Bug 343851 - Selinux denials from anaconda-runtime (leads to selinux disabled at install time)
Selinux denials from anaconda-runtime (leads to selinux disabled at install t...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: David Cantrell
Fedora Extras Quality Assurance
bzcl34nup
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-20 11:17 EDT by John Reiser
Modified: 2013-01-09 23:28 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-09 02:19:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
saved log of selinux_alert.txt from pungi compose (22.22 KB, text/plain)
2007-11-19 11:00 EST, John Reiser
no flags Details
selinux_alert.txt for pungi when enforcing=0 (2.30 KB, text/plain)
2007-11-19 13:14 EST, John Reiser
no flags Details
selinux_alert.txt for pungi when enforcing=0 (18.58 KB, text/plain)
2007-11-19 14:14 EST, John Reiser
no flags Details
selinux_alert.txt for pungi when enforcing=1 (19.82 KB, text/plain)
2007-11-19 14:18 EST, John Reiser
no flags Details

  None (edit)
Description John Reiser 2007-10-20 11:17:32 EDT
Description of problem: A default install of rawhide for Fedora 8 (Oct.19, 2007)
has Disabled as the selinux policy.


Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-24.fc8


How reproducible: always


Steps to Reproduce:
1. create install DVD via Example from "man pungi": pungi -c
/usr/share/pungi/f8-fedora.ks --destdir=/data/Fedora8 --name Fedora --ver 8
2. burn DVD and install default Internet and Office Productivity
3. boot installed system
  
Actual results: The firstboot screen for choosing SELinux policy has Disabled as
the default, and suggests that most people should use the default.  After taking
the default, then logging in:
-----
$ /usr/sbin/selinuxenabled
$ echo $?
1   ### disabled
$ 
-----

Expected results: Enabled should be the default policy.


Additional info:
anaconda-11.3.0.42-1
anaconda-runtime-11.3.0.42-1
pungi-1.1.6-1.fc8
Comment 1 Daniel Walsh 2007-10-22 10:02:58 EDT
Why is pungi doing this?  
Comment 2 Jesse Keating 2007-10-22 10:33:58 EDT
pungi isn't.  Pungi can't adjust what the package defaults are, or anaconda's
defaults.  I've done multiple rawhide installs and multiple installs from pungi
created trees (which pungi is used to create rawhide) and none of them exhibit
this behavior.

John, did you use any special boot flags or anything?  
Comment 3 John Reiser 2007-10-22 11:22:47 EDT
Often I append " vga=791" to the boot command line, so that I get 128x48 text
console (for longer history on text screen).  Otherwise, no other flags.

This might be related to Bug # 343861, where anaconda "Can't load policy: no
such file or directory" because policycoreutils is not where it needs to be on
the DVD.  So SELinux would be disabled during the initial install; perhaps this
setting carries over into firstboot?


Comment 4 Jesse Keating 2007-10-22 11:32:20 EDT
Hrm, did you modify the kickstart file used to create the spin?  If there is no
policycoreutils then SElinux can't be enabled.
Comment 5 John Reiser 2007-10-22 11:47:26 EDT
I made two modifications to /usr/share/pungi/f8-fedora.ks of pungi-1.1.6-1.fc8:
1. "part iso --size=677" in order to create CDs <= 709,885,952 bytes.  (I also
add "--discs=3" to the command line arguments for pungi on x86, and "--discs=4"
for x86_64.
2. comment-out all the lines "@ <language>-support".

"policycoreutils" does not appear in /usr/share/pungi/f8-fedora.ks .  I'll add
it (after "kernel*") and re-spin.
Comment 6 John Reiser 2007-10-25 10:25:50 EDT
Running 'top' on vtty2 during "Starting install process.  This make take several
minutes...", then I see this command line:
-----
/usr/bin/python /usr/bin/ananconda -m cdrom:://scd0:/mnt/source \
    --graphical --noselinux
-----
What is the "--noselinux" doing there?
Comment 7 Jesse Keating 2007-10-25 10:35:21 EDT
that's got to be something generated at compose time.  My recent pungi spins
show that --selinux is being passed, using the .ks that comes in the current
pungi package in rawhide.

The machine you're composing on, does it have selinux enabled?  It needs to at
least be in permissive mode.
Comment 8 John Reiser 2007-10-25 11:02:11 EDT
I just did a compose for i386 from today's rawhide.  pungi-1.1.6-1.fc8,
composing with SELinux enabled (/usr/sbin/selinuxenabled gives shell return code
of 0, which is *true* in shell).  Booting the DVD and installing still shows
"--noselinux" as the last parameter on the command line to anaconda.

What other inputs determine that last parameter "--noselinux"?
Comment 9 Jesse Keating 2007-10-25 11:24:32 EDT
I'm not actually sure.  That all falls out of anaconda-runtime.  Jeremy, any
thoughts here?  
Comment 10 Jesse Keating 2007-11-15 12:55:35 EST
I really can't duplicate this issue.  My only suggestion is to start with a
fresh install or fresh chroot to do the compose.
Comment 11 John Reiser 2007-11-15 22:49:12 EST
Please re-open; I can reproduce this every time.  I re-ran pungi under a fresh
install of released Fedora 8 with default configuration (base Internet plus
Office and Productivity; plus "yum install pungi"), and the pungi-generated DVD
still installs SELinux disabled as default.  The .ks kickstart file for pungi
was modified with "part_size=666" to force generation of CDs (although the
install was done using the generated DVD), the repos were specified as the
Fedora 8 release mirrorlist, and all the "@ <language>-support" lines were
commented out with '## ' at the beginning, and "--discs=5" was appended to the
Example command line from "man pungi".

Here is the output from "ps ax" run as soon as vty2 gives a shell prompt during
install from pungi-DVD.  Captured by plugging in a USB flash storage device
before boot, then mounting the  device explicitly on a new directory /mnt/key,
changing directory to /mnt/key, and using the command "ps ax  > ps_ax-anaconda.out":
-----

  PID TTY      STAT   TIME COMMAND
    1 tty1     Ss+    0:00 /init
    2 ?        S<     0:00 [kthreadd]
    3 ?        S<     0:00 [migration/0]
    4 ?        S<     0:00 [ksoftirqd/0]
    5 ?        S<     0:00 [watchdog/0]
    6 ?        S<     0:00 [events/0]
    7 ?        S<     0:00 [khelper]
   58 ?        S<     0:00 [kblockd/0]
   61 ?        S<     0:00 [kacpid]
   62 ?        S<     0:00 [kacpi_notify]
  204 ?        S<     0:00 [cqueue/0]
  206 ?        S<     0:00 [ksuspend_usbd]
  211 ?        S<     0:00 [khubd]
  214 ?        S<     0:00 [kseriod]
  249 ?        S      0:00 [pdflush]
  250 ?        S      0:00 [pdflush]
  251 ?        S<     0:00 [kswapd0]
  303 ?        S<     0:00 [aio/0]
  397 ?        S<     0:00 [khvcd]
  462 ?        S<     0:00 [kpsmoused]
  474 tty1     S+     0:00 /init
  475 tty1     S+     0:02 /sbin/loader
  519 ?        S<     0:00 [rpciod/0]
  624 ?        S<     0:00 [ata/0]
  625 ?        S<     0:00 [ata_aux]
  629 ?        S<     0:00 [scsi_eh_1]
  630 ?        S<     0:00 [scsi_eh_2]
  634 ?        S<     0:00 [scsi_eh_3]
  635 ?        S<     0:00 [scsi_eh_4]
  639 ?        S<     0:00 [scsi_eh_5]
  640 ?        S<     0:00 [usb-storage]
  647 ?        S<     0:00 [loop0]
  649 tty2     Ss     0:00 -/bin/sh
  689 ?        S<     0:00 [jfsIO]
  690 ?        S<     0:00 [jfsCommit]
  691 ?        S<     0:00 [jfsSync]
  695 ?        S<     0:00 [xfslogd/0]
  696 ?        S<     0:00 [xfsdatad/0]
  697 ?        S<     0:00 [xfs_mru_cache]
  710 ?        S<     0:00 [ksnapd]
  714 ?        S<     0:00 [kmpathd/0]
  724 ?        Ss     0:00 /sbin/loader
  725 tty1     S+     0:03 /usr/bin/python /usr/bin/anaconda -m
cdrom://scd1:/mnt/source --graphical --noselinux
  726 tty1     S+     0:00 /usr/bin/python /usr/bin/anaconda -m
cdrom://scd1:/mnt/source --graphical --noselinux
  727 ?        S<     0:00 [kauditd]
  729 tty6     Ss+    0:00 /usr/bin/Xorg -logfile /tmp/ramfs/X.log :1 vt6
-config /tmp/XConfig.test -extension Composite -s 1440 -dpms -v -ac -nolisten
tcp -screen Anaconda -dpi 96 -br
  731 tty1     S+     0:00 //usr/bin/mini-wm --display :1
  739 tty2     R+     0:00 ps ax
-----

Note the "--noselinux" command line parameter passed to anaconda.  I did not
specify this.

I can reproduce this every time; 4 pungi-created DVD so far, each of which
installs SELinux disabled as default.  If you want, I'll send one of the
pungi-generated physical DVDs by USPS.  My cached copy of
firstboot-1.4.39-1.fc8.noarch.rpm compares equal to the one on mirrors.cat.pdx.edu.
Comment 12 John Reiser 2007-11-16 11:48:48 EST
I have a set of CD .isos for Fedora 8 made by pungi, and a set made by jigdo
(fedoraunity.org.)  The jigdo set installs SELinux enabled, the pungi set
installs SELinux *dis*abled.

Doing md5sum of all files on all CDs, and then a logical 'diff' of the two sets,
shows that boot.cat, boot.iso, diskboot.img, and isolinux.bin are different. 
[Also: repoview/*, *sqlite*, initrd.img, .discinfo, initrd.img.  Remebmer that I
excluded all @<language>-support from my pungi set, while the jigdo set is 100%
released Fedora 8.]

Why would boot.cat, boot.iso, diskboot.img, isolinux.bin be different?

[Also note that only the pungi set gets a message "Can't load policy: no such
file or directory" very early after loading drivers.  Bug 343861.]
Comment 13 John Reiser 2007-11-16 17:25:32 EST
Doing the install in text mode (instead of graphical) makes no difference: the
pungi-generated DVD still installs SELinux disabled by default.

Appending " vga=791" to the boot command line also makes no difference.  I like
the larger text console [128x43 ?] in contrast to the default [80x25], but I had
to verify that it did not contribute to the problem of installing SELinux
disabled by default.
Comment 14 John Reiser 2007-11-18 22:52:50 EST
(In reply to comment #11)
>   725 tty1     S+     0:03 /usr/bin/python /usr/bin/anaconda -m
> cdrom://scd1:/mnt/source --graphical --noselinux

The "--noselinux" parameter is passed from /sbin/loader when
/usr/sbin/load_policy exits with return code non-zero.  Bug 343861 does apply. 
Re-running "strace /usr/sbin/load_policy" on vty2 shows that load_policy cannot
find /etc/selinux/targeted/policy/policy.21  or any version down to .15.  /etc
is in /tmp/loop0 which is mounted on /mnt/runtime, a 95680-block squashfs
filesystem.  So that is stage2.img.

Looking at stage2.img, the files in etc/selinux do not have directory
targeted/policy.  Why?  The full file list is:
-----
.
./config
./targeted
./targeted/contexts
./targeted/contexts/customizable_types
./targeted/contexts/dbus_contexts
./targeted/contexts/default_contexts
./targeted/contexts/default_type
./targeted/contexts/failsafe_context
./targeted/contexts/files
./targeted/contexts/files/media
./targeted/contexts/initrc_context
./targeted/contexts/removable_context
./targeted/contexts/securetty_types
./targeted/contexts/userhelper_context
./targeted/contexts/users
./targeted/contexts/users/guest_u
./targeted/contexts/users/root
./targeted/contexts/users/staff_u
./targeted/contexts/users/user_u
./targeted/contexts/users/xguest_u
./targeted/modules
./targeted/modules/semanage.read.LOCK
./targeted/modules/semanage.trans.LOCK
./targeted/setrans.conf
-----
Notice those .LOCK files, which are strange.  So either mksquashfs failed, or
the tree did not contain any SELinux policy files.  Why?

Comment 15 Jesse Keating 2007-11-18 23:58:04 EST
Are you by chance composing /to/ an NFS or otherwise network share?
Comment 16 John Reiser 2007-11-19 10:58:02 EST
No, the destination directory is ext3 filesystem on a local mounted harddrive
(sata_nv).

Composing is done on Fedora 8 final release (with updates) in SELinux targeted
enforcing mode.  There were several SELinux alerts; I will attach the log.
Comment 17 John Reiser 2007-11-19 11:00:02 EST
Created attachment 263591 [details]
saved log of selinux_alert.txt from pungi compose

Here is the complete log of selinux_alert.txt from the time that pungi compose
was running.  System was "otherwise idle" but is a default Fedora 8 (plus
updates) install, so cron jobs could account for something.
Comment 18 Jesse Keating 2007-11-19 11:03:53 EST
Just to be sure, you've tried it with permissive or disabled mode?  Enforcing
may very well get in the way of the compose happening cleanly.
Comment 19 Daniel Walsh 2007-11-19 11:30:33 EST
Looks like you have a labeling problem

/etc/passwd, /dev/null and files in /var/log are mislabeled.

restorecon -R -v /dev/null /etc/passwd /var/log 
Should fix those.

Looks like unconfined_t process (pungi?) is leaking a open file descriptor to
the network  which can probably be ignored, although the process should not leak,

Also unconfined_t is creating a file in /tmp and then redirecting output from
the install to that file, and this is generating the AVC messages for
unconfined_tmp_t.  These can probably be ignored.

I think the mislabeled files above are the problem.
Comment 20 John Reiser 2007-11-19 12:18:59 EST
Before the last pungi compose, I did "touch /.autorelabel" and rebooted, and a
relabeling pass was done by the boot.  The SELinux contexts are:
-----
# ls -ldZ /dev/null /etc/passwd /var/log
crw-rw-rw-  root root system_u:object_r:null_device_t:s0 /dev/null
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/passwd
drwxr-xr-x  root root system_u:object_r:var_log_t:s0   /var/log
-----

Running the suggested command from Comment #19:
-----
# /sbin/restorecon -R -v /dev/null /etc/passwd /var/log 
/sbin/restorecon reset /var/log/rpmpkgs context
system_u:object_r:cron_log_t:s0->system_u:object_r:rpm_log_t:s0
# ls -ldZ /dev/null /etc/passwd /var/log
crw-rw-rw-  root root system_u:object_r:null_device_t:s0 /dev/null
-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/passwd
drwxr-xr-x  root root system_u:object_r:var_log_t:s0   /var/log
# 
-----
so it looks to me like the only change was to /var/log/rpmpkgs.

I will now try another pungi compose.

Comment 21 John Reiser 2007-11-19 13:14:33 EST
Created attachment 263761 [details]
selinux_alert.txt for pungi when enforcing=0

Here is the selinux_alert.txt when running pungi on the system booted with "
enforcing=0" appended to the kernel command line.  (Still 'targeted' mode.)

The generated stage2.img does contain  /etc/selinux/targeted/policy/policy.21 ,
so using it should install SELinux enabled as default.
Comment 22 John Reiser 2007-11-19 13:18:17 EST
Arrggghhhh!  The SELinux alert browser saved only one alert, even though I
checked the boxes for all today's alerts.  
Comment 23 Daniel Walsh 2007-11-19 13:23:26 EST
SO is pungi creating its own /dev/null?  It seems to be labeled device_t?
Comment 24 Jesse Keating 2007-11-19 13:28:12 EST
Pungi isn't, but anaconda's buildinstall may be.

The entire pile isn't selinux "enabled" really.  A lot of time needs to be put
into that, and at the same time, that pile of stuff isn't worth a lot of time,
as it really needs some present day rewrite love.
Comment 25 John Reiser 2007-11-19 14:14:10 EST
Created attachment 263841 [details]
selinux_alert.txt for pungi when enforcing=0

Here are all the SELinux alerts for pungi running on a system with enforcing=0,
after the relabel of a few Comments ago.

The generated stage2.img squashfs has /etc/setlinux/targeted/policy/policy.21,
and using the DVD to install gives SELinux enabled by default.
Comment 26 John Reiser 2007-11-19 14:18:19 EST
Created attachment 263851 [details]
selinux_alert.txt for pungi when enforcing=1

These are the SELinux alerts for pungi when SELinux is enforcing (and
targeted).

The generated stage2.img has no /etc/selinux/targeted/policy/*, and using the
DVD to install gives SELinux disabled by default.

So, as a workaround, please add a check in pungi for selinux non-enforcing,
just like the existing check for "must be root to run pungi."
Comment 27 John Reiser 2007-11-19 14:22:58 EST
An alternative workaround might be to generate /.autorelabel on the installed
system, for the case where load_policy fails during install itself, but SELinux
Enabled is still selected (by default or otherwise.)  As long as the correct
SELinux .rpms are installed, then the installed system could have SELinux
Enabled by default even though anaconda ran with --noselinux.
Comment 28 Jesse Keating 2007-11-20 17:17:09 EST
I created https://hosted.fedoraproject.org/projects/pungi/ticket/63 to add an
selinux check to pungi.

I'm going to reassign this bug to anaconda-runtime to work out something there.
Comment 29 Bug Zapper 2008-04-04 10:13:35 EDT
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
rawhide.
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 30 Bug Zapper 2008-11-26 03:02:19 EST
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 31 Andy Lindeberg 2008-11-26 11:45:59 EST
Dcantrell: Chris said you were looking to rewrite this stuff, so assigning to you.
Comment 32 John Reiser 2008-12-02 13:53:35 EST
Today it works for me.  Running under targeted enforcing policy on Fedora 10, I used pungi to compose an install DVD for Fedora 10 i386, without turning off selinux before(+during) the compose.  The resulting DVD installed a Fedora 10 that had selinux enabled by default.

It would be nice to confirm that something intentional made the process work, and then to remove the warning that pungi gives near the beginning about the need to disable selinux.

pungi-2.0.8-1.fc10.noarch
anaconda-11.4.1.62-1.i386
anaconda-yum-plugins-1.0-3.fc10.noarch
busybox-anaconda-1.10.3-3.fc10.i386
libselinux-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-utils-2.0.73-1.fc10.i386
selinux-policy-3.5.13-18.fc10.noarch
selinux-policy-targeted-3.5.13-18.fc10.noarch
Comment 33 Daniel Walsh 2008-12-02 14:56:57 EST
You should be able to do livecd creation in F10 without disabling selinux.
Comment 34 Bug Zapper 2009-01-09 02:19:56 EST
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.