Description of problem:
New update of selinux-policy breaks Cockpit.

Version-Release number of selected component (if applicable):
selinux-policy-35.10-1.fc35.noarch

How reproducible:
I have a Fedora 35 environment with an older selinux-policy:

```
# rpm -q selinux-policy
selinux-policy-35.7-1.fc35.noarch
```

When I try to do `systemctl restart cockpit` it works fine and the `cockpit` service is running.

Now I try to do `dnf update selinux-policy` and after the update I have:

```
# rpm -q selinux-policy
selinux-policy-35.10-1.fc35.noarch
```

Now doing `systemctl restart cockpit` does not succeed:

```
Job for cockpit.service failed because the control process exited with error code.
See "systemctl status cockpit.service" and "journalctl -xeu cockpit.service" for details.
```

Doing `journalctl -r` and restarting cockpit yields:

```
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Starting Socket for Cockpit Web Service http instance...
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Starting Socket for Cockpit Web Service https instance factory...
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Listening on Socket for Cockpit Web Service http instance.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Listening on Socket for Cockpit Web Service https instance factory.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: kauditd_printk_skb: 13 callbacks suppressed
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1334 audit(1642589391.274:374): prog-id=90 op=LOAD
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit: BPF prog-id=90 op=LOAD
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Starting Cockpit Web Service...
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 cockpit-certificate-ensure[3502]: cockpit-certificate-ensure: mkdir: /run/cockpit/tls/server: File exists
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1130 audit(1642589391.297:375): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: cockpit.service: Control process exited, code=exited, status=1/FAILURE
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: cockpit.service: Failed with result 'exit-code'.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Failed to start Cockpit Web Service.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: cockpit-wsinstance-http.socket: Deactivated successfully.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Closed Socket for Cockpit Web Service http instance.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: cockpit-wsinstance-https-factory.socket: Deactivated successfully.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Closed Socket for Cockpit Web Service https instance factory.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1374 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1400 audit(1642589391.297:376): avc: denied { unlink } for pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1374 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="cert.source" dev="tmpfs" ino=1373 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1400 audit(1642589391.297:377): avc: denied { unlink } for pid=1 comm="systemd" name="cert.source" dev="tmpfs" ino=1373 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit: BPF prog-id=0 op=UNLOAD
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1334 audit(1642589391.303:378): prog-id=0 op=UNLOAD
```

Actual results:
Cockpit service cannot be restarted with the new selinux-policy.

Expected results:
Cockpit service can be restarted.
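The AVC lines in the journal above are one kind of denial reported twice (once by audit[1], once via the kernel ring buffer) for two symlinks under /run/cockpit/tls. The following parser is an added example, not code from the bug report, cockpit or selinux-policy: it pulls source type, target type, object class and permission out of journal lines and collapses duplicates into the single rule the denial corresponds to, the way a triage with audit2allow would. The sample lines are constructed from the report with a shortened hostname.

```python
import re
from collections import defaultdict

# Constructed sample journal output, modelled on the bug report (hostname shortened).
SAMPLE_JOURNAL = """\
Jan 19 10:49:51 host systemd[1]: Starting Cockpit Web Service...
Jan 19 10:49:51 host audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1374 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 host kernel: audit: type=1400 audit(1642589391.297:376): avc: denied { unlink } for pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1374 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 host audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="cert.source" dev="tmpfs" ino=1373 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 host systemd[1]: cockpit.service: Failed with result 'exit-code'.
"""

# Matches both the "audit[1]: AVC avc: denied" and the "kernel: audit: ... avc: denied" forms.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    # An SELinux context is user:role:type:level; the type is the third field.
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial line found in `text`; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        name = re.search(r'\bname="([^"]*)"', line)
        denials.append({
            "perms": tuple(m.group("perms").split()),
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",  # 1 = logged but not enforced
            "name": name.group(1) if name else None,
        })
    return denials


def summarize_rules(denials):
    """Collapse denials into 'allow <stype> <ttype>:<class> { perms };' lines, deduplicated."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in rules.items())


if __name__ == "__main__":
    for rule in summarize_rules(parse_avc_denials(SAMPLE_JOURNAL)):
        print(rule)
```

On a live system the same functions can be fed `journalctl -k` or `ausearch -m AVC` output to confirm whether a policy update (here selinux-policy-35.10 versus the fixed build) still produces the init_t/cockpit_var_run_t unlink denial.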
I have a very strong déjà-vu on that one. A few months ago, systemd was already not allowed to clean up files in /run, then this was fixed, and broke again. I just wasn't able to find the corresponding bugzilla in my history or a search. cockpit.service's unit contains RuntimeDirectory=cockpit/tls and we really rely on systemd's guarantee that this gets cleaned up when the unit stops.
I think this is all just a result of a non-working custom cockpit module. A new build is on the way.
FEDORA-2022-87a0b7e8d0 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0
FEDORA-2022-87a0b7e8d0 has been pushed to the Fedora 35 stable repository. If the problem still persists, please make note of it in this bug report.
*** Bug 2042873 has been marked as a duplicate of this bug. ***
*** Bug 2043025 has been marked as a duplicate of this bug. ***
*** Bug 2042442 has been marked as a duplicate of this bug. ***
*** Bug 2042520 has been marked as a duplicate of this bug. ***