Bug 858373 - SELinux denials when packages create users/groups during live image creation with livecd-creator
Product: Fedora
Classification: Fedora
Component: livecd-tools
Assigned To: Brian Lane
Fedora Extras Quality Assurance
: 804243 (view as bug list)
Reported: 2012-09-18 15:41 EDT by Adam Williamson
Modified: 2012-12-18 01:56 EST

Fixed In Version: livecd-tools-18.13-1
Doc Type: Bug Fix
Last Closed: 2012-12-18 01:56:21 EST
Type: Bug

Attachments
patch for nocontexts (751 bytes, patch)
2012-10-10 12:47 EDT, Brian Lane
AVCs encountered while running livecd-creator from livecd-tools-18.13-1.fc18.i686 (10.06 KB, application/octet-stream)
2012-12-06 17:07 EST, John Florian

Description Adam Williamson 2012-09-18 15:41:58 EDT
When creating a live image with livecd-creator (from livecd-tools), an F18 image created on an F18 host, I get SELinux denials every time a package being installed into the live image environment tries to create a user or group (and user/group creation actually fails). The denials are:

Raw Audit Messages
type=AVC msg=audit(1347997072.978:1040): avc:  denied  { read write } for  pid=14943 comm="useradd" name="lastlog" dev="loop0" ino=15518 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1347997072.978:1040): avc:  denied  { open } for  pid=14943 comm="useradd" path="/var/log/lastlog" dev="loop0" ino=15518 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1347997072.978:1040): arch=x86_64 syscall=open success=yes exit=EBADF a0=7fe106df4e92 a1=2 a2=fffffffffffffec0 a3=0 items=0 ppid=14936 pid=14943 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)

IIRC, I could create F17 lives on an F17 host in Enforcing mode. This problem is fatal to image creation; it fails later on due to the lack of the users/groups. I have to set Permissive mode to successfully create a live image.
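As an added example (not part of this bug report or of livecd-tools), a small Python check that parses AVC lines like the ones above and flags a target file whose SELinux type differs from the one the policy expects for that path; the sample audit text is copied from the description and the EXPECTED_TYPE map is a constructed, assumed subset of the targeted policy covering only lastlog.

```python
import re
from typing import Dict, List, Optional

# Sample audit records (constructed from the AVCs in this bug): useradd_t is denied
# read/write/open on lastlog because the file in the live image chroot is var_log_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1347997072.978:1040): avc:  denied  { read write } for  pid=14943 comm="useradd" name="lastlog" dev="loop0" ino=15518 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1347997072.978:1040): avc:  denied  { open } for  pid=14943 comm="useradd" path="/var/log/lastlog" dev="loop0" ino=15518 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1347997072.978:1040): arch=x86_64 syscall=open success=yes exit=EBADF
"""

# Assumed expected file types keyed by path or bare file name (only lastlog here;
# a real tool would derive these from the policy's file_contexts).
EXPECTED_TYPE = {"/var/log/lastlog": "lastlog_t", "lastlog": "lastlog_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AVC denial line, or None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").strip()
    # Third colon-separated field of a context is the type, e.g. useradd_t / var_log_t.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def find_mislabels(audit_text: str) -> List[str]:
    """List denials on files whose label differs from the expected type (a relabel, not a policy gap)."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "file":
            continue
        name = rec.get("path") or rec.get("name")
        expected = EXPECTED_TYPE.get(name)
        if expected and rec["ttype"] != expected:
            findings.append(
                f"{rec['comm']} ({rec['sdomain']}) denied {rec['perms']} on {name}: "
                f"labelled {rec['ttype']}, expected {expected}; restorecon the file in the chroot"
            )
    return findings
```

A denial whose target already carries the expected type is left out on purpose: that would indicate a missing allow rule rather than the mislabel diagnosed in this bug.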
Comment 1 Miroslav Grepl 2012-09-19 11:06:43 EDT
The problem is the lastlog is mislabeled.
Comment 2 Daniel Walsh 2012-09-19 19:59:13 EDT
So the question is how did lastlog get created with the wrong label?  Is something blowing it away and recreating it, without running restorecon?

What policy was used to create this?

I know unconfined domains have this rule
	logging_log_named_filetrans($1, lastlog_t, file, "lastlog")

Which should create the last log file with the correct label.
Comment 3 Adam Williamson 2012-09-20 14:03:19 EDT
I'm guessing this is the copy of lastlog inside the filesystem destined to become the live image, not the copy on the host system. I'm not really sure how that gets created. bcl would know.
Comment 4 Daniel Walsh 2012-10-08 16:17:07 EDT
Ok, I think the problem here is the rpm transition stuff.  Basically we want all processes run within the livecd to stay as livecd_t, but rpm attempts to set its scripts to rpm_script_t, which then transitions to useradd_t and groupadd_t.

Since we are just going to relabel the content when the command completes, we really do not care about these outputs.
Comment 5 Daniel Walsh 2012-10-08 16:21:31 EDT
RPM guys, isn't there a way to tell rpm not to use rpm_script_t?

I remember doing something like this in mock.
Comment 6 Panu Matilainen 2012-10-09 00:34:44 EDT
Yup. From the rpm cli, --nocontexts disables selinux entirely within rpm, but for livecd I guess we'd be talking about python, where it'd be the RPMTRANS_FLAG_NOCONTEXTS transaction flag. But since livecd relies on yum... it's sufficient to add 'nocontexts' to the yum instance's conf.tsflags property.
Comment 7 Daniel Walsh 2012-10-09 13:25:53 EDT
Thanks Panu, I could not remember what we had done.

You could look at mock-1.1.21/py/mockbuild/plugins/selinux.py 

To see how it is done.
Comment 8 Daniel Walsh 2012-10-09 14:14:34 EDT
*** Bug 804243 has been marked as a duplicate of this bug. ***
Comment 9 Brian Lane 2012-10-10 12:47:11 EDT
Created attachment 625015 [details]
patch for nocontexts
Comment 10 Adam Williamson 2012-10-10 20:03:42 EDT
So I tried the patch, and it makes the denials go away, but some of the user/group creations still fail:

groupadd: failure while writing changes to /etc/group
 error: %pre(initscripts-9.40-1.fc18.x86_64) scriptlet failed, exit status 10
 error: initscripts-9.40-1.fc18.x86_64: install failed

for instance. I got this on several packages, and then the image creation ultimately failed because /etc/inittab (iirc) didn't exist, which is what always happens when you hit this bug.
Comment 11 Daniel Walsh 2012-10-11 22:59:24 EDT
Adam, if you run it in permissive mode it works?

Could you run it with

semodule -DB

and see if there are any AVCs that we are not showing.
Comment 12 Adam Williamson 2012-10-12 15:43:36 EDT
So even when run after semodule -DB I see no AVCs at the time of the errors in the compose. But the compose works fine if I do 'setenforce Permissive' first. So the problem is still somehow to do with selinux, even though there are no AVCs.
Comment 13 Fedora Update System 2012-12-04 18:44:03 EST
livecd-tools-18.13-1.fc18 has been submitted as an update for Fedora 18.
Comment 14 Fedora Update System 2012-12-05 18:10:33 EST
Package livecd-tools-18.13-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing livecd-tools-18.13-1.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 15 John Florian 2012-12-06 13:32:35 EST
Hrmm... this does not bode well:

  Installing: strace                       ##################### [515/516] 
  Installing: mtr                          ##################### [516/516] 
  Installing: zip                          ##################### [517/516] 
  Installing: ethtool                      ##################### [518/516] 
966 blocks
W: Could not find 'strip'. Not stripping the initramfs.

Error creating Live CD : Unable to run ['/usr/bin/firewall-offline-cmd', '--enabled', '--service=ssh']!
Comment 16 Brian Lane 2012-12-06 13:56:46 EST
That isn't related to selinux. strip comes from binutils. If that isn't being included then something is probably wrong with your package set.
Comment 17 John Florian 2012-12-06 15:33:54 EST
Sorry, I should have been clearer.  I was actually more worried about the last error where it was unable to run firewall-offline-cmd.  That's something new I'm seeing.  (I've seen the strip warning before for at least a week or so now and it never seemed to cause any actual problems; although I should probably look into that as well.)
Comment 18 Brian Lane 2012-12-06 16:18:37 EST
Well, then we need more info. What selinux state is the host in? Does /var/log/audit/audit.log show any denials?

I did a build using the spin-kickstarts' lxde livecd kickstart and didn't see either of these problems. Please also attach your kickstart file.
Comment 19 John Florian 2012-12-06 17:06:11 EST
Selinux is enforcing the targeted policy.  (Good news!  I no longer see the user/group creation problems that started this BZ.)

I do see quite a few AVCs, which I'll provide via an attachment.

The firewall-offline-cmd error seems to be caused by not having the 'firewalld' package included.  Is that now mandatory for images created by livecd-tools?  My use case requires iptables and at this point would be nearly impossible to migrate over to firewalld.

(My AVCs attachment is with firewalld cited in the package section, so I no longer got that particular error and indeed the spin seemed to be created to completion.  I've only included the AVCs in case they're still of interest.)

I'll see what I can do to reveal the kickstart.  It's split up among several %includes, some of which have dynamically generated content, and of course proprietary company secrets.  :-)  It was originally based off some thincrust AOS-type minimal kickstarts.  Is /usr/share/doc/livecd-tools-18.13/livecd-fedora-minimal.ks a better base to be starting from nowadays?
Comment 20 John Florian 2012-12-06 17:07:35 EST
Created attachment 659070 [details]
AVCs encountered while running livecd-creator from livecd-tools-18.13-1.fc18.i686
Comment 21 Miroslav Grepl 2012-12-07 04:23:17 EST
Please test it with the latest -60.fc18 policy.
Comment 22 John Florian 2012-12-07 08:57:22 EST
Using the latest -60.fc18 policy I saw not a single AVC.  Looks very good here.
Comment 23 Adam Williamson 2012-12-12 22:10:42 EST
Well I can *build* images with -60 and -62, but they don't work properly. Even with host in Permissive. See https://bugzilla.redhat.com/show_bug.cgi?id=886733 .
Comment 24 John Florian 2012-12-13 08:34:09 EST
(In reply to comment #23)
> Well I can *build* images with -60 and -62, but they don't work properly.
> Even with host in Permissive. See
> https://bugzilla.redhat.com/show_bug.cgi?id=886733 .

I just wanted to add that while I saw no problems at all during the image build or while running the build, I do only have selinux enabled on the build host.  Specifically, I don't have selinux enabled for the live spins I'm building.  This seems to match what you're saying in #886733.
Comment 25 Fedora Update System 2012-12-14 19:49:17 EST
livecd-tools-18.14-1.fc18 has been submitted as an update for Fedora 18.
Comment 26 Fedora Update System 2012-12-18 01:56:24 EST
livecd-tools-18.14-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.