Bug 1156378 - SELinux denies package install for rolekit
Summary: SELinux denies package install for rolekit
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F21BetaBlocker
Reported: 2014-10-24 10:52 UTC by Stephen Gallagher
Modified: 2014-11-03 09:41 UTC (History)
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-91.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-31 07:40:56 UTC
Type: Bug
Embargoed:



Description Stephen Gallagher 2014-10-24 10:52:29 UTC
Description of problem:
rolekit (actually roled) forks and exec()s 'yum install' to ensure that all of the packages it needs for a role deployment are in place.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-90.fc21.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install a completely pristine Fedora Server 21 Beta system with all defaults.
2. run 'rolectl deploy --settings-file=/root/settings.json domaincontroller' with an appropriate settings.json (see https://fedorahosted.org/rolekit/wiki/DomainController)

Actual results:
The deployment fails during package installation, throwing script errors in the logs.

Expected results:
The deployment should succeed.

Additional info:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing yum from using the transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that yum should be allowed transition access on processes labeled rpm_script_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:rolekit_t:s0
Target Context                system_u:system_r:rpm_script_t:s0
Target Objects                /usr/bin/bash [ process ]
Source                        yum
Source Path                   yum
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           bash-4.3.30-2.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-90.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     freeipa.rc1.beta.validation
Platform                      Linux freeipa.rc1.beta.validation
                              3.17.1-302.fc21.x86_64 #1 SMP Fri Oct 17 20:05:46
                              UTC 2014 x86_64 x86_64
Alert Count                   70
First Seen                    2014-10-24 06:29:11 EDT
Last Seen                     2014-10-24 06:30:51 EDT
Local ID                      74efb75d-0eeb-4ac6-917f-3319c5955648

Raw Audit Messages
type=AVC msg=audit(1414146651.343:464): avc:  denied  { transition } for  pid=1213 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=267821 scontext=system_u:system_r:rolekit_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0


Hash: yum,rolekit_t,rpm_script_t,process,transition

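The raw AVC record above is what sealert and the suggested `audit2allow -M mypol` work from. As an added example (not part of this bug report, of rolekit, or of selinux-policy), here is a small Python stand-in for audit2allow: it parses raw `type=AVC` lines, collapses repeats (sealert counted 70 of the same denial) into one entry per source type, target type and object class, and renders the allow rules and the `.te` module skeleton that `audit2allow -M` produces. The audit log is constructed: its first record is the AVC from this report, the remaining records are invented to exercise the grouping (a duplicate and a file-class denial) and the non-AVC filtering. The module name `rolekit_local` is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample audit log. Record 1 is the AVC quoted in this bug; records
# 2-4 are made up for the example (a repeat, a file denial, a SYSCALL record).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414146651.343:464): avc:  denied  { transition } for  pid=1213 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=267821 scontext=system_u:system_r:rolekit_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1414146652.001:465): avc:  denied  { transition } for  pid=1220 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=267821 scontext=system_u:system_r:rolekit_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1414146653.500:466): avc:  denied  { read write } for  pid=1221 comm="bash" name="rolekit.log" scontext=system_u:system_r:rolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1414146651.343:464): arch=c000003e syscall=59 success=no exit=-13
"""

# Only the fields audit2allow needs: the permission set, both contexts, the class,
# and (optionally) whether the denial was logged in permissive mode.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>\d))?'
)


def domain_of(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(':')[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms), permissive) per AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the SYSCALL record that accompanies it)
        yield (domain_of(m['scontext']), domain_of(m['tcontext']), m['tclass'],
               frozenset(m['perms'].split()), m['permissive'] == '1')


def summarize(text):
    """Collapse repeated denials: (src, tgt, class) -> (count, merged permission set)."""
    counts = defaultdict(int)
    perms = defaultdict(set)
    for src, tgt, cls, p, _ in parse_denials(text):
        counts[(src, tgt, cls)] += 1
        perms[(src, tgt, cls)] |= p
    return {k: (counts[k], frozenset(perms[k])) for k in counts}


def to_allow_rules(text):
    """Render the summary as the allow rules audit2allow emits, one per (src, tgt, class)."""
    rules = []
    for (src, tgt, cls), (_, p) in sorted(summarize(text).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};")
    return rules


def render_te_module(text, name="rolekit_local"):
    """Emit a complete local module source in the layout `audit2allow -M` produces:
    module header, a require block naming every type and class used, then the rules."""
    summary = summarize(text)
    types = sorted({t for key in summary for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), (_, p) in summary.items():
        classes[cls] |= p
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    out += ["}", ""]
    out += to_allow_rules(text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te_module(SAMPLE_AUDIT_LOG))
```

The output for the first record is the single rule `allow rolekit_t rpm_script_t:process { transition };`, which is exactly the temporary local-module workaround the alert text proposes. It is a workaround rather than the fix: the denial shows that the rolekit_t domain was never given a domain transition to rpm_script_t in the shipped policy, and the proper correction (Comment 3 of this bug) is to call the `rpm_transition_script` interface in the rolekit policy so the distribution policy carries the rule, with the role passed as the second argument so the script domain is authorized for it. Before loading any generated module on a real system, read the generated rules rather than trusting the tool: audit2allow will happily turn a denial that was doing its job into an allow rule.
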
Comment 1 Fedora Blocker Bugs Application 2014-10-24 10:55:04 UTC
Proposed as a Blocker for 21-beta by Fedora user sgallagh using the blocker tracking app because:

 "Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode." and "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."

Comment 2 Adam Williamson 2014-10-24 11:00:23 UTC
in case I don't wake up in time for the meeting tomorrow, I'm +1 blocker.

Comment 3 Miroslav Grepl 2014-10-24 13:49:52 UTC
We need to add

optional_policy(`
    rpm_transition_script(rolekit_t, system_r)
')

Comment 4 Miroslav Grepl 2014-10-24 13:50:42 UTC
commit cf74a399b86a6244a4927446a72aad7f955db03d
Author: Miroslav Grepl <mgrepl>
Date:   Fri Oct 24 15:50:24 2014 +0200

    Allow rolekit transition to rpm_script_t.

Comment 5 Adam Williamson 2014-10-24 17:46:30 UTC
Discussed at 2014-10-24 Go/No-Go meeting: http://meetbot.fedoraproject.org/fedora-meeting-2/2014-10-24/f21_beta_gono-go_meeting.2014-10-24-17.01.log.txt . Accepted as a blocker per criterion cited in c#1.

Comment 6 Adam Williamson 2014-10-27 18:13:34 UTC
sgallagh reports that the -91 build resolves the issue, so setting VERIFIED for blocker tracking purposes. We need an update submitted with that build in it.

Comment 8 Adam Williamson 2014-10-30 19:12:34 UTC
Lukas, for future reference, we really need you to submit the *exact build that was pulled through the freeze*, not a later one. It's usually not critical for Beta, but it absolutely is for Final, because the frozen tree *has* to match what's on the ISOs.

Comment 9 Adam Williamson 2014-10-31 07:40:56 UTC
Actually it turns out it is critical for Beta, as we wanted to provide a frozen Beta tree for secondary arches to base their Beta build on.

dgilmore has tagged -91 for stable manually, so this should be OK now, but we really need to have the correct build submitted to Bodhi in future, thanks.

Comment 10 Lukas Vrabec 2014-11-03 09:41:05 UTC
Adam, 
Sorry, my mistake, I'll avoid this.

