1984740 – Use of inst.selinux=0 fails to set root password

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1984740 - Use of inst.selinux=0 fails to set root password

Summary: Use of inst.selinux=0 fails to set root password

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	shadow-utils
Sub Component:
Version:	8.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	beta
Target Release:	---
Assignee:	Iker Pedrosa
QA Contact:	Anuj Borah
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-07-22 05:49 UTC by Parikshit Khedekar
Modified:	2023-11-14 18:03 UTC (History)
CC List:	14 users (show)
Fixed In Version:	shadow-utils-4.6-18.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-11-14 15:49:14 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-90486	None	None	None	2022-10-03 10:07:44 UTC
Red Hat Issue Tracker	RHELPLAN-90487	None	None	None	2022-10-03 10:12:44 UTC
Red Hat Issue Tracker	SSSD-5085	None	None	None	2022-10-03 10:07:49 UTC
Red Hat Product Errata	RHSA-2023:7112	None	None	None	2023-11-14 15:49:28 UTC

Description Parikshit Khedekar 2021-07-22 05:49:15 UTC

Description of problem:
When we use "inst.selinux=0" to install any 8.X it fails with the traceback as,

------------

...
Configuring installed system
...............
An unknown error has occured, look at the /tmp/anaconda-tb* file(s) for more details


    sync_run_task(self._task_proxy)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 490, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 403, in run_installation
    queue.start()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)
dasbus.error.DBusError: Unable to set password for new user: status=-6
------------

Checking it deep I see the command fails as,

[anaconda root@localhost ~]# chpasswd -R /mnt/sysimage/ -e
chpasswd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted (core dumped)
[anaconda root@localhost ~]# 

Gathered the dumps as well, but not able to make solid conclusion from it as
I'm not that expert to selinux yet but I fee the patch
shadow-4.3.1-selinux-perms.patch introduces the changes in RHEL 8 whereas it
works fine on RHEL7


Version-Release number of selected component (if applicable):

RHEL 8.X


How reproducible:

Use inst.selinux=0 to boot line as,

BOOT_IMAGE=images/8.1/vmlinuz initrd=images/8.1/initrd.img inst.stage2=hd:LABEL=RHEL-8-1-0-BaseOS-x86_64  inst.ks=ftp://192.168.122.1/pub/rhel8.4.ks inst.selinux=0

Actual results:

Fails to set a root password and results to traceback

Expected results:

Installation shall work fine.

Additional info:

The current workaround is to set the selinux=0 as well, I don't see
inst.selinux=0 turning off selinux as it still marks it permissive.

There were confusion in RH doc and Upstream doc so based on theory I
have asked for a change to upstream doc as,

https://github.com/rhinstaller/anaconda/pull/3530

I'm not sure if this needs shadow-utils as well, but as this is install
time I'm marking it to anaconda

Comment 11 Jiri Konecny 2022-09-21 10:25:05 UTC

I was looking into this and attaching log.

The interesting part:

10:07:49,944 NOTICE kernel:audit: type=1107 audit(1663754869.943:1525): pid=53923 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='avc:  could not determine enforcing mode: No such file or directory#012 exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
10:07:49,944 NOTICE kernel:audit: type=1701 audit(1663754869.943:1526): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:kernel_t:s0 pid=53923 comm="chpasswd" exe="/usr/sbin/chpasswd" sig=6 res=1
10:07:49,983 INFO systemd:Created slice system-systemd\x2dcoredump.slice.
10:07:49,986 INFO systemd:Started Process Core Dump (PID 53924/UID 0).
10:07:49,987 NOTICE kernel:audit: type=1130 audit(1663754869.985:1527): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=systemd-coredump@0-53924-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
10:07:50,169 INFO systemd-coredump:Resource limits disable core dumping for process 53923 (chpasswd).
10:07:50,176 CRIT systemd-coredump:Process 53923 (chpasswd) of user 0 dumped core.

Seems like the chpasswd call will crash which could be potential SELinux issue even though the SELinux should be set to permissive. Based on the first line it seems that it has an issue to determine the enforcing mode.

Comment 13 Jiri Konecny 2022-09-21 10:31:02 UTC

Based on the above I would like to know SELinux team opinion on why avc can't determine enforcing mode and if that could be the root cause of the crash.

Could this be an issue that chpasswd is started with chroot -R option for chroot where the SELinux is not completely set. However, installation environment is set to Permissive.

chpasswd call:
chpasswd -R /mnt/sysroot -e 


$ getenforce
Permissive


Switching to SELinux team for further investigation.

Comment 14 Petr Lautrbach 2022-09-30 09:33:51 UTC

It looks like a problem similar to https://bugzilla.redhat.com/show_bug.cgi?id=1993081 which seems to be  already fixed in shadow-utils rhel9.

The problem with `chpasswd -R ...` is that libselinux is initialized before `chroot()` as enabled. But when the process `chroot()`s there's no /sys/fs/selinux in the chroot and libselinux is confused. IIRC the solution was to call `selabel_close()` in order to reset libselinux state, or something.

CC @ipedrosa

Comment 15 Iker Pedrosa 2022-09-30 11:33:53 UTC

The (In reply to Petr Lautrbach from comment #14)
> It looks like a problem similar to
> https://bugzilla.redhat.com/show_bug.cgi?id=1993081 which seems to be 
> already fixed in shadow-utils rhel9.

The selinux labeling code in shadow-utils changed before RHEL9 and that's why the regression happened. You can take a look at the code before:
https://github.com/shadow-maint/shadow/blob/e6416fd81bff205f9daac3da02cb3392d3d75e58/lib/selinux.c#L54

And after those changes:
https://github.com/shadow-maint/shadow/blob/master/lib/selinux.c#L47

I don't think those changes are affecting RHEL8 because I didn't port them.

> The problem with `chpasswd -R ...` is that libselinux is initialized before
> `chroot()` as enabled. But when the process `chroot()`s there's no
> /sys/fs/selinux in the chroot and libselinux is confused. IIRC the solution
> was to call `selabel_close()` in order to reset libselinux state, or
> something.
> 
> CC @ipedrosa

I don't see any question and I'm not an expert in selinux. So, how can I help you?

Comment 16 Petr Lautrbach 2022-09-30 13:23:36 UTC

It wasn't a question. I used a wrong CC technology to let you know about this issue releated to chpasswd.


Setup:

# dnf --instalroot=/tmp/root group install 'Minimal Install'
# mount -t proc proc /tmp/root/proc
# setenforce 0

RHEL8 version:

[root@rhel8 ~]# echo 'root:e' | chpasswd -R /tmp/root
chpasswd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted (core dumped)

RHEL9 version:

[root@rhel9 ~]# echo 'root:e' | chpasswd -R /tmp/root
[root@rhel9 ~]#

Comment 25 errata-xmlrpc 2023-11-14 15:49:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: shadow-utils security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7112

Note You need to log in before you can comment on or make changes to this bug.