Bug 1514795
| Field | Value |
|---|---|
| Summary | SELinux is preventing systemd from 'create' accesses on the unix_stream_socket Unknown. |
| Product | Fedora |
| Component | container-selinux |
| Version | 27 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Predrag <predrag.zvijerac> |
| Assignee | Lokesh Mandvekar <lsm5> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | amurdaca, csteele81, dwalsh, fkluknav, gtwilliams, jchaloup, jlebon, kanezor+bugzilla.redhat.com, lsm5, lvrabec, mgrepl, noobusinghacks, obliterator666, plautrba, pmoore, pparsons, predrag.zvijerac, terence.callaghan |
| Target Milestone | --- |
| Target Release | --- |
| Whiteboard | abrt_hash:3105d14f21e59edb726bf898f9802a354518963c750a7e1cd2349c661e1c3dba;VARIANT_ID=workstation; |
| Fixed In Version | container-selinux-2.40-1.fc26 container-selinux-2.42-1.fc27 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Last Closed | 2018-01-23 21:17:38 UTC |
Description  Predrag  2017-11-18 17:19:43 UTC

*** Bug 1515990 has been marked as a duplicate of this bug. ***

Description of problem:
Trying to start the docker service using the command systemctl start docker.service

Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.16-302.fc27.x86_64
type:           libreport

----

Hi,

Could you attach the output of:

# ps -efZ | grep unconfined_service_t

Thanks.

----

As requested, here are the details:

[root@ideapad ~]# ps -efZ | grep unconfined_service_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9225 9191 0 10:47 pts/1 00:00:00 grep --color=auto unconfined_service_t

----

Hmm, I don't see any service running as unconfined_service_t. Are you able to reproduce the AVC?

----

Issuing the command 'systemctl start docker.service' as a sudo user, I got the AVC again.

-----------------------------------------------------------------------
SELinux is preventing systemd-logind from unlink access on the file ora_XE_32768_66.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-logind should be allowed unlink access on the ora_XE_32768_66 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-logind' --raw | audit2allow -M my-systemdlogind
# semodule -X 300 -i my-systemdlogind.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:initrc_state_t:s0
Target Objects                ora_XE_32768_66 [ file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          ideapad
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ideapad
Platform                      Linux ideapad 4.14.5-300.fc27.x86_64 #1 SMP Mon Dec 11 16:00:36 UTC 2017 x86_64 x86_64
Alert Count                   1791
First Seen                    2017-11-19 20:33:58 EST
Last Seen                     2017-12-18 07:31:55 EST
Local ID                      65edb0ed-3569-4b8f-bdec-7e62049d2bd2

Raw Audit Messages
type=AVC msg=audit(1513600315.683:382): avc: denied { unlink } for pid=1010 comm="systemd-logind" name="ora_XE_32768_66" dev="tmpfs" ino=29798 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file permissive=0

Hash: systemd-logind,systemd_logind_t,initrc_state_t,file,unlink
-----------------------------------------------------------------------

And this time around I was able to get something different as the output for the command you had requested:

system_u:system_r:unconfined_service_t:s0 root 909 1 0 07:29 ? 00:00:02 /usr/libexec/docker/docker-containerd-current --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim-current --start-timeout 2m
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 7329 6771 0 21:57 pts/1 00:00:00 grep --color=auto unconfined_service_t
-----------------------------------------------------------------------

Please note, it's quite possible that, with the docker/kubernetes package still not verified with Fedora 27, I'm encountering the error.

----

Godfrey,

What is the output of the command:

# rpm -q container-selinux

If this package is not installed, please install it and try to reproduce the issue.

Also please add the output of:

# ls -Z /usr/libexec/docker/docker-containerd-current
# semodule -lfull | grep container

Thanks,
Lukas.

----

container-selinux seems to be installed:

[root@ideapad ~]# rpm -q container-selinux
container-selinux-2.36-1.fc27.noarch

As requested, here is the output of the other two commands:

[root@ideapad ~]# ls -Z /usr/libexec/docker/docker-containerd-current
system_u:object_r:bin_t:s0 /usr/libexec/docker/docker-containerd-current
[root@ideapad ~]# semodule -lfull | grep container
200 container pp

----

Please use:

# semanage fcontext -a -t container_runtime_exec_t /usr/libexec/docker/docker-containerd-current
# restorecon -v /usr/libexec/docker/docker-containerd-current

It looks like in F27 there is no labeling for docker-containerd-current, but in Rawhide it looks fine. Guys, could you backport it?

Thanks,
Lukas.

----

I think we have labeling for those:

# matchpathcon /usr/libexec/docker/docker-*
/usr/libexec/docker/docker-containerd-current      system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-containerd-shim-current system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-ctr-current             system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-init-current            system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-proxy-current           system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker-runc-current            system_u:object_r:container_runtime_exec_t:s0
# ls -lZ /usr/libexec/docker/docker-*
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 7885728 Nov 17 10:26 /usr/libexec/docker/docker-containerd-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 1919840 Nov 17 10:26 /usr/libexec/docker/docker-containerd-shim-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 7290360 Nov 17 10:26 /usr/libexec/docker/docker-ctr-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0  781904 Nov 17 10:25 /usr/libexec/docker/docker-init-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 1707240 Nov 17 10:26 /usr/libexec/docker/docker-proxy-current
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 5189024 Nov 17 10:26 /usr/libexec/docker/docker-runc-current
sh-4.4# exit
# rpm -q container-selinux
container-selinux-2.36-1.fc27.noarch
# grep /usr/libexec/docker /etc/selinux/targeted/contexts/files/file_contexts
/usr/libexec/docker/.*        --      system_u:object_r:container_runtime_exec_t:s0
/usr/libexec/docker/docker.*  --      system_u:object_r:container_runtime_exec_t:s0

Godfrey, can you reinstall container-selinux:

dnf reinstall container-selinux
matchpathcon /usr/libexec/docker/*

----

Daniel,

That did not help. Here is the AVC update that got into the SELinux Alert Browser:

--------
SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          ideapad
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ideapad
Platform                      Linux ideapad 4.14.6-300.fc27.x86_64 #1 SMP Thu Dec 14 15:31:24 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-12-21 07:18:58 EST
Last Seen                     2017-12-21 07:20:20 EST
Local ID                      3c4369fa-79e5-42da-b91e-13300956728c

Raw Audit Messages
type=AVC msg=audit(1513858820.772:511): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create
---------

Trying to generate the policy rule:

[root@ideapad ~]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@ideapad ~]# semodule -X 300 -i my-systemd.pp
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
semodule: Failed on my-systemd.pp!
[root@ideapad ~]# systemctl start docker.service
A dependency job for docker.service failed. See 'journalctl -xe' for details.

----

What is the output of:

matchpathcon /usr/libexec/docker/*

----

[root@ideapad ~]# matchpathcon /usr/libexec/docker/*
/usr/libexec/docker/docker-containerd-current      system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-containerd-shim-current system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-ctr-current             system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-init-current            system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-proxy-current           system_u:object_r:bin_t:s0
/usr/libexec/docker/docker-runc-current            system_u:object_r:bin_t:s0
/usr/libexec/docker/rhel-push-plugin               system_u:object_r:bin_t:s0

----

I receive the same AVC whenever I run the Fedora kernel-tests. Nothing here remotely related to docker.

----

And when you executed dnf reinstall container-selinux, did you see any errors?

----

[root@ideapad ~]# dnf reinstall container-selinux
Last metadata expiration check: 1:41:37 ago on Thu 21 Dec 2017 05:29:13 AM EST.
Dependencies resolved.
================================================================================
 Package             Arch     Version          Repository   Size
================================================================================
Reinstalling:
 container-selinux   noarch   2:2.36-1.fc27    updates      36 k

Transaction Summary
================================================================================

Total download size: 36 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.36-1.fc27.noarch.rpm                 70 kB/s |  36 kB  00:00
--------------------------------------------------------------------------------
Total                                                    27 kB/s |  36 kB  00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Reinstalling     : container-selinux-2:2.36-1.fc27.noarch                 1/2
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                 1/2
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
/usr/sbin/semodule: Failed on /usr/share/selinux/packages/container.pp.bz2!
  Erasing          : container-selinux-2:2.36-1.fc27.noarch                 2/2
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                 2/2
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                 1/2
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                 2/2

Reinstalled:
  container-selinux.noarch 2:2.36-1.fc27

Complete!

----

So that is the issue: for some reason container-selinux is failing to install. Lukas, do you have any idea what is going on here?

----

(In reply to Godfrey from comment #12)
> [root@ideapad ~]# semodule -X 300 -i my-systemd.pp
> libsemanage.semanage_make_sandbox: Could not copy files to sandbox
> /var/lib/selinux/targeted/tmp. (Input/output error).
> semodule: Failed on my-systemd.pp!

Something in /var/lib/selinux seems to be broken.

EIO  A low-level I/O error occurred while modifying the inode. This error may relate to the write-back of data written by an earlier write(2), which may have been issued to a different file descriptor on the same file. Since Linux 4.13, errors from write-back come with a promise that they may be reported by subsequent write(2) requests, and will be reported by a subsequent fsync(2) (whether or not they were also reported by write(2)).

Is there a /var/lib/selinux/targeted/tmp directory in your filesystem? If it's there, try to remove it and run the reinstall again.

----

No tmp directory in the targeted folder:

[root@ideapad ~]# ls -ltr /var/lib/selinux/targeted/tmp
ls: cannot access '/var/lib/selinux/targeted/tmp': No such file or directory
[root@ideapad ~]# ls -ltr /var/lib/selinux/targeted
total 4
-rw-------. 1 root root    0 Nov 21 11:05 semanage.trans.LOCK
-rw-------. 1 root root    0 Nov 21 11:05 semanage.read.LOCK
drwx------. 3 root root 4096 Nov 29 20:09 active

I created the /var/lib/selinux/targeted/tmp directory to check if that may be the reason, but reinstalling seems to be removing that directory and again causing it to fail:

Running transaction
  Preparing        :                                                        1/1
  Reinstalling     : container-selinux-2:2.36-1.fc27.noarch                 1/2
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                 1/2
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /var/lib/selinux/targeted/tmp. (Input/output error).
/usr/sbin/semodule: Failed on /usr/share/selinux/packages/container.pp.bz2!
  Erasing          : container-selinux-2:2.36-1.fc27.noarch                 2/2
  Running scriptlet: container-selinux-2:2.36-1.fc27.noarch                 2/2
  Verifying        : container-selinux-2:2.36-1.fc27.noarch                 1/2
  Verifying        : container-selinux-2:2.36-1.fc27.noarch

----

Description of problem:
I ran Fedora kernel tests from the command line.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.1.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.8-300.fc27.x86_64
type:           libreport

----

container-selinux-2.39-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2

----

container-selinux-2.39-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9

----

container-selinux-2.39-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2

----

container-selinux-2.39-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9

----

container-selinux-2.41-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3

----

container-selinux-2.40-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd

----

container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd

----

container-selinux-2.41-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3

----

container-selinux-2.42-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1

----

container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1

----

container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

----

container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

----

Description of problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1539213

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch
selinux-policy-3.13.1-225.23.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.i686+PAE
type:           libreport

----

Description of problem:
Occurred at boot time

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport
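The thread above triages two denials by hand: the raw AVC record is reduced to setroubleshoot's "Hash:" tuple (comm, source type, target type, class, permission), and a target of unconfined_service_t is the clue that a systemd-started daemon had no domain transition because its executable was labeled bin_t rather than container_runtime_exec_t (the container module never loaded). The script below is an added example, written for this page and not part of the bug report or of any Fedora tool; it implements that triage over `ausearch --raw`-style input. The two sample records are the ones quoted in the thread, embedded as constructed input; the function names avc_hash and avc_triage and the hint wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): reduce raw AVC records to the
# setroubleshoot "Hash:" tuple and attach a first-step triage hint.

# Constructed sample input: the two raw AVC lines quoted in the thread.
# Real input would be: ausearch -m AVC --raw | avc_triage
SAMPLE_AVCS='type=AVC msg=audit(1513600315.683:382): avc: denied { unlink } for pid=1010 comm="systemd-logind" name="ora_XE_32768_66" dev="tmpfs" ino=29798 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file permissive=0
type=AVC msg=audit(1513858820.772:511): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0'

# avc_hash: read audit records on stdin, emit one
#   comm,source_type,target_type,tclass,perms
# line per "avc: denied" record (the same tuple setroubleshoot prints after
# "Hash:"). Records of other types (SYSCALL, PROCTITLE, ...) are skipped.
# The type is the third colon-separated field of a context; MLS ranges such
# as s0-s0:c0.c1023 only add trailing fields, so field 3 is still the type.
avc_hash() {
    awk '
    /avc: +denied/ {
        perm = ""; comm = ""; st = ""; tt = ""; tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions are listed between { and }, possibly several
                for (i++; i <= NF && $i != "}"; i++)
                    perm = (perm == "" ? $i : perm " " $i)
            } else if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm)
            } else if ($i ~ /^scontext=/) {
                st = $i; sub(/^scontext=/, "", st)
            } else if ($i ~ /^tcontext=/) {
                tt = $i; sub(/^tcontext=/, "", tt)
            } else if ($i ~ /^tclass=/) {
                tc = $i; sub(/^tclass=/, "", tc)
            }
        }
        split(st, s, ":"); split(tt, t, ":")
        print comm "," s[3] "," t[3] "," tc "," perm
    }'
}

# avc_triage: annotate each hash line with the first thing to check.
#  - target type unconfined_service_t: the peer is a daemon systemd started
#    without a domain transition, i.e. its binary carries a generic label
#    such as bin_t; compare matchpathcon with ls -Z on the executable and
#    confirm the policy module that labels it is actually loaded.
#  - file-like classes: the object itself is probably mislabeled; compare
#    ls -Z with matchpathcon and restorecon it.
#  - anything else: treat as a policy gap and review before audit2allow.
avc_triage() {
    avc_hash | awk -F, '{
        hint = "policy gap: report it; review before loading an audit2allow module"
        if ($3 == "unconfined_service_t")
            hint = "peer runs unconfined: check executable labels (matchpathcon vs ls -Z) and semodule -l"
        else if ($4 == "file" || $4 == "dir" || $4 == "lnk_file" || $4 == "sock_file")
            hint = "object label: compare ls -Z with matchpathcon, then restorecon"
        print $0 " => " hint
    }'
}

# Demo run over the constructed sample; counts repeated tuples first.
printf '%s\n' "$SAMPLE_AVCS" | avc_hash | sort | uniq -c | sort -rn
printf '%s\n' "$SAMPLE_AVCS" | avc_triage
```

On a live system replace the sample with `ausearch -m AVC -ts recent --raw`; grouping by the tuple before acting keeps a single mislabeled binary (one tuple repeated thousands of times, as with the Alert Count 1791 above) from turning into a pile of audit2allow rules that would only mask the labeling fault.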