Bug 1435310
Summary: | avc denial during F26 Atomic Host and Cloud Base boot - 'error_name=org.freedesktop.systemd1.NoSuchDynamicUser' | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Micah Abbott <miabbott> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 26 | CC: | awilliam, dominick.grift, dustymabe, dwalsh, gmarr, lvrabec, mgrepl, mruckman, plautrba, pmoore, robatino, ssekidde, walters, zbyszek |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | AcceptedFreezeException AcceptedBlocker | | |
Fixed In Version: | selinux-policy-3.13.1-249.fc26 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-03-29 05:05:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1349185, 1349188 | | |
Description
Micah Abbott
2017-03-23 14:15:02 UTC
Since systemd added an nss module, *every* single process that does a username lookup is going to end up speaking dbus to init_t. I think we should just globally allow this.

Proposed as a Blocker for 26-final by Fedora user roshi using the blocker tracking app because: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop" - https://fedoraproject.org/wiki/Fedora_26_Final_Release_Criteria#SELinux_and_crash_notifications

Sorry, wasn't thinking. Atomic doesn't block release so it can't be a blocker. Apologies for the noise.

What? Is that really still true? Why?

https://fedoraproject.org/wiki/Releases/26/ReleaseBlocking?rd=Fedora_Program_Management/ReleaseBlocking/Fedora26

It looks like the only blocking image in the Cloud space is the 'Fedora Cloud Base' cloud image.

I'd expect this to be seen everywhere. None of this code or these packages is specific to Atomic. That said, I thought we had the selinux issues with systemd-233 already fixed, so I'm a bit surprised to see this.

FYI this also affects the cloud base image Fedora-Cloud-Base-26_Alpha-1.2.x86_64.qcow2 from alpha 1.2 RC.

```
[root@cloudhost ~]# journalctl | grep USER_AVC
Mar 23 18:27:00 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.12 spid=1 tpid=689 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:27:25 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.13 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:27:50 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.14 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:28:15 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.15 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:28:40 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.16 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:29:05 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.17 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:29:30 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.18 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:29:55 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.19 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
[root@cloudhost ~]# cat /etc/os-release
NAME=Fedora
VERSION="26 (Cloud Edition)"
ID=fedora
VERSION_ID=26
PRETTY_NAME="Fedora 26 (Cloud Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:26"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=26
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=26
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Cloud Edition"
VARIANT_ID=cloud
```

From previous comment, here are the versions that are in that image:

```
[root@cloudhost ~]# rpm -q systemd selinux-policy
systemd-233-2.fc26.x86_64
selinux-policy-3.13.1-247.fc26.noarch
```

(In reply to Colin Walters from comment #4)
> What? Is that really still true? Why?

Because we're on the 2 week release schedule, and we don't build an atomic image with TC/RC requests, I don't know how it could be a blocker. At least not in the traditional sense of the term.

Since it affects the Base image, I've reapplied the blocker nomination.

Looks like this bug is the root cause of https://bugzilla.redhat.com/show_bug.cgi?id=1433459 as well. cloud-init is the thing that is making the call that is being denied by systemd.

Transferring Alpha accepted FE status here from #1433459, since we were really voting on the symptom there.

Colin: yes, right now, no Atomic images are release blocking. There's a simple reason for that and a complicated one.

Simple: no-one has actually jumped through the correct hoops to get it changed. The way that works, IIRC, is the FPM asks each WG each cycle which of its deliverables it thinks should be 'release blocking', and the list gets updated. I believe that's already happened for F26. The contact would have been to the Cloud WG, for the Atomic images. The list is https://fedoraproject.org/wiki/Releases/26/ReleaseBlocking .

Complex: as Mike suggested, if we were to get to actually discussing the change, it'd get a bit fuzzy. Atomic has its own release cycle, effectively: two-week Atomic. While two-week Atomic has been going on, we have not used the main distro release date as the date we cut over two-week Atomic builds. That is, we didn't move two-week Atomic builds from Fedora 24 to Fedora 25 on the day we released the rest of F25, it happened a bit later. We do not ship any Atomic images as part of the main Fedora release, at present - they are left out of those composes entirely. Given that, it doesn't seem to make a lot of sense for an Atomic image to be 'release blocking', in the way we currently define and implement that. What it means for an image to be 'release blocking' is that if there's a release criteria violation related to that image, we hold the release until it's fixed, basically.

But what's the point of holding the Fedora 26 (say) release to fix an Atomic-specific bug, if we're not shipping any Atomic images as part of the main Fedora 26 release? Similarly, we don't at present ship Atomic images with Alpha or Beta releases. We don't really have a formal delivery mechanism for Atomic deliverables during pre-release phases *at all* besides 'grab the images from a nightly compose', which is arguably a problem, but it's where we're at right now. So again, it doesn't make any sense to block Alpha or Beta releases on Atomic bugs, since Alphas and Betas don't have Atomic in them at all. Basically, the current 'release blocking' concept is tied to the main distro release process, which Atomic just isn't a part of.

What we should really do is come up with some process for 'releasing' Atomic during the pre-release phase that everyone's happy with (there was some discussion of this on #fedora-releng last week, IIRC, but it didn't come to any solid conclusions), and take a wider look at the process documentation for that process together with the post-stable 'two-week Atomic' release process itself, since properly conceived, that's really a whole separate release process we should have documented in parallel to the 'main' release cycle. That'd probably involve rather wider changes to the wiki than just updating the 'release blocking deliverables' list.

Discussed during the 2017-03-27 blocker review meeting: [1] The decision was made to classify this bug as an AcceptedBlocker as it violates the following Final criteria: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-27/f26-blocker-review.2017-03-27-16.01.txt

Confirmed that the build at [1] fixes the problem for me:

```
[root@cloudhost ~]# systemd-analyze
Startup finished in 965ms (kernel) + 1.247s (initrd) + 12.989s (userspace) = 15.203s
[root@cloudhost ~]#
[root@cloudhost ~]# rpm -q selinux-policy
selinux-policy-3.13.1-248.fc26.noarch
[root@cloudhost ~]#
[root@cloudhost ~]# ausearch -m avc,user_avc
<no matches>
```

Can we get the update submitted into bodhi?

[1] https://koji.fedoraproject.org/koji/buildinfo?buildID=873056

selinux-policy-3.13.1-249.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f

selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f

selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
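Added example, not from the bug thread or from the selinux-policy project: a small Python triage helper that parses USER_AVC journal records of the shape quoted above, groups the denials by source type, target type, object class, permission and D-Bus error name, and emits the audit2allow-style rule that the "just globally allow this" proposal amounts to. The sample journal is constructed from two of the bug's own records plus one unrelated line; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample journal: two of the USER_AVC records quoted in the bug,
# plus one unrelated systemd line to show that non-AVC records are skipped.
SAMPLE_JOURNAL = """\
Mar 23 18:27:00 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.12 spid=1 tpid=689 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:27:25 cloudhost.localdomain audit[447]: USER_AVC pid=447 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.13 spid=1 tpid=765 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus
Mar 23 18:27:30 cloudhost.localdomain systemd[1]: Started Cloud-init: Final Stage.
"""

# USER_AVC records (dbus-daemon acting as the userspace object manager) carry the
# denial inside msg='avc: denied { perms } for key=value ...'.
AVC_RE = re.compile(r"USER_AVC .*?msg='avc: denied \{ (?P<perms>[^}]*)\} for (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_user_avc(line):
    """Return the denial's fields as a dict, or None for lines that are not USER_AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    # The type is the third field of an SELinux context user:role:type:level.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(journal_text):
    """Count denials by (source type, target type, class, perms, D-Bus error name)."""
    counts = Counter()
    for line in journal_text.splitlines():
        rec = parse_user_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"],
                   " ".join(rec["perms"]), rec.get("error_name", "-"))
            counts[key] += 1
    return counts


def allow_rule(key):
    """The audit2allow-style rule that would permit one summarized denial."""
    stype, ttype, tclass, perms, _ = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, perms)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_JOURNAL).items():
        print("%dx %s -> %s (error_name=%s)" % (n, key[:4], allow_rule(key), key[4]))
```

Feeding it `journalctl | grep USER_AVC` output from the affected image collapses the eight repeated records into one line, which makes it obvious that a single init_t to cloud_init_t dbus send_msg rule (the one shipped in selinux-policy-3.13.1-249.fc26) covers all of them.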