Bug 1178208 - [f21] wrong selinux contexts after atomic upgrade
Summary: [f21] wrong selinux contexts after atomic upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ostree
Version: 21
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Colin Walters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-01-02 21:30 UTC by Dusty Mabe
Modified: 2015-01-14 14:14 UTC

Fixed In Version: ostree-2014.13-2.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of: 1164058
Environment:
Last Closed: 2015-01-13 00:05:18 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 742289 0 None None None 2019-06-19 13:13:06 UTC

Description Dusty Mabe 2015-01-02 21:30:29 UTC
Description of problem:

selinux contexts on files like /etc/passwd are incorrect after upgrade. 


Version-Release number of selected component (if applicable):

Started with the fedora 21 atomic image from 20141203 and upgraded to:

-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC                                                
* 2015-01-02 03:42:21     3a4a44bc82     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host     
  2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host

How reproducible:
Always


Steps to Reproduce:
1. Download image and boot and follow output below:

-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC                                                
* 2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host     
-bash-4.3# rpm -q rpm-ostree
rpm-ostree-2014.104-3.fc21.x86_64
-bash-4.3# ls  -Z /etc/passwd
-rw-rw-r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
-bash-4.3# 
-bash-4.3# atomic upgrade
Updating from: fedora-atomic:fedora-atomic/f21/x86_64/docker-host

695 metadata, 3205 content objects fetched; 140527 KiB transferred in 157 seconds
Copying /etc changes: 26 modified, 4 removed, 39 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Changed:
  NetworkManager-1:0.9.10.0-14.git20140704.fc21.x86_64
  NetworkManager-glib-1:0.9.10.0-14.git20140704.fc21.x86_64
  ....<snip>....
  util-linux-2.25.2-2.fc21.x86_64
Added:
  flannel-0.1.0-8.gita7b435a.fc21.x86_64
Updates prepared for next boot; run "systemctl reboot" to start a reboot
-bash-4.3#reboot

AFTER REBOOT
-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC                                                
* 2015-01-02 03:42:21     3a4a44bc82     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host     
  2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host
-bash-4.3# ls -Z /etc/shadow
----------. root root unconfined_u:object_r:etc_t:s0   /etc/shadow
-bash-4.3# 
-bash-4.3# echo foopass | passwd --stdin root
Changing password for user root.
passwd: Authentication token manipulation error
-bash-4.3#
-bash-4.3# restorecon -Rv /etc/
restorecon reset /etc/locale.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/shadow- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/localtime context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/.updated context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:etc_runtime_t:s0
restorecon reset /etc/hostname context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:hostname_etc_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ecdsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ecdsa_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ed25519_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ed25519_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/group context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/adjtime context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:adjtime_t:s0
restorecon reset /etc/gshadow- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/group- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/gshadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/hosts context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
restorecon reset /etc/passwd context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/passwd- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/shadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/resolv.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
restorecon reset /etc/vconsole.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0

Comment 1 Colin Walters 2015-01-04 01:15:51 UTC
Should be fixed by https://bugzilla.gnome.org/show_bug.cgi?id=742289

This regression has been sitting around a while.  There were two factors conspiring to hide it:

1) Modern SELinux (RHEL7 era) supports kernel filename-based labeling defaults, so if e.g. you create "sysctl.conf" in a directory of type etc_t, it's labeled system_conf_t.  So many of the labels were right due to that.
2) All of *my* Atomic usage is ssh pubkey based, I don't use passwords, so the permissions on /etc/shadow didn't matter.

Comment 2 Colin Walters 2015-01-04 01:53:32 UTC
Building for rawhide in http://koji.fedoraproject.org/koji/taskinfo?taskID=8520347

I'd like to wait until the patch has review upstream before submitting to F21 updates.

Comment 3 Fedora Update System 2015-01-06 16:37:10 UTC
ostree-2014.13-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ostree-2014.13-2.fc21

Comment 4 Dusty Mabe 2015-01-06 16:44:40 UTC
I accidentally cloned 11178208 from 164058. This was a mistake.

Comment 5 Fedora Update System 2015-01-07 01:26:51 UTC
Package ostree-2014.13-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ostree-2014.13-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-0285/ostree-2014.13-2.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-01-13 00:05:18 UTC
ostree-2014.13-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Colin Walters 2015-01-14 14:14:39 UTC
To correctly clean up from this issue:

1) "atomic upgrade" to the latest (2015-01-14 or newer)
2) reboot
3) restorecon -R -v /etc/
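
To triage what step 3 relabels, the following added example (not part of the original comment or of ostree) parses `restorecon -v` output in the format shown in this report and flags files whose expected type is security-sensitive. The function names and the list of sensitive types are assumptions made for this illustration; the sample lines are copied from the reproduction output above.

```shell
#!/usr/bin/env bash
# Added example: triage `restorecon -v` output of the form shown in this report:
#   restorecon reset PATH context OLD_CONTEXT->NEW_CONTEXT
# Other policycoreutils versions may word this line differently (assumption:
# only the format quoted on this page is handled).

# Expected types treated as high priority (assumed list, taken from types
# that appear in the report's output).
SENSITIVE_TYPES="shadow_t sshd_key_t passwd_file_t"

# Reads restorecon output on stdin; prints "SEVERITY PATH OLD_TYPE NEW_TYPE".
# Paths containing whitespace are not handled.
triage_relabels() {
  awk -v sens="$SENSITIVE_TYPES" '
    BEGIN { n = split(sens, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
    $1 == "restorecon" && $2 == "reset" && $4 == "context" {
      split($5, pair, "->")          # pair[1] = old context, pair[2] = new
      split(pair[1], o, ":")         # user:role:type:level
      split(pair[2], w, ":")
      sev = (w[3] in want) ? "HIGH" : "info"
      print sev, $3, o[3], w[3]
    }'
}

# Number of relabels that touch a sensitive type.
count_high() { triage_relabels | grep -c '^HIGH ' || true; }

# Sample input: four lines copied from the restorecon output in this report.
sample_output() {
  cat <<'EOF'
restorecon reset /etc/locale.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/shadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/hosts context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
EOF
}

sample_output | triage_relabels
```

On a live host the same function can read from `restorecon -n -R -v /etc/`, where `-n` reports mismatches without changing any labels.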

