Bug 2042369 - New selinux-policy release breaks Cockpit
Summary: New selinux-policy release breaks Cockpit
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2042442 2042520 2042873 2043025
Depends On:
Blocks:
Reported: 2022-01-19 10:55 UTC by Matej Marušák
Modified: 2022-01-26 15:39 UTC (History)
CC List: 12 users

Fixed In Version: selinux-policy-35.11-1.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-20 14:53:28 UTC
Type: Bug
Embargoed:



Description Matej Marušák 2022-01-19 10:55:41 UTC
Description of problem:

New update of selinux-policy breaks Cockpit.


Version-Release number of selected component (if applicable):
selinux-policy-35.10-1.fc35.noarch


How reproducible:

I have a Fedora 35 environment with some older selinux policy:
```
# rpm -q selinux-policy
selinux-policy-35.7-1.fc35.noarch
```
When I try to do `systemctl restart cockpit` it works fine and `cockpit` service is running.

Now I try to do `dnf update selinux-policy` and after the update I have
```
# rpm -q selinux-policy
selinux-policy-35.10-1.fc35.noarch
```

Now doing `systemctl restart cockpit` does not succeed:
```
Job for cockpit.service failed because the control process exited with error code.
See "systemctl status cockpit.service" and "journalctl -xeu cockpit.service" for details.
```

Doing `journalctl -r` and restarting cockpit yields:
```
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Starting Socket for Cockpit Web Service http instance...
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Starting Socket for Cockpit Web Service https instance factory...
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Listening on Socket for Cockpit Web Service http instance.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Listening on Socket for Cockpit Web Service https instance factory.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: kauditd_printk_skb: 13 callbacks suppressed
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1334 audit(1642589391.274:374): prog-id=90 op=LOAD
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit: BPF prog-id=90 op=LOAD
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Starting Cockpit Web Service...
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 cockpit-certificate-ensure[3502]: cockpit-certificate-ensure: mkdir: /run/cockpit/tls/server: File exists
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1130 audit(1642589391.297:375): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: cockpit.service: Control process exited, code=exited, status=1/FAILURE
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: cockpit.service: Failed with result 'exit-code'.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Failed to start Cockpit Web Service.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: cockpit-wsinstance-http.socket: Deactivated successfully.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Closed Socket for Cockpit Web Service http instance.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: cockpit-wsinstance-https-factory.socket: Deactivated successfully.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 systemd[1]: Closed Socket for Cockpit Web Service https instance factory.
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1374 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1400 audit(1642589391.297:376): avc:  denied  { unlink } for  pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1374 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="cert.source" dev="tmpfs" ino=1373 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1400 audit(1642589391.297:377): avc:  denied  { unlink } for  pid=1 comm="systemd" name="cert.source" dev="tmpfs" ino=1373 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit: BPF prog-id=0 op=UNLOAD
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1334 audit(1642589391.303:378): prog-id=0 op=UNLOAD
```

Actual results:
Cockpit service cannot be restarted with the new selinux-policy.


Expected results:
Cockpit service could be restarted.

Comment 1 Martin Pitt 2022-01-19 11:01:34 UTC
I have a very strong déjà-vu on that one. A few months ago, systemd was already not allowed to clean up files in /run, then this was fixed, and broke again. I just wasn't able to find the corresponding bugzilla in my history or a search.

cockpit.service's unit contains

   RuntimeDirectory=cockpit/tls

and we really rely on systemd's guarantee that this gets cleaned up when the unit stops.
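To make the failure in the description and the RuntimeDirectory point above concrete, here is an added example that is not part of the bug report and not code from the cockpit or selinux-policy projects: a small Python parser for the AVC lines quoted in the journal, which extracts the permission, object class and source/target types, counts denials per (source type, target type, class, permission), and renders each key in the `allow` form that audit2allow prints. The sample journal lines are the ones from the report plus one non-AVC kernel line (constructed here to show that non-AVC lines are skipped). The rendered rules are for triage only; the actual fix shipped in the selinux-policy cockpit module, as noted in the comments below.

```python
import re
from collections import Counter

# Constructed sample: the two AVC lines quoted in the bug report plus one
# unrelated kernel audit line, so the parser has something to skip.
SAMPLE_JOURNAL = """\
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 kernel: audit: type=1334 audit(1642589391.274:374): prog-id=90 op=LOAD
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1374 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
Jan 19 10:49:51 fedora-35-127-0-0-2-2201 audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="cert.source" dev="tmpfs" ino=1373 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=lnk_file permissive=0
"""

# "avc:  denied  { unlink } for  pid=1 comm=..." -> verdict, permission set, key=value tail.
# Matches both the audit[1] form and the "kernel: audit: type=1400 ... avc:" form.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="systemd") or bare (pid=1).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=1 means the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
    }


def type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def summarize(lines):
    """Count enforced denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def as_te_rule(key):
    """Render a summary key the way audit2allow would print it."""
    source, target, tclass, perm = key
    return f"allow {source} {target}:{tclass} {perm};"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_JOURNAL.splitlines()).items():
        print(f"{n:3d}  {as_te_rule(key)}")
```

On the report's journal both denials collapse to one key, `init_t` unlinking a `cockpit_var_run_t` symlink, which is exactly systemd removing the unit's `RuntimeDirectory` contents at stop time. Note that the journal carries each denial twice (the `audit[1]` line and the `kernel: audit: type=1400` line); both forms match the regex, so feed the parser one source or the counts double.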

Comment 2 Zdenek Pytela 2022-01-19 11:53:52 UTC
I think this all is just a result of non-working custom cockpit module. A new build is on the way.

Comment 3 Fedora Update System 2022-01-19 16:56:53 UTC
FEDORA-2022-87a0b7e8d0 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0

Comment 4 Fedora Update System 2022-01-20 14:53:28 UTC
FEDORA-2022-87a0b7e8d0 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 5 Zdenek Pytela 2022-01-20 16:10:14 UTC
*** Bug 2042873 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2022-01-20 16:11:59 UTC
*** Bug 2043025 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2022-01-20 17:40:39 UTC
*** Bug 2042442 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2022-01-21 09:54:11 UTC
*** Bug 2042520 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2022-01-26 15:39:59 UTC
*** Bug 2042442 has been marked as a duplicate of this bug. ***

