Bug 1333176 - Cannot start rpm-ostree with SELinux in enforcing mode
Summary: Cannot start rpm-ostree with SELinux in enforcing mode
Keywords:
Status: CLOSED DUPLICATE of bug 1330318
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm-ostree
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Colin Walters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-04 20:53 UTC by Lukas Slebodnik
Modified: 2016-05-04 21:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-04 21:09:05 UTC
Type: Bug
Embargoed:



Description Lukas Slebodnik 2016-05-04 20:53:03 UTC
Description of problem:
I upgraded my Fedora 23 Atomic Host to the latest Fedora 24 Atomic Host
and I'm not able to start the rpm-ostreed service.
I know it's caused by the SELinux policy, but I would like confirmation
from the maintainer whether this is expected and whether selinux-policy should be updated.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Boot fedora 23 atomic image (https://getfedora.org/en/cloud/download/atomic.html)
2. rebase to fedora 24 atomic
-bash-4.3# ostree remote add --no-gpg-verify fedora24-atomic \
        https://dl.fedoraproject.org/pub/fedora/linux/atomic/24/
-bash-4.3# ostree pull fedora24-atomic:fedora-atomic/24/x86_64/docker-host
-bash-4.3# rpm-ostree rebase fedora24-atomic:fedora-atomic/24/x86_64/docker-host

3. systemctl reboot
4. Start the rpm-ostreed service (directly using systemctl or indirectly via rpm-ostree)
-bash-4.3# systemctl start rpm-ostreed

Actual results:
Job for rpm-ostreed.service failed because the control process exited with error code. See "systemctl status rpm-ostreed.service" and "journalctl -xe" for details.

+ AVCs
-bash-4.3# ausearch -m avc -i
----
type=PROCTITLE msg=audit(05/04/2016 20:51:37.914:199) : proctitle=(-ostreed) 
type=SYSCALL msg=audit(05/04/2016 20:51:37.914:199) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x555f6f4f4e60 a1=0x555f6f470100 a2=0x555f6f4bbbc0 a3=0x555f6f4f5090 items=0 ppid=1 pid=1721 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(-ostreed) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/04/2016 20:51:37.914:199) : avc:  denied  { execute } for  pid=1721 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0

Expected results:
The service starts successfully and therefore the rpm-ostree command is usable.

Additional info:

Comment 1 Lukas Slebodnik 2016-05-04 20:54:07 UTC
AVCs in permissive mode

-bash-4.3# > /var/log/audit/audit.log 
-bash-4.3# setenforce 0
-bash-4.3# systemctl start rpm-ostreed
-bash-4.3# ausearch -m avc -i
----
type=PROCTITLE msg=audit(05/04/2016 20:53:23.013:206) : proctitle=/usr/libexec/rpm-ostreed 
type=SYSCALL msg=audit(05/04/2016 20:53:23.013:206) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x555f6f4f4e60 a1=0x555f6f4bbaa0 a2=0x555f6f4bd5f0 a3=0x555f6f4dede0 items=0 ppid=1 pid=1738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm-ostreed exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { execute_no_trans } for  pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { read open } for  pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { execute } for  pid=1738 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(05/04/2016 20:53:23.035:207) : proctitle=/usr/libexec/rpm-ostreed 
type=SYSCALL msg=audit(05/04/2016 20:53:23.035:207) : arch=x86_64 syscall=faccessat success=yes exit=0 a0=0xd a1=0x7f29924f37ca a2=W_OK a3=0x0 items=0 ppid=1 pid=1738 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm-ostreed exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/04/2016 20:53:23.035:207) : avc:  denied  { write } for  pid=1738 comm=rpm-ostreed name=objects dev="dm-0" ino=102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=1
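A small parser for the AVC records quoted in the description and in this comment, added here as an illustration and not the reporter's code: it merges the denied permissions per source type, target type and object class the way audit2allow summarises them, and flags an `execute_no_trans` denial on an `*_exec_t` file, which is the signature of a daemon that was executed without a domain transition and therefore stayed in its caller's domain (init_t here). The sample records are copied from this report into a constant so the block runs offline.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from this bug report (ausearch -m avc -i output),
# the enforcing-mode execve denial plus the records logged after `setenforce 0`.
SAMPLE_AVCS = """\
type=AVC msg=audit(05/04/2016 20:51:37.914:199) : avc:  denied  { execute } for  pid=1721 comm=(-ostreed) name=rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { execute_no_trans } for  pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/04/2016 20:53:23.013:206) : avc:  denied  { read open } for  pid=1738 comm=(-ostreed) path=/usr/libexec/rpm-ostreed dev="dm-0" ino=5296258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/04/2016 20:53:23.035:207) : avc:  denied  { write } for  pid=1738 comm=rpm-ostreed name=objects dev="dm-0" ino=102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def parse_avcs(text):
    """Return one dict per AVC record: denied perms, source/target types, class, mode."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL / PROCTITLE lines carry no denial
        records.append({
            "perms": set(m["perms"].split()),
            "stype": m["scontext"].split(":")[2],   # e.g. init_t
            "ttype": m["tcontext"].split(":")[2],   # e.g. install_exec_t
            "tclass": m["tclass"],
            "permissive": m["permissive"] == "1",
        })
    return records

def summarize(records):
    """Merge denied permissions per (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {k: sorted(v) for k, v in merged.items()}

def missing_transition(records):
    """(source, entrypoint) pairs where execute_no_trans was denied on an *_exec_t file:
    the policy has no domain transition for that entrypoint, so the daemon keeps the
    caller's domain, which matches the init_t shown by `ps auxZ` later in this report."""
    return sorted({(r["stype"], r["ttype"]) for r in records
                   if "execute_no_trans" in r["perms"] and r["ttype"].endswith("_exec_t")})
```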

Comment 2 Lukas Slebodnik 2016-05-04 21:00:33 UTC
There are also many AVCs in permissive mode after calling rollback.
-bash-4.3# > /var/log/audit/audit.log
-bash-4.3# rpm-ostree rollback

-bash-4.3# ausearch -m avc -i | audit2allow 


#============= init_t ==============

#!!!! WARNING: 'boot_t' is a base type.
allow init_t boot_t:dir { create rmdir };
allow init_t boot_t:file { create rename unlink write };
allow init_t boot_t:lnk_file { create rename unlink };
allow init_t bootloader_exec_t:file { execute execute_no_trans getattr ioctl open read };

#!!!! WARNING: 'system_conf_t' is a base type.
allow init_t system_conf_t:dir { add_name create remove_name rmdir write };
allow init_t system_conf_t:file { create rename unlink write };

#!!!! WARNING: 'usr_t' is a base type.
allow init_t usr_t:dir { create rmdir };

#!!!! WARNING: 'usr_t' is a base type.
allow init_t usr_t:file { create unlink write };
allow init_t usr_t:lnk_file { create rename unlink };

Comment 3 Colin Walters 2016-05-04 21:09:05 UTC

*** This bug has been marked as a duplicate of bug 1330318 ***

Comment 4 Lukas Slebodnik 2016-05-04 21:29:18 UTC
I think that the main problem is that the rpm-ostreed service is running with the init_t type.

-bash-4.3# rpm -q selinux-policy rpm-ostree
selinux-policy-3.13.1-182.fc24.noarch
rpm-ostree-2015.11-2.fc24.x86_64
-bash-4.3# ps auxZ | grep tre[e]
system_u:system_r:init_t:s0     root      1738  0.2  2.0 478452 41264 ?        Ssl  20:53   0:01 /usr/libexec/rpm-ostreed


But it works with the same SELinux type on Fedora 23 Atomic
in enforcing mode:
-bash-4.3# rpm -q selinux-policy rpm-ostree
selinux-policy-3.13.1-158.14.fc23.noarch
rpm-ostree-2015.11-1.fc23.x86_64
-bash-4.3# ps auxZ | grep tre[e]
system_u:system_r:init_t:s0     root      1180  0.0  0.6 396904 13216 ?        Ssl  21:08   0:00 /usr/libexec/rpm-ostreed

