type=USER_AVC msg=audit(1403091302.776:91): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.12 spid=366 tpid=572 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091327.803:95): avc:  denied  { transition } for  pid=579 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="vda3" ino=413131 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=USER_AVC msg=audit(1403091341.716:102): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.14 spid=366 tpid=586 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091341.729:105): avc:  denied  { transition } for  pid=590 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="vda3" ino=413131 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(1403091341.932:106): avc:  denied  { connectto } for  pid=375 comm="dbus-daemon" path="/run/systemd/journal/stdout" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1403091342.008:107): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.16 spid=340 tpid=598 scontext=system_u:system_r:accountsd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403091342.091:109): avc:  denied  { read } for  pid=607 comm="systemd-hostnam" name="urandom" dev="tmpfs" ino=41134 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1403091342.091:109): avc:  denied  { open } for  pid=607 comm="systemd-hostnam" path="/dev/urandom" dev="tmpfs" ino=41134 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
type=USER_AVC msg=audit(1403091342.241:113): pid=375 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.16 spid=607 tpid=598 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Note that we have an unconfined *user/session* dbus-daemon which runs an unconfined cockpitd, which in turn connects out to system dbus services.

*** Bug 1121761 has been marked as a duplicate of this bug. ***

It looks like the cockpit selinux policy in the rawhide-contrib branch of selinux-policy-targeted is very old:

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/cockpit.fc?h=rawhide-contrib

In addition the policy is very liberal, and runs public system services (ie: cockpit-ws) as unconfined.

Created attachment 919929 [details]
Initial try at updating cockpit rawhide selinux policy

Here's an update of the cockpit selinux policy to what it should look like. I haven't been able to test this because of bug #1122052 ... but I figured I'd post the patch here anyway.

Stef, 
are these policy changes the same on which we were working together?

Also we can leave cockpit policy from the Fedora policy and you can ship it as cockpit-selinux.rpm but we will keep policy files in our repo where you make pull requests.

https://github.com/selinux-policy/selinux-policy

Yes the same ones. I'm fine with making a new rpm with the cockpit selinux policy. Do I have to wait for you to remove the broken one from selinux-policy-targeted first? Will it conflict? I think just the 'cockpit' module name is the same.

Lets first to get it working again and then I am going to make all changes to github repo.

Here's a build of cockpit which includes a cockpit-selinux-policy subpackage containing the policy:

http://koji.fedoraproject.org/koji/taskinfo?taskID=7184809

I guess I'll push to f21 and master in a few hours unless you tell me not to.

Ok but what source files do you use?

Also I don't think we want to do it in F21 in this phase.

(In reply to Miroslav Grepl from comment #11)
> Also I don't think we want to do it in F21 in this phase.

Well in F21 (and rawhide) cockpit is completely broken due to selinux, and that will likely make it a blocker issue. How do you think we should solve the blocker?

These are the source files:

https://github.com/cockpit-project/cockpit/tree/master/src/selinux

I really don't care at all whether cockpit distributes the policy, or whether it comes with selinux-policy-targeted ... as long as it's, correct, doesn't break cockpit, and we have a reliable policy update mechanism for when we make changes.

Discussed at 2014-07-23 Alpha blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-07-23/f21-blocker-review.2014-07-23-15.59.log.txt . Accepted as a blocker per criterion "Unless explicitly specified otherwise, after system installation the Cockpit web management interface must be running and accessible on its default port (XX).", https://fedoraproject.org/wiki/Fedora_21_Alpha_Release_Criteria#Cockpit_management_interface .

Having a separate package on rawhide but a not separate package on F21 feels quite odd to me.  It's (theoretically) easier to change policy in rawhide than F21.

I'd vote for not having a separate package personally; very few other userspace bits do it.

FWIW I pushed http://pkgs.fedoraproject.org/cgit/cockpit.git/commit/?id=95188aea07359071f1b2c15516ee14d4d32e92b3 since it was breaking the atomic composes.

We should have the latest cockpit policy in Rawhide/F21 now.

Alright, will remove the package. Not a big deal either way. I guess I misunderstood comment #11

is an selinux-policy build scheduled soon? we like to get blocker issues fixed up ASAP. thanks!

Should be already in selinux-policy-3.13.1-67.fc21

Can someone please test and confirm whether this is fixed, then? Thanks.

As far as I can tell this is fixed. I did the following:

1. Distro sync and Reboot, make sure enforcing

2. Verify no custom selinux modules installed:

  # semanage module --list --locallist

  Modules Name             Version   

3. Check for rpm versions

  # rpm -q selinux-policy-targeted
  selinux-policy-targeted-3.13.1-67.fc21.noarch
  # rpm -q cockpit
  cockpit-0.17-1.fc21.x86_64

4. No AVC's when starting or logging into cockpit

let's close it then, there's no bodhi step for f21 yet. thanks!

On a netinstall, I still see AVCs:

> cockpit-0.18-1.fc21.x86_64
> selinux-policy-3.13.1-68.fc21.noarch

> type=USER_AVC msg=audit(1406909011.860:360): pid=578 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.14 spid=571 tpid=1031 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=AVC msg=audit(1406909036.883:363): avc:  denied  { transition } for  pid=1041 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="dm-0" ino=534959 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

Confirming. Setup a new system and see the same thing. It seems that the cockpit changes are completely missing from the policy:

# ps -xaZ | grep cockpit
system_u:system_r:unconfined_service_t:s0 547 ? Ssl   0:00 /usr/libexec/cockpit-ws
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 596 pts/1 S+   0:00 grep --color=auto cockpit
# rpm -q cockpit
cockpit-0.18-1.fc21.x86_64
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-68.fc21.noarch

The file system labels are all wrong:

# rpm -q selinux-policy-targeted 
selinux-policy-targeted-3.13.1-68.fc21.noarch
# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-agent
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpitd
-rwsr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:bin_t:s0       /usr/libexec/cockpit-session
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-ws
# restorecon -rv /usr/libexec/cockpit*
# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-agent
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpitd
-rwsr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:bin_t:s0       /usr/libexec/cockpit-session
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-ws

Strange. I see on my system

# ls -lZ /usr/libexec/cockpit*
-rwxr-xr-x. root root       system_u:object_r:shell_exec_t:s0 /usr/libexec/cockpit-agent
-rwxr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpitd
-rwsr-xr-x. root root       system_u:object_r:bin_t:s0       /usr/libexec/cockpit-polkit
-rwsr-x---. root cockpit-ws system_u:object_r:cockpit_session_exec_t:s0 /usr/libexec/cockpit-session
-rwxr-xr-x. root root       system_u:object_r:cockpit_ws_exec_t:s0 /usr/libexec/cockpit-ws

(In reply to Miloslav Trmač from comment #23)
> On a netinstall, I still see AVCs:
> 
> > cockpit-0.18-1.fc21.x86_64
> > selinux-policy-3.13.1-68.fc21.noarch
> 
> > type=USER_AVC msg=audit(1406909011.860:360): pid=578 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.14 spid=571 tpid=1031 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> > type=AVC msg=audit(1406909036.883:363): avc:  denied  { transition } for  pid=1041 comm="cockpit-session" path="/usr/libexec/cockpit-agent" dev="dm-0" ino=534959 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

The problem we have

system_u:system_r:unconfined_service_t:s0 1013 ? 00:00:00 cockpit-ws

# ls -lZ /usr/libexec/cockpit-ws
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/libexec/cockpit-ws
# matchpathcon /usr/libexec/cockpit-ws
/usr/libexec/cockpit-ws	system_u:object_r:cockpit_ws_exec_t:s0


so we have again a labeling issue here.

Ok I have just installed a fresh f21 and updated selinux-policy-targeted pkg and see the correct labels.

I am not sure how it could happen. We might want to re-test with newer images.

(In reply to Miroslav Grepl from comment #29)
> Ok I have just installed a fresh f21 and updated selinux-policy-targeted pkg
> and see the correct labels.
> 
> I am not sure how it could happen. We might want to re-test with newer
> images.

Could you post the exact commands you used to configure your f21 fresh install? Meanwhile, I'm uploading an image that exhibits the bug.

Discussed at the 2014-08-13 blocker review meeting:
http://meetbot.fedoraproject.org/fedora-blocker-review/2014-08-13/
<danofsatx-work> this one is being actively worked. I haven't test it lately, though due to my "other" issues :(
<pschindl> #info There is an active work on bug 1110758

Using the netinst f21 iso here, I managed to make this work: 

ISO: http://alt.fedoraproject.org/pub/alt/stage/21-Alpha-T2/Server/x86_64/iso/Server-21-Alpha-T2-x86_64-netinst.iso
Network Source: http://alt.fedoraproject.org/pub/alt/stage/21-Alpha-T2/Server/x86_64/os

Processes and files both have correct labels. Can log in via cockpit without issue, and no 'denied' audit events.

However... The other path, upgrading from f20 -> f21 results in broken selinux labels.

It seems there are some serious selinux issues upgrading from f20 to f21. After an upgrade I can't log in:

Warning: Permanently added '192.168.12.236' (ECDSA) to the list of known hosts.
root.12.236's password: 
Last login: Thu Aug 14 13:06:25 2014
... hang ...
/bin/bash: Permission denied
Connection to 192.168.12.236 closed.

On an f20 -> f21 system. I have to first 'restorecon -Rv /' and reboot, after which i can again log in via ssh.

This is likely related to what I experienced, perhaps due to having cockpit installed during the upgrade.

so if this was fixed in TC2 I think we can close it by now, but can you verify if issues remain with the upgrade path and if so file them separately, possible as Beta release blockers? Thanks!