Bug 886733 - live images built with livecd-creator 18.13 have major SELinux problems (SELinux is preventing /usr/libexec/colord from 'write' accesses on the directory colord.)
Summary: live images built with livecd-creator 18.13 have major SELinux problems (SELi...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8893822a75eca2eba8109db7627...
Depends On:
Blocks: F18-accepted, F18FinalFreezeExcept
 
Reported: 2012-12-13 02:29 UTC by Adam Williamson
Modified: 2012-12-18 06:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-18 06:53:48 UTC
Type: ---



Description Adam Williamson 2012-12-13 02:29:54 UTC
Description of problem:
Created a live image with enforcing enabled on an F18 host, using selinux-policy -60 for guest and host (current stable). Using livecd-tools 18.13. Tried to boot the live image; boots to a black screen. Booting with enforcing=0 boots fine and gives me this single AVC.
SELinux is preventing /usr/libexec/colord from 'write' accesses on the directory colord.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow colord to have write access on the colord directory
Then you need to change the label on colord
Do
# semanage fcontext -a -t FILE_TYPE 'colord'
where FILE_TYPE is one of the following: tmpfs_t, tmp_t, colord_tmpfs_t, colord_var_lib_t, var_lib_t, colord_tmp_t. 
Then execute: 
restorecon -v 'colord'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that colord should be allowed write access on the colord directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                colord [ dir ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.25-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-60.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec
                              4 14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-12-12 21:23:07 EST
Last Seen                     2012-12-12 21:23:07 EST
Local ID                      4ac14a97-4749-4b5e-8c8a-dc81ff78a7c6

Raw Audit Messages
type=AVC msg=audit(1355365387.703:397): avc:  denied  { write } for  pid=1646 comm="colord" name="colord" dev="dm-0" ino=9172 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir


type=AVC msg=audit(1355365387.703:397): avc:  denied  { add_name } for  pid=1646 comm="colord" name="mapping.db" scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir


type=AVC msg=audit(1355365387.703:397): avc:  denied  { create } for  pid=1646 comm="colord" name="mapping.db" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file


type=AVC msg=audit(1355365387.703:397): avc:  denied  { read write open } for  pid=1646 comm="colord" path="/var/lib/colord/mapping.db" dev="dm-0" ino=42686 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1355365387.703:397): arch=x86_64 syscall=open success=yes exit=ENXIO a0=17e9720 a1=80042 a2=1a4 a3=7fff5e6aae20 items=0 ppid=1 pid=1646 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: colord,colord_t,var_t,dir,write

audit2allow
audit2allow -R

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.9-4.fc18.x86_64
type:           libreport
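The raw AVC records in the report can be reduced to the same source-type / target-type / class summary that setroubleshoot's "Hash:" line and audit2allow work from. The following is an added example, not code from the report, setroubleshoot or audit2allow; the sample records are copied from the report above and the function names are my own.

```python
"""Parse raw SELinux AVC records and summarise the denials per event.
Added example; the sample records below are copied from the bug report."""
import re
from collections import defaultdict

# Three AVC lines plus the SYSCALL line of event :397 from the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1355365387.703:397): avc:  denied  { write } for  pid=1646 comm="colord" name="colord" dev="dm-0" ino=9172 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1355365387.703:397): avc:  denied  { add_name } for  pid=1646 comm="colord" name="mapping.db" scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1355365387.703:397): avc:  denied  { read write open } for  pid=1646 comm="colord" path="/var/lib/colord/mapping.db" dev="dm-0" ino=42686 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1355365387.703:397): arch=x86_64 syscall=open success=yes exit=ENXIO a0=17e9720 a1=80042 a2=1a4 a3=7fff5e6aae20 items=0 ppid=1 pid=1646 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{ (?P<perms>[^}]+?) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC record: event id, verdict, permission list,
    the key=value fields, and the bare source/target SELinux types."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        fields['stype'] = fields['scontext'].split(':')[2]
        fields['ttype'] = fields['tcontext'].split(':')[2]
        denials.append({'event': m.group('event'), 'verdict': m.group('verdict'),
                        'perms': m.group('perms').split(), **fields})
    return denials

def summarize(denials):
    """Collapse denials to (source type, target type, class) -> sorted perms,
    the shape audit2allow turns into allow rules."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in summary.items()}

def hash_line(d):
    """Rebuild setroubleshoot's 'Hash:' key (comm,stype,ttype,tclass,perm)."""
    return ','.join([d['comm'], d['stype'], d['ttype'], d['tclass'], d['perms'][0]])

def syscalls_for(text, event):
    """Fetch the SYSCALL record(s) sharing an event id with the AVC records."""
    return [dict(KV_RE.findall(l)) for l in text.splitlines()
            if l.startswith('type=SYSCALL') and 'audit(%s)' % event in l]
```

Running `summarize(parse_avc(SAMPLE_AUDIT))` on the report's records yields the two groups colord_t -> var_t dir {add_name, write} and colord_t -> var_t file {open, read, write}; a generic var_t target under /var/lib/colord is the labeling symptom the catchall_labels plugin flags when it lists colord_var_lib_t as the expected type.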

Comment 1 Adam Williamson 2012-12-13 02:40:32 UTC
CCing bcl as this is likely livecd-creator not selinux-policy...

Comment 2 Adam Williamson 2012-12-13 03:09:29 UTC
If I build an image with -62 on the host and -62 in the package set for the live image, the resulting image boots, but only to gdm: if I click on 'live user' it cycles right back to gdm. If I boot with enforcing=0 and login I see a whole *pile* of AVCs, 52+ from pulseaudio, gnome-settings-daemon, gnome-keyring-daemon, gnome-session, pactl, dconf-service...it's obviously borked. And more AVCs show up just leaving the VM sitting there. This seems to happen whether I set Enforcing or Permissive on the host.

Re-assigning to livecd-creator as I'm fairly sure that's where the problem is.

Comment 3 Adam Williamson 2012-12-13 03:25:40 UTC
A system installed from a 62/62 image has the same problem: gdm loops if booted with SELinux in enforcing; it works if booted with enforcing=off. Giant pile of AVCs. If I do 'restorecon -nvr /', it seems like the system is completely mislabelled; everything seems to be unconfined_u:object_r:root_t:s0.

Comment 4 Adam Williamson 2012-12-13 03:29:18 UTC
I see these errors/warnings during live image generation:

/etc/selinux/targeted/contexts/files/file_contexts: line 3259 has invalid context system_u:object_r:consoletype_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 3835 has invalid context system_u:object_r:consoletype_exec_t:s0
1.0%/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:consoletype_exec_t:s0

not sure if that's related.

Comment 5 Brian Lane 2012-12-13 15:31:28 UTC
I think this is a selinux-policy problem.

I built multiple successful livecds using -50 on the host and -60 and -62 on the image. When I upgraded my system (various package upgrades including selinux-policy-3.11.1-62) and built a new livecd, it would no longer boot. Checking the audit.log on the host doesn't show any unusual denials during the build.

I *do* see the output from comment 4, but I also saw it on all of the successful builds, so I think that is unrelated.

Comment 6 Miroslav Grepl 2012-12-13 18:00:49 UTC
What does

# grep consoletype_exec_t /etc/selinux/targeted

I need to test it on my machine.

Comment 7 Adam Williamson 2012-12-13 18:30:29 UTC
[root@adam tmp]# grep -r consoletype_exec_t /etc/selinux/targeted
[root@adam tmp]#

Comment 8 Adam Williamson 2012-12-13 18:45:30 UTC
[root@adam tmp]# rpm -V selinux-policy-targeted
missing     /etc/selinux/targeted/modules/active/modules/consoletype.pp

Comment 9 Brian Lane 2012-12-13 18:54:42 UTC
On my desktop I was able to build bootable livecds using policy -50 (and -62 on the image). When I upgraded to -62 they would not boot.

I am missing the same file as comment 8 on the desktop.


On my laptop I can build bootable images. It isn't missing the file, and the upgrade path for selinux-policy has been:

-46 to -50 to -60 (on 12/8) to -62 today.

Comment 10 Brian Lane 2012-12-13 21:48:30 UTC
Note, running yum reinstall selinux-policy-targeted doesn't reinstall the missing file.

Comment 11 Miroslav Grepl 2012-12-14 08:14:50 UTC
I am fixing it.

Fixed in selinux-policy-3.11.1-63.fc18.noarch

Comment 12 Adam Williamson 2012-12-14 21:08:54 UTC
Proposing as at least NTH because we may be pulling a newer selinux so we should ensure we get one that fixes this, if we do.

Comment 13 Adam Williamson 2012-12-15 02:29:55 UTC
mgrepl: can you please submit -63 as an update so we can pull it into builds? thanks.

Comment 14 Miroslav Grepl 2012-12-17 11:19:07 UTC
I am going to submit a newer build today. There were more issues to fix.

Comment 15 Fedora Update System 2012-12-17 17:39:15 UTC
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18

Comment 16 Adam Williamson 2012-12-17 19:41:01 UTC
Discussed at 2012-12-17 NTH review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-17/f18final-blocker-review-5.2012-12-17-16.40.log.txt . Accepted as NTH - selinux-policy -60 went stable, so we could possibly run into issues building live images with it, we should ensure that doesn't happen.

Comment 17 Adam Williamson 2012-12-17 20:59:51 UTC
Looks fixed with -66. Thanks.

Comment 18 Fedora Update System 2012-12-18 06:53:53 UTC
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

