policies fail causes inability to ssh into host
Keywords:
Status: CLOSED DUPLICATE of bug 1913224
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libsemanage
Version: 8.3
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Petr Lautrbach
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-18 15:43 UTC by Aleksandr Sharov
Modified: 2021-02-02 13:48 UTC
CC: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-02 10:40:23 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Aleksandr Sharov 2021-01-18 15:43:46 UTC
Description of problem:
The client has a RHEL 8.3 server which is enrolled in an IPA domain.
sssd fails to authorize a user into this system via ssh.

/var/log/sssd/selinux_child :

(2021-01-18 14:36:54): [selinux_child[1024078]] [main] (0x0400): selinux_child started.
(2021-01-18 14:36:54): [selinux_child[1024078]] [main] (0x2000): Running with effective IDs: [0][0].
(2021-01-18 14:36:54): [selinux_child[1024078]] [main] (0x2000): Running with real IDs [0][0].
(2021-01-18 14:36:54): [selinux_child[1024078]] [main] (0x0400): context initialized
(2021-01-18 14:36:54): [selinux_child[1024078]] [unpack_buffer] (0x2000): seuser length: 12
(2021-01-18 14:36:54): [selinux_child[1024078]] [unpack_buffer] (0x2000): seuser: unconfined_u
(2021-01-18 14:36:54): [selinux_child[1024078]] [unpack_buffer] (0x2000): mls_range length: 14
(2021-01-18 14:36:54): [selinux_child[1024078]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(2021-01-18 14:36:54): [selinux_child[1024078]] [unpack_buffer] (0x2000): username length: 7
(2021-01-18 14:36:54): [selinux_child[1024078]] [unpack_buffer] (0x2000): username: blupker
(2021-01-18 14:36:54): [selinux_child[1024078]] [main] (0x0400): performing selinux operations
(2021-01-18 14:36:54): [selinux_child[1024078]] [seuser_needs_update] (0x2000): sss_get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
(2021-01-18 14:36:54): [selinux_child[1024078]] [sss_seuser_exists] (0x0400): seuser exists: no
(2021-01-18 14:36:54): [selinux_child[1024078]] [seuser_needs_update] (0x0400): The SELinux user does need an update
(2021-01-18 14:36:54): [selinux_child[1024078]] [libsemanage] (0x0020): Error while reading kernel policy from /var/lib/selinux/targeted/active/policy.linked.
(2021-01-18 14:36:54): [selinux_child[1024078]] [sss_set_seuser] (0x0020): Cannot commit SELinux transaction
(2021-01-18 14:36:54): [selinux_child[1024078]] [main] (0x0020): Cannot set SELinux login context.
(2021-01-18 14:36:54): [selinux_child[1024078]] [main] (0x0020): selinux_child failed!

Indeed, the /var/lib/selinux/targeted/active/ dir looks like this after reinstalling the selinux-policy-targeted package:

root@vsupd00090 ~ # ls -la /var/lib/selinux/targeted/active/
total 8812
drwx------. 3 root root    4096 Jan 18 13:46 .
drwx------. 4 root root      84 Jan 18 14:32 ..
-rw-------. 1 root root      32 Sep 18 07:18 commit_num
-rw-------. 1 root root  397515 Sep 18 07:18 file_contexts
-rw-------. 1 root root   13770 Sep 18 07:18 file_contexts.homedirs
-rw-------. 1 root root       0 Dec  8 10:13 file_contexts.local
-rw-------. 1 root root   12349 Sep 18 07:18 homedir_template
drwx------. 6 root root      55 Sep 18 07:18 modules
-rw-------. 1 root root 8563304 Sep 18 07:18 policy.kern
-rw-------. 1 root root       0 Dec  8 10:13 policy.linked
-rw-------. 1 root root      73 Sep 18 07:18 seusers
-rw-------. 1 root root       0 Dec  8 10:13 seusers.linked
-rw-------. 1 root root    4911 Dec  8 10:13 seusers.local
-rw-------. 1 root root     101 Sep 18 07:18 users_extra
-rw-------. 1 root root       0 Dec  8 10:13 users_extra.linked

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-54.el8.noarch                         Mon Dec  7 20:56:43 2020
selinux-policy-targeted-3.14.3-54.el8.noarch                Mon Dec  7 20:57:09 2020

How reproducible:
Not reproducible in my lab; the client has another server with the same settings and without any problem.

Actual results:
ssh drops connection, pam gets error 4

Expected results:
ssh connects

Additional info:
sosreport and fresh sssd debug logs can be found in the attached case 02840747

Comment 1 Milos Malik 2021-01-18 16:23:14 UTC
Did the client machine encounter any SELinux denials?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 2 Milos Malik 2021-01-18 16:36:49 UTC
The policy.linked file shown in comment#0 has zero length, which is weird.

# ls -l /var/lib/selinux/targeted/active/
total 17584
-rw-------. 1 root root     113 Jan 18 13:51 booleans.local
-rw-------. 1 root root      32 Jan 18 13:52 commit_num
-rw-------. 1 root root  398429 Jan 18 13:52 file_contexts
-rw-------. 1 root root   95792 Jan 18 13:52 file_contexts.homedirs
-rw-------. 1 root root      70 Jan 18 13:51 file_contexts.local
-rw-------. 1 root root   12456 Jan 18 13:52 homedir_template
drwx------. 6 root root      55 Jan 18 13:51 modules
-rw-------. 1 root root 8722281 Jan 18 13:52 policy.kern
-rw-------. 1 root root 8722281 Jan 18 13:52 policy.linked
-rw-------. 1 root root     323 Jan 18 13:52 seusers
-rw-------. 1 root root      73 Jan 18 13:52 seusers.linked
-rw-------. 1 root root     250 Jan 18 13:51 seusers.local
-rw-------. 1 root root     101 Jan 18 13:52 users_extra
-rw-------. 1 root root     101 Jan 18 13:52 users_extra.linked
#

Comment 3 Zdenek Pytela 2021-01-18 16:37:58 UTC
Switching the component to libselinux based on:

(2021-01-18 14:36:54): [selinux_child[1024078]] [libsemanage] (0x0020): Error while reading kernel policy from /var/lib/selinux/targeted/active/policy.linked.

Particularly refer to

-rw-------. 1 root root       0 Dec  8 10:13 policy.linked

Comment 4 Milos Malik 2021-01-18 16:40:05 UTC
If such a situation happened on my machine, I would be thinking about:
 * rebuild of SELinux policy, or
 * reinstall of SELinux-policy packages

Comment 5 Aleksandr Sharov 2021-01-20 16:17:29 UTC
Hi Milos, Zdenek, 

The client has run into the same problems on a second server. What should we perform on the client side to restore connectivity? This behavior is present even after setenforce 0; they can see:

# semodule -l
libsemanage.semanage_direct_get_module_info: Unable to read pcpupstream module lang ext file.

Thanks!

Comment 6 Petr Lautrbach 2021-01-20 16:57:08 UTC
SELinux store is probably broken. Can you see empty - 0 file size - files when you list /var/lib/selinux/targeted/active/modules?

    # ls -lh /var/lib/selinux/targeted/active/modules/*

If you see empty files, it would be helpful to check their modification time and check logs what happened in this time. Was there unexpected reboot, package update, file system problem, ...?

SELinux policy reinstall should fix it:

    # dnf reinstall selinux-policy-targeted

Comment 7 Milos Malik 2021-01-21 08:06:00 UTC
The pcpupstream module comes from the pcp-selinux package. I would recommend reinstalling the pcp-selinux package.

Comment 8 Aleksandr Sharov 2021-01-21 10:45:21 UTC
Hi Team!

The last time something updated the selinux packages seems to be 2020-12-15:

ID     | Command line                                                 | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------------------------------------------
    88 | erase sqldeveloper-20.2.0-175.1842.noarch                    | 2021-01-11 11:56 | Removed        |    1 EE
    87 | install /usr/lib64/dri                                       | 2021-01-04 13:53 | Install        |    1
    86 |                                                              | 2020-12-23 08:48 | Install        |    1 EE
    85 | -y update                                                    | 2020-12-15 16:57 | E, I, U        |    9
    84 | remove kernel-4.18.0-240.1.1.el8_3.x86_64                    | 2020-12-14 11:03 | Removed        |    1
    83 | install mtr                                                  | 2020-12-10 14:50 | Install        |    1
    82 | -y update                                                    | 2020-12-07 19:55 | E, I, U        |  389 EE

Uptime is 43 days; the files in /var/lib/selinux/targeted/active/modules/ were modified December 8th, 2020 at 17:16, probably on startup.

The question is what caused it; it was working OK until last weekend. On the second server, even policy.kern is empty:

[gwubs@vsupc00089 /nfs/home/gwubs]$ sudo ls -l /var/lib/selinux/targeted/active/
First Factor:
Second Factor (optional):
total 2328
-rw-------. 1 root root      32 Dec  8 17:16 commit_num
-rw-------. 1 root root       0 Dec  8 17:16 file_contexts
-rw-------. 1 root root 2360544 Dec  8 17:16 file_contexts.homedirs
-rw-------. 1 root root       0 Dec  8 17:16 file_contexts.local
-rw-------. 1 root root       0 Dec  8 17:16 homedir_template
drwx------. 6 root root      55 Dec  8 17:16 modules
-rw-------. 1 root root       0 Dec  8 17:16 policy.kern                   <<
-rw-------. 1 root root       0 Dec  8 17:16 policy.linked                 <<
-rw-------. 1 root root    6251 Dec  8 17:16 seusers
-rw-------. 1 root root       0 Dec  8 17:16 seusers.linked
-rw-------. 1 root root    6178 Dec  8 17:16 seusers.local
-rw-------. 1 root root       0 Dec  8 17:16 users_extra
-rw-------. 1 root root       0 Dec  8 17:16 users_extra.linked

Any ideas?

Thank you!

Comment 9 Petr Lautrbach 2021-01-21 11:37:44 UTC
What about:

    # find /var/lib/selinux/targeted/active/modules -type f -size 0 -exec ls -l \{\} \;

Please share also libsemanage version:

    # rpm -q libsemanage

I'd suggest backing up the whole /var/lib/selinux for future investigation

    # sudo tar -c -f selinux.backup.tar --selinux /var/lib/selinux

And fix the problem by reinstalling selinux-policy-targeted and pcp-selinux

    # dnf reinstall selinux-policy-targeted pcp-selinux

Anyway, it looks like something broke the SELinux store (/var/lib/selinux) on the weekend. It could be an update of some package like pcp-selinux, or a filesystem problem, ... So it's important to know what happened on the weekend.

Also I'd suggest adding `save-previous = true` to /etc/selinux/semanage.conf. It would preserve the previous module directory after a successful commit, see `man semanage.conf`
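The checks from comments 5, 6 and 9 (zero-length files under the module store, the unreadable lang_ext file, the empty policy.linked named in the selinux_child log, the backup before reinstall) collected into one script. This is an added example, not code from the bug report, sssd or libsemanage. It assumes a POSIX shell with find, ls, sed and GNU tar; the list of files expected to be non-empty is taken from the healthy listing in comment 2 (files such as file_contexts.local or booleans.local may legitimately be empty and are not checked), and the store directory is a parameter so the script can be run against any directory, not only /var/lib/selinux/targeted/active.

```shell
#!/bin/sh
# Added example, not from the bug report or libsemanage: audit an SELinux
# module store for the breakage seen in this bug (zero-length files) and
# stage the backup suggested in comment 9. Assumes find/ls/sed and GNU tar.

# List every zero-length regular file under <store>/modules in 'ls -l' form,
# so the modification times can be matched against 'dnf history' and the
# journal (comment 8 found all of them stamped Dec 8 17:16).
list_empty_files() {
    store="${1:-/var/lib/selinux/targeted/active}"
    find "$store/modules" -type f -size 0 -exec ls -l {} \; 2>/dev/null
}

# Print the number of zero-length files under <store>/modules (0 when healthy).
count_empty_files() {
    store="${1:-/var/lib/selinux/targeted/active}"
    find "$store/modules" -type f -size 0 2>/dev/null | wc -l | tr -d ' '
}

# Verify the artifacts libsemanage reads back after a commit are present and
# non-empty. File list taken from the healthy listing in comment 2 (assumption).
# Prints "ok", or "missing-or-empty:<file>" for the first failure (returns 1).
check_policy_files() {
    store="${1:-/var/lib/selinux/targeted/active}"
    for f in policy.kern policy.linked file_contexts seusers.linked users_extra.linked; do
        if [ ! -s "$store/$f" ]; then
            echo "missing-or-empty:$f"
            return 1
        fi
    done
    echo ok
}

# Extract the store directory named in an sssd selinux_child debug log, from
#   [libsemanage] (0x0020): Error while reading kernel policy from <path>.
# Prints nothing (and returns 1) if the log has no such line.
store_dir_from_log() {
    p=$(sed -n 's/.*Error while reading kernel policy from \(.*\)\.$/\1/p' "$1" | head -n 1)
    [ -n "$p" ] && dirname "$p"
}

# Preserve the whole store with its SELinux labels before touching it
# (GNU tar --selinux, as in comment 9). Run as root.
backup_store() {
    tar -c -f "${2:-selinux.backup.tar}" --selinux "${1:-/var/lib/selinux}"
}

# Run both checks. Prints "healthy" or "broken" on stdout (details on stderr)
# and returns 0 or 1 accordingly, so it can drive a reinstall decision.
audit_store() {
    store="${1:-/var/lib/selinux/targeted/active}"
    status=$(check_policy_files "$store")
    n=$(count_empty_files "$store")
    if [ "$status" = "ok" ] && [ "$n" -eq 0 ]; then
        echo healthy
        return 0
    fi
    echo "store $store: $status, $n empty module file(s):" >&2
    list_empty_files "$store" >&2
    echo broken
    return 1
}

# Usage: sh selinux-store-check.sh [store-dir]
# Backup and reinstall are deliberately left manual:
#   backup_store /var/lib/selinux selinux.backup.tar
#   dnf reinstall selinux-policy-targeted pcp-selinux
if [ $# -ge 1 ]; then
    audit_store "$1"
fi
```

Running `sh selinux-store-check.sh /var/lib/selinux/targeted/active` as root prints `healthy` or `broken` plus the offending files; `store_dir_from_log /var/log/sssd/selinux_child` recovers the store path from the log in comment 0 so the audit is pointed at the directory libsemanage actually failed on. The functions only read the store; the tar backup and the package reinstall remain explicit steps, since `dnf reinstall` rebuilds the store and would destroy the evidence comment 9 asks to keep.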

Comment 10 Aleksandr Sharov 2021-01-21 12:34:31 UTC
Hi! 

All of them are empty:

root@vsupc00089 ~ # find /var/lib/selinux/targeted/active/modules -type f -exec ls -l \{\} \; | wc -l
   1268

root@vsupc00089 ~ # find /var/lib/selinux/targeted/active/modules -type f -size 0 -exec ls -l \{\} \; | wc -l
   1268

Client's trying reinstalling the packages.

Comment 12 Petr Lautrbach 2021-01-28 11:14:24 UTC
This patch https://lore.kernel.org/selinux/20210128104231.102470-1-plautrba@redhat.com/T/#u should prevent some issues with empty files in the module store after a policy rebuild. It is waiting for upstream review now.

Comment 13 Petr Lautrbach 2021-02-02 10:40:23 UTC

*** This bug has been marked as a duplicate of bug 1913224 ***

