Bug 990910 - SELinux blocks cloud-init from installing/updating RPMs with scripts.
Summary: SELinux blocks cloud-init from installing/updating RPMs with scripts.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Duplicates: 1010335
Depends On:
Blocks: F20FinalFreezeException
Reported: 2013-08-01 07:58 UTC by Lukas Zapletal
Modified: 2013-12-10 06:55 UTC (History)

Fixed In Version: selinux-policy-3.12.1-106.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-10 06:55:27 UTC
Type: Bug



Description Lukas Zapletal 2013-08-01 07:58:48 UTC
Hello,

as per the discussion here

https://lists.fedoraproject.org/pipermail/devel/2013-July/186952.html

we have found that cloud-init executes everything without PATH set properly. This is an issue mainly for RPM package installation, because scriptlets rely on PATH being set properly. In this case, some packages which are being installed in user scripts (using the yum command) fail to install.

I am not sure if this implies another bug - packages in cloud-init YAML file are totally ignored and never installed. If you try this:

packages:
  - vim
  - emacs

they never get installed. No error or warning is issued in logs. Might be related to the PATH.

I was testing this with Fedora 19, but it is likely the same in Rawhide at this moment.

Comment 1 Garrett Holmstrom 2013-09-24 22:58:45 UTC
Systemd sets a default PATH for the programs it runs.  The reason %post scripts are failing seems to be cloud-init's SELinux policy.  For example, here is what I get on a F20 alpha RC3 instance:

time->Tue Sep 24 02:06:29 2013
type=SYSCALL msg=audit(1379988389.628:35): arch=c000003e syscall=59 success=no exit=-13 a0=36680b0 a1=2fe3cf0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=651 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988389.628:35): avc:  denied  { transition } for  pid=651 comm="yum" path="/usr/sbin/ldconfig" dev="xvda1" ino=4312 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
----
time->Tue Sep 24 02:06:36 2013
type=SYSCALL msg=audit(1379988396.967:37): arch=c000003e syscall=59 success=no exit=-13 a0=38797b0 a1=3c00cb0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988396.967:37): avc:  denied  { transition } for  pid=653 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4640 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
----
time->Tue Sep 24 02:06:36 2013
type=SYSCALL msg=audit(1379988396.789:36): arch=c000003e syscall=59 success=no exit=-13 a0=29e5070 a1=2df06b0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=652 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988396.789:36): avc:  denied  { transition } for  pid=652 comm="yum" path="/usr/sbin/ldconfig" dev="xvda1" ino=4312 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
----
time->Tue Sep 24 02:06:38 2013
type=SYSCALL msg=audit(1379988398.438:38): arch=c000003e syscall=59 success=no exit=-13 a0=2ed9f60 a1=3ba6fa0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988398.438:38): avc:  denied  { transition } for  pid=654 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4640 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process

Comment 2 Daniel Walsh 2013-09-25 15:07:27 UTC
Cloud-init needs to be able to install random packages?  This will make it basically an unconfined domain.

Comment 3 Miroslav Grepl 2013-09-25 17:44:58 UTC
Dan, 
we already have

optional_policy(`
    unconfined_domain(cloud_init_t)
')

cloud-init does "everything".

Comment 4 Daniel Walsh 2013-09-25 17:58:03 UTC
Ok in that case add

rpm_domtrans(cloud_init_t) to the same optional block

We might want to allow unconfined domains to always transition to rpm_t, or at least transition to rpm_script_t.

Comment 5 Miroslav Grepl 2013-09-26 06:08:54 UTC
commit 1222926ca204115e744deac77e5afd16d9b03982
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Sep 26 08:08:38 2013 +0200

    Allow cloud-init to domtrans to rpm

Comment 6 Fedora Update System 2013-09-26 09:41:57 UTC
selinux-policy-3.12.1-74.8.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.8.fc19

Comment 7 Garrett Holmstrom 2013-09-26 23:18:04 UTC
*** Bug 1010335 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2013-09-27 00:46:53 UTC
Package selinux-policy-3.12.1-74.8.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.8.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17739/selinux-policy-3.12.1-74.8.fc19
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-09-30 00:34:17 UTC
selinux-policy-3.12.1-74.8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Matthew Miller 2013-11-27 16:55:56 UTC
This is still happening in F20 beta. 

type=AVC msg=audit(1385569399.106:57): avc:  denied  { transition } for  pid=580 comm="yum" path="/usr/sbin/ldconfig" dev="xvda1" ino=4269 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1385569399.106:57): arch=c000003e syscall=59 success=no exit=-13 a0=3ea0ef0 a1=366d580 a2=7fffcc0d1d58 a3=733a745f74706972 items=0 ppid=561 pid=580 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1385569404.009:58): avc:  denied  { transition } for  pid=582 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1385569404.009:58): arch=c000003e syscall=59 success=no exit=-13 a0=3066050 a1=3a949f0 a2=7fffcc0d1d58 a3=733a745f74706972 items=0 ppid=561 pid=582 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1385569404.054:59): avc:  denied  { transition } for  pid=583 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1385569404.054:59): arch=c000003e syscall=59 success=no exit=-13 a0=30942e0 a1=344dde0 a2=7fffcc0d1d58 a3=733a745f74706972 items=0 ppid=561 pid=583 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)

Also note that since selinux-policy-targeted has RPM scriptlets, this CANNOT be fixed with an update unless that update is applied by hand.
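
Comments 1 and 11 show the same denial pattern: yum running in cloud_init_t is refused the process transition into rpm_script_t that RPM scriptlets need, so every scriptlet exec fails with EACCES (exit=-13). As an added example (not code from the bug report, from cloud-init or from selinux-policy), the Python below pairs each AVC record with its SYSCALL record by audit serial and reduces the denials to the source/target type pairs a policy fix has to cover; the sample records are the ones quoted in Comment 11.

```python
import re
from collections import defaultdict

# Audit records copied from Comment 11 of this bug report; the parser itself is an added example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1385569399.106:57): avc:  denied  { transition } for  pid=580 comm="yum" path="/usr/sbin/ldconfig" dev="xvda1" ino=4269 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1385569399.106:57): arch=c000003e syscall=59 success=no exit=-13 a0=3ea0ef0 a1=366d580 a2=7fffcc0d1d58 a3=733a745f74706972 items=0 ppid=561 pid=580 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1385569404.009:58): avc:  denied  { transition } for  pid=582 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1385569404.009:58): arch=c000003e syscall=59 success=no exit=-13 a0=3066050 a1=3a949f0 a2=7fffcc0d1d58 a3=733a745f74706972 items=0 ppid=561 pid=582 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')   # quoted, (parenthesised) or bare values
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for')  # verdict and permission set
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # records of one event share the serial

def correlate(text):
    """Group audit records by serial: {serial: {"AVC": [fields, ...], "SYSCALL": [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:  # skips ausearch separators such as 'time->' and '----'
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        avc = AVC_RE.search(line)
        if avc:
            fields["result"], fields["perms"] = avc.group(1), avc.group(2).split()
        events[m.group(2)][fields["type"]].append(fields)
    return events

def denied_transitions(text):
    """One summary per denied process transition, joined with the exe and exit code of its SYSCALL record."""
    out = []
    for serial, recs in sorted(correlate(text).items(), key=lambda kv: int(kv[0])):
        syscall = recs["SYSCALL"][0] if recs["SYSCALL"] else {}
        for avc in recs["AVC"]:
            if avc.get("result") != "denied" or avc.get("tclass") != "process" or "transition" not in avc["perms"]:
                continue
            # the third field of a context (system_u:system_r:cloud_init_t:s0) is the type
            out.append({"serial": int(serial), "comm": avc.get("comm"), "path": avc.get("path"),
                        "source": avc["scontext"].split(":")[2], "target": avc["tcontext"].split(":")[2],
                        "exe": syscall.get("exe"), "exit": int(syscall["exit"]) if "exit" in syscall else None})
    return out

def transition_pairs(text):
    """Collapse denials to (source type, target type) -> sorted executables: the shape a policy fix needs."""
    pairs = defaultdict(set)
    for d in denied_transitions(text):
        pairs[(d["source"], d["target"])].add(d["path"])
    return {k: sorted(v) for k, v in pairs.items()}
```

Run over the output of `ausearch -m AVC,SYSCALL` from a guest, the single (cloud_init_t, rpm_script_t) pair it reports is exactly the transition that rpm_domtrans(cloud_init_t) in Comment 4 grants.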

Comment 12 Matthew Miller 2013-11-27 16:58:55 UTC
I'm marking this as a Freeze Exception. I'd make it a blocker, except we haven't defined release criteria for cloud-init.

Comment 13 Adam Williamson 2013-11-27 20:08:05 UTC
Discussed at 2013-11-27 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-11-27/f20-blocker-review-3.2013-11-27-17.01.log.txt . Accepted as a freeze exception issue, this is a significant problem for cloud deployments and can't be fixed post-release.

Comment 14 Daniel Walsh 2013-12-02 14:11:51 UTC
a3007fcf054427b3e4f2c06c77ad783551aae67f fixes this in git.

Comment 15 Daniel Walsh 2013-12-02 15:17:44 UTC
Fixed in selinux-policy-3.12.1-106.fc20

Comment 16 Adam Williamson 2013-12-02 19:16:47 UTC
If you could edit -106 into https://admin.fedoraproject.org/updates/FEDORA-2013-22285/selinux-policy-3.12.1-105.fc20 and mark that update as fixing this bug, it'll make it easier to pull the fix into TC4 and track it - thanks!

Comment 17 Daniel Walsh 2013-12-02 19:45:03 UTC
Could you check if 105 fixes the issue first?  My fix might be irrelevant.

Comment 18 Adam Williamson 2013-12-02 20:05:51 UTC
It's not super easy from a process point of view, because we're post freeze and this is the only blocker or freeze exception bug to justify pulling an selinux-policy build through the freeze. If you're willing to Officially Declare that -105 may fix this issue, that's probably good enough to pull it into TC4 and see how things go. TC4 will likely be built later today.

Comment 19 Matthew Miller 2013-12-02 20:31:27 UTC
Dan, this seems to work with 3.12.1-106

Comment 20 Adam Williamson 2013-12-02 20:58:45 UTC
matt: he wanted to know if it works with *105*, so we don't have to take 106.

Comment 21 Daniel Walsh 2013-12-02 22:23:27 UTC
Taking 106 is fine.  It was only a minor change, with no security ramifications.

If this helps move things along.

Comment 22 Adam Williamson 2013-12-02 22:32:19 UTC
We can take either 105 or 106 for TC4, but:

* to take 105 we'd need an Official Dwalsh Statement that it has a reasonable chance of fixing the bug

OR

* to take 106 it'd be best to have a Bodhi update for it (either edit the 105 update or just make a new one, editing the 105 update would avoid any Bodhi problems where the old update sticks around and we end up with them fighting to go stable)

Comment 23 Fedora Update System 2013-12-03 09:49:22 UTC
selinux-policy-3.12.1-106.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-106.fc20

Comment 24 Fedora Update System 2013-12-03 18:21:53 UTC
Package selinux-policy-3.12.1-106.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-106.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22646/selinux-policy-3.12.1-106.fc20
then log in and leave karma (feedback).

Comment 25 Fedora Update System 2013-12-10 06:55:27 UTC
selinux-policy-3.12.1-106.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
