Bug 923497 (mcelog) - Generated live image has many incorrect SELinux contexts, possibly due to missing l2tp.pp file in host's selinux-policy-targeted
Keywords:
Status: CLOSED ERRATA
Alias: mcelog
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3f481a4f369f9c5fa777a67290b...
Duplicates: 923471 923472 923473 923475 923477 923479 923480 923482 923483 923484 923485 923486 923487 923488 923489 923490 923492 923493 923494 923495 923496
Depends On:
Blocks:
Reported: 2013-03-20 00:19 UTC by Adam Williamson
Modified: 2015-01-03 15:27 UTC
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-19 05:53:06 UTC
Type: ---



Description Adam Williamson 2013-03-20 00:19:02 UTC
Description of problem:
Occurs on boot of a Fedora 19 live image built from current repositories.
SELinux is preventing /usr/sbin/mcelog from 'read' accesses on the file mcelog.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mcelog should be allowed read access on the mcelog.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mcelog /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mcelog_t:s0
Target Context                unconfined_u:object_r:net_conf_t:s0
Target Objects                mcelog.conf [ file ]
Source                        mcelog
Source Path                   /usr/sbin/mcelog
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mcelog-1.0-0.7.6e4e2a00.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-22.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.9.0-0.rc3.git0.3.fc19.x86_64 #1
                              SMP Mon Mar 18 21:39:31 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-03-19 19:39:21 EDT
Last Seen                     2013-03-19 19:39:21 EDT
Local ID                      e95b8628-cf41-472c-b086-01177fd326e6

Raw Audit Messages
type=AVC msg=audit(1363736361.481:20): avc:  denied  { read } for  pid=575 comm="mcelog" name="mcelog.conf" dev="dm-0" ino=304368 scontext=system_u:system_r:mcelog_t:s0 tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=file


type=AVC msg=audit(1363736361.481:20): avc:  denied  { open } for  pid=575 comm="mcelog" path="/etc/mcelog/mcelog.conf" dev="dm-0" ino=304368 scontext=system_u:system_r:mcelog_t:s0 tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=file


type=SYSCALL msg=audit(1363736361.481:20): arch=x86_64 syscall=open success=yes exit=ESRCH a0=40df30 a1=0 a2=1b6 a3=1 items=0 ppid=557 pid=575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mcelog exe=/usr/sbin/mcelog subj=system_u:system_r:mcelog_t:s0 key=(null)

Hash: mcelog,mcelog_t,net_conf_t,file,read

audit2allow

#============= mcelog_t ==============
allow mcelog_t net_conf_t:file { read open };

audit2allow -R
require {
	type mcelog_t;
}

#============= mcelog_t ==============
sysnet_read_config(mcelog_t)


Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc3.git0.3.fc19.x86_64
type:           libreport
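The raw audit records above are what audit2allow condenses into the single `allow mcelog_t net_conf_t:file { read open };` rule. The following is an added example, not code from the bug report or from the setroubleshoot/audit2allow tools: it parses AVC and SYSCALL records the way audit2allow does, aggregates the denials into allow rules keyed by (source type, target type, class), and pairs each AVC with its SYSCALL record by audit serial so a reader can tell whether the access was actually blocked. The sample log is constructed from the records quoted in the description (the SYSCALL line is shortened to the fields used here); note that `success=yes` next to a denial is exactly what a permissive system produces, which the report's "Enforcing Mode: Permissive" confirms.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC and SYSCALL records quoted in the bug
# description above (SYSCALL record shortened to the fields used here).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1363736361.481:20): avc:  denied  { read } for  pid=575 comm="mcelog" name="mcelog.conf" dev="dm-0" ino=304368 scontext=system_u:system_r:mcelog_t:s0 tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1363736361.481:20): avc:  denied  { open } for  pid=575 comm="mcelog" path="/etc/mcelog/mcelog.conf" dev="dm-0" ino=304368 scontext=system_u:system_r:mcelog_t:s0 tcontext=unconfined_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1363736361.481:20): arch=x86_64 syscall=open success=yes exit=ESRCH a0=40df30 a1=0 a2=1b6 a3=1 items=0 ppid=557 pid=575 uid=0 comm=mcelog exe=/usr/sbin/mcelog subj=system_u:system_r:mcelog_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r'msg=audit\((?P<serial>[\d.]+:\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(text):
    """Split 'key=value key="quoted value"' pairs into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Return the pieces of one 'avc: denied' record, or None for other record types."""
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    f = _fields(m.group('rest'))
    return {
        'serial': SERIAL_RE.search(line).group('serial'),
        'perms': m.group('perms').split(),
        'scontext': f['scontext'],
        'tcontext': f['tcontext'],
        'tclass': f['tclass'],
        # setroubleshoot reports either the full path or just the file name
        'target': f.get('path') or f.get('name'),
        'comm': f.get('comm'),
    }


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. the 'net_conf_t' in this bug."""
    return ctx.split(':')[2]


def allow_rules(log_text):
    """Aggregate denials into audit2allow-style allow rules, one per
    (source type, target type, class), permissions in first-seen order."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (context_type(avc['scontext']), context_type(avc['tcontext']), avc['tclass'])
        perms = rules.setdefault(key, [])
        for p in avc['perms']:
            if p not in perms:
                perms.append(p)
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in rules.items()]


def syscall_outcomes(log_text):
    """Map audit serial -> True if the SYSCALL record says success=yes.
    A denial whose syscall still succeeded was only logged, i.e. the system
    (or that domain) is permissive rather than enforcing."""
    out = {}
    for line in log_text.splitlines():
        if line.startswith('type=SYSCALL'):
            out[SERIAL_RE.search(line).group('serial')] = _fields(line).get('success') == 'yes'
    return out


def denials_report(log_text):
    """One row per denial: process, object, permissions, target type and
    whether the access was really blocked (None when no SYSCALL record pairs with it)."""
    succeeded = syscall_outcomes(log_text)
    rows = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        s = succeeded.get(avc['serial'])
        rows.append({'comm': avc['comm'], 'target': avc['target'], 'perms': avc['perms'],
                     'tcontext_type': context_type(avc['tcontext']),
                     'blocked': None if s is None else not s})
    return rows


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for row in denials_report(SAMPLE_AUDIT_LOG):
        print(row)
```

The target type is the part worth reading before applying any generated rule: a configuration file under /etc/mcelog carrying `net_conf_t` points at a labeling problem, and an allow rule written from it would paper over the mislabel rather than fix it, which is the direction the rest of this bug takes.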

Comment 1 Adam Williamson 2013-03-20 00:19:13 UTC
Final blocker: "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login"

Comment 2 Daniel Walsh 2013-03-20 00:33:54 UTC
Is this file being created by networkmanager?

Comment 3 Daniel Walsh 2013-03-20 00:34:36 UTC
How is /etc/mcelog being labeled?

ls -lZd /etc/mcelog

Comment 4 Daniel Walsh 2013-03-20 00:35:14 UTC
*** Bug 923496 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Walsh 2013-03-20 00:36:15 UTC
*** Bug 923495 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2013-03-20 00:36:32 UTC
*** Bug 923494 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Walsh 2013-03-20 00:36:50 UTC
*** Bug 923493 has been marked as a duplicate of this bug. ***

Comment 8 Daniel Walsh 2013-03-20 00:37:01 UTC
*** Bug 923492 has been marked as a duplicate of this bug. ***

Comment 9 Daniel Walsh 2013-03-20 00:37:42 UTC
*** Bug 923490 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Walsh 2013-03-20 00:38:50 UTC
*** Bug 923489 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2013-03-20 00:38:59 UTC
*** Bug 923488 has been marked as a duplicate of this bug. ***

Comment 12 Daniel Walsh 2013-03-20 00:40:26 UTC
*** Bug 923487 has been marked as a duplicate of this bug. ***

Comment 13 Daniel Walsh 2013-03-20 00:40:39 UTC
*** Bug 923486 has been marked as a duplicate of this bug. ***

Comment 14 Daniel Walsh 2013-03-20 00:51:18 UTC
Miroslav, something is going wrong with the building of a livecd for F19; the labeling is screwed up.

Adam reports seeing this in the logs.

    /etc/selinux/targeted/contexts/files/file_contexts: line 28 has invalid context system_u:object_r:l2tp_conf_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts: line 285 has invalid context system_u:object_r:l2tpd_var_run_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts: line 290 has invalid context system_u:object_r:l2tpd_var_run_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts: line 404 has invalid context system_u:object_r:l2tpd_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts: line 1176 has invalid context system_u:object_r:l2tp_conf_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts: line 1547 has invalid context system_u:object_r:l2tpd_initrc_exec_t:s0
    /etc/selinux/targeted/contexts/files/file_contexts: line 4007 has invalid context system_u:object_r:l2tpd_var_run_t:s0
    12.0%/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:l2tpd_exec_t:s0

Could you investigate what is causing this?
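The "invalid context" warnings above all name types from one policy module, and comment 26 below finds that module's l2tp.pp file missing from the host. As an added example, not code from the bug report or from the selinux-policy package, the script below does that correlation mechanically: it collects the undefined types and the file_contexts lines that use them, reads the `missing ... .pp` lines from `rpm -V selinux-policy-targeted` output, and attributes each undefined type to a missing module by name prefix. The prefix rule is a triage heuristic of this example, not something the policy tooling guarantees; the sample inputs are constructed from the lines quoted in this comment and in comment 26.

```python
import re
from collections import defaultdict

# Constructed sample input: the file_contexts warnings quoted in comment 14
# and the rpm -V line quoted in comment 26 of this bug.
INVALID_CONTEXT_LOG = """\
/etc/selinux/targeted/contexts/files/file_contexts: line 28 has invalid context system_u:object_r:l2tp_conf_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 285 has invalid context system_u:object_r:l2tpd_var_run_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 290 has invalid context system_u:object_r:l2tpd_var_run_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 404 has invalid context system_u:object_r:l2tpd_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 1176 has invalid context system_u:object_r:l2tp_conf_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 1547 has invalid context system_u:object_r:l2tpd_initrc_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 4007 has invalid context system_u:object_r:l2tpd_var_run_t:s0
"""

RPM_VERIFY_OUTPUT = """\
missing     /etc/selinux/targeted/modules/active/modules/l2tp.pp
"""

INVALID_RE = re.compile(r'file_contexts: line (?P<line>\d+) has invalid context (?P<ctx>\S+)')
MISSING_PP_RE = re.compile(r'^missing\s+\S*/modules/active/modules/(?P<mod>[^/\s]+)\.pp\s*$', re.M)


def context_type(ctx):
    """user:role:type[:range] -> type (the part the loaded policy must define)."""
    return ctx.split(':')[2]


def invalid_types(log_text):
    """Map each type the loaded policy does not define -> sorted file_contexts
    line numbers that use it.  Those entries cannot be applied when files are
    relabeled, so one missing module disables every spec that names its types."""
    types = defaultdict(list)
    for m in INVALID_RE.finditer(log_text):
        types[context_type(m.group('ctx'))].append(int(m.group('line')))
    return {t: sorted(lines) for t, lines in types.items()}


def missing_modules(rpm_v_output):
    """Module names whose .pp file 'rpm -V selinux-policy-targeted' reports as missing."""
    return sorted(set(MISSING_PP_RE.findall(rpm_v_output)))


def attribute_to_modules(types, modules):
    """Heuristic triage (assumption of this example): credit an undefined type
    to a missing module when the type name starts with the module name
    (l2tp_conf_t, l2tpd_exec_t -> l2tp).  The longest matching module wins;
    types matching no missing module go under 'unattributed' for manual review."""
    result = {m: [] for m in modules}
    result['unattributed'] = []
    for t in sorted(types):
        owners = [m for m in modules if t.startswith(m)]
        bucket = result[max(owners, key=len)] if owners else result['unattributed']
        bucket.append(t)
    return result


def triage(invalid_log, rpm_v_output):
    """Full pipeline: warnings + rpm -V output -> {module: [types], 'unattributed': [types]}."""
    return attribute_to_modules(invalid_types(invalid_log), missing_modules(rpm_v_output))


if __name__ == '__main__':
    for t, lines in sorted(invalid_types(INVALID_CONTEXT_LOG).items()):
        print('%-22s file_contexts lines %s' % (t, lines))
    print(triage(INVALID_CONTEXT_LOG, RPM_VERIFY_OUTPUT))
```

On a real host the two inputs would be the warnings captured from the image build (or from `restorecon -nv`) and the output of `rpm -V selinux-policy-targeted`; an empty `unattributed` list means every undefined type is explained by a module the package verifier already reports missing.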

Comment 15 Daniel Walsh 2013-03-20 00:53:38 UTC
*** Bug 923483 has been marked as a duplicate of this bug. ***

Comment 16 Daniel Walsh 2013-03-20 00:53:48 UTC
*** Bug 923484 has been marked as a duplicate of this bug. ***

Comment 17 Daniel Walsh 2013-03-20 00:53:58 UTC
*** Bug 923485 has been marked as a duplicate of this bug. ***

Comment 18 Daniel Walsh 2013-03-20 00:55:14 UTC
*** Bug 923482 has been marked as a duplicate of this bug. ***

Comment 19 Daniel Walsh 2013-03-20 00:55:24 UTC
*** Bug 923480 has been marked as a duplicate of this bug. ***

Comment 20 Daniel Walsh 2013-03-20 00:55:38 UTC
*** Bug 923479 has been marked as a duplicate of this bug. ***

Comment 21 Daniel Walsh 2013-03-20 00:55:45 UTC
*** Bug 923477 has been marked as a duplicate of this bug. ***

Comment 22 Daniel Walsh 2013-03-20 00:56:00 UTC
*** Bug 923475 has been marked as a duplicate of this bug. ***

Comment 23 Daniel Walsh 2013-03-20 00:56:08 UTC
*** Bug 923473 has been marked as a duplicate of this bug. ***

Comment 24 Daniel Walsh 2013-03-20 00:56:18 UTC
*** Bug 923472 has been marked as a duplicate of this bug. ***

Comment 25 Daniel Walsh 2013-03-20 00:56:27 UTC
*** Bug 923471 has been marked as a duplicate of this bug. ***

Comment 26 Adam Williamson 2013-03-20 01:40:01 UTC
Further to comment #14:

[root@adam liferea (master)]# rpm -V selinux-policy-targeted-3.12.1-22.fc19.noarch
missing     /etc/selinux/targeted/modules/active/modules/l2tp.pp
[root@adam liferea (master)]# yum reinstall selinux-policy-targeted
Loaded plugins: auto-update-debuginfo, langpacks, refresh-packagekit
...
Installed:
  selinux-policy-targeted.noarch 0:3.12.1-22.fc19                               

Complete!
[root@adam liferea (master)]# rpm -V selinux-policy-targeted-3.12.1-22.fc19.noarch
missing     /etc/selinux/targeted/modules/active/modules/l2tp.pp
[root@adam liferea (master)]# yum downgrade http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/21.fc19/noarch/selinux-policy-3.12.1-21.fc19.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/21.fc19/noarch/selinux-policy-devel-3.12.1-21.fc19.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/21.fc19/noarch/selinux-policy-targeted-3.12.1-21.fc19.noarch.rpm
...
[root@adam liferea (master)]# rpm -V selinux-policy-targeted
missing     /etc/selinux/targeted/modules/active/modules/l2tp.pp

So that l2tp.pp file seems to be missing, and reinstalling or downgrading selinux-policy does not help.

Comment 27 Daniel Walsh 2013-03-20 01:47:23 UTC
In selinux_policy.spec I see:
          (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \                 ^^^^^^^   


Looks like you are deleting it. Although on my F19 box I have the file.

[root@redsox ~]# rpm -ql selinux-policy-targeted | grep l2tp
/etc/selinux/targeted/modules/active/modules/l2tp.pp
[root@redsox ~]# ls /etc/selinux/targeted/modules/active/modules/l2tp.pp
/etc/selinux/targeted/modules/active/modules/l2tp.pp

Comment 28 Daniel Walsh 2013-03-20 01:47:50 UTC
My arrows did not work...

Comment 29 Adam Williamson 2013-03-20 01:53:28 UTC
They do in a monospaced email :) I saw the same thing, but assumed the subsequent semodule -B -n -s re-created them or something. But I have no idea what the hell's going on there.

Comment 30 Adam Williamson 2013-03-20 05:13:52 UTC
So in a fresh F19 install (done from F18 netinst with F19 repos, as F19 install images are bust atm) l2tp.pp appears to be present, and 'yum reinstall selinux-policy-targeted' doesn't kill it. So it seems somehow specific to my desktop. But I have no idea why it's missing on my desktop, or even the correct way to get it back...

Comment 31 Adam Williamson 2013-03-20 06:05:38 UTC
Removing blocker nomination for now.

Comment 32 Miroslav Grepl 2013-03-20 07:12:01 UTC
Adam,
what kickstarts are you using to build a F19 livecd?

Comment 33 Adam Williamson 2013-03-20 07:21:41 UTC
mgrepl: current f19 branch of spin-kickstarts.

It's almost certainly the missing l2tp.pp file that's causing this. I did another live image build in a clean VM - as described in c#30 - using exactly the same configuration, and that doesn't have the problem. So the problem is the missing l2tp.pp file on my desktop. But I've no idea why that's missing, or how to get it back.

Comment 34 Miroslav Grepl 2013-03-20 11:33:18 UTC
(In reply to comment #27)
> in selinux_policy.spec I see
>           (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp
> amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp
> execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp
> mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp
> polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp
> telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp
> pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp
> rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \                 ^^^^^^^
> 
> 
> 
> Looks like you are deleting it. Although on my F19 box I have the file.
> 
> [root@redsox ~]# rpm -ql selinux-policy-targeted | grep l2tp
> /etc/selinux/targeted/modules/active/modules/l2tp.pp
> [root@redsox ~]# ls /etc/selinux/targeted/modules/active/modules/l2tp.pp
> /etc/selinux/targeted/modules/active/modules/l2tp.pp

Well, I also don't have the policy file, and I'm not sure why we delete it. It should be there.

Comment 35 Miroslav Grepl 2013-03-20 11:33:37 UTC
Fixed in selinux-policy-3.12.1-23.fc19

Comment 36 Fedora Update System 2013-04-08 11:42:12 UTC
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19

Comment 37 Fedora Update System 2013-04-08 15:50:57 UTC
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).

Comment 38 Fedora Update System 2013-04-19 05:53:09 UTC
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 39 ILMostro 2014-02-09 01:13:08 UTC
I'm getting the same messages in the syslog:
SELinux is preventing /usr/bin/python2.7 from open access on the file /var/log/mcelog.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed open access on the mcelog file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-action-che /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mcelog_log_t:s0
Target Objects                /var/log/mcelog [ file ]
Source                        abrt-action-che
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          FedPadSSD
Source RPM Packages           python-2.7.5-9.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     FedPadSSD
Platform                      Linux FedPadSSD 3.12.10-300.fc20.x86_64 #1 SMP Thu
                              Feb 6 22:11:48 UTC 2014 x86_64 x86_64
Alert Count                   8
First Seen                    2014-02-07 09:46:30 CST
Last Seen                     2014-02-08 18:51:20 CST
Local ID                      84161e23-d7bb-408c-bf4e-48042a3cc721

Raw Audit Messages
type=AVC msg=audit(1391907080.588:437): avc:  denied  { open } for  pid=2521 comm="abrt-action-che" path="/var/log/mcelog" dev="sda2" ino=130955 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mcelog_log_t:s0 tclass=file


type=SYSCALL msg=audit(1391907080.588:437): arch=x86_64 syscall=open success=no exit=EACCES a0=210e630 a1=0 a2=1b6 a3=0 items=0 ppid=2510 pid=2521 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=abrt-action-che exe=/usr/bin/python2.7 subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: abrt-action-che,abrt_t,mcelog_log_t,file,open

=========================================================================

I'm not sure why abrt-action-che is denied access to /var/log/mcelog with the SELinux context label "mcelog_log_t". Kernel version 3.12.10-300, as well as the previous kernel version. I only "noticed" them since the recent selinux-policy upgrades, though I'm not sure if it's related to that.

Comment 40 Daniel Walsh 2014-02-14 00:37:50 UTC
This AVC has nothing to do with this bugzilla; please open a new one.

