Bug 1697667 - Many services fail, network does not start on current Rawhide due to SELinux denials
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: high
Severity: urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Duplicates: 1697548
Depends On:
Blocks: F31BetaBlocker
 
Reported: 2019-04-09 00:06 UTC by Adam Williamson
Modified: 2019-04-29 18:09 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-29 18:09:14 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2019-04-09 00:06:09 UTC
Since the Fedora-Rawhide-20190407.n.1 compose, many services fail to start on boot of a freshly-installed Rawhide system, and the network does not come up.

This seems to be clearly an SELinux issue, likely introduced by selinux-policy-3.14.4-8.fc31: booting with 'enforcing=0' solves all the problems, all services start successfully and the network comes up.

Here are all the denials shown by ausearch from the permissive boot:

----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.028:97): avc:  denied  { mounton } for  pid=662 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.052:101): avc:  denied  { mounton } for  pid=665 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.081:105): avc:  denied  { mounton } for  pid=668 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.107:109): avc:  denied  { mounton } for  pid=671 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:11 2019
type=AVC msg=audit(1554767831.146:114): avc:  denied  { mounton } for  pid=677 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=1545 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
----
time->Mon Apr  8 16:57:58 2019
type=AVC msg=audit(1554767878.936:212): avc:  denied  { setattr } for  pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=1044 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
----
time->Mon Apr  8 16:57:58 2019
type=AVC msg=audit(1554767878.936:213): avc:  denied  { setattr } for  pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=1044 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
----
time->Mon Apr  8 16:58:25 2019
type=AVC msg=audit(1554767905.909:67): avc:  denied  { mounton } for  pid=682 comm="(d-logind)" path="/run/systemd/unit-root/proc/sys/kernel/domainname" dev="proc" ino=12788 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

Proposing as an F31 Beta blocker - this violates all criteria related to network-based functions on the installed system (e.g. package install).

Comment 1 Lukas Vrabec 2019-04-09 08:22:12 UTC
Will be fixed in next version of selinux-policy rpm package.

commit 639e317c9b53a6b1f520a0e02bf489c6b173eaae (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 9 10:21:04 2019 +0200

    Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667)


commit 68d5b6395399b4b4a04d2fc4fc37dd91a6b54450
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 8 12:29:36 2019 +0200

    Allow systemd to mounton kernel sysctls BZ(1696201)

Comment 2 Jan Pokorný [poki] 2019-04-09 18:03:49 UTC
This is likely the problem behind [bug 1697548] I reported earlier,
at systemd component.

Comment 3 Jan Pokorný [poki] 2019-04-09 18:04:35 UTC
[bug 1697370], I mean.

Comment 4 Zbigniew Jędrzejewski-Szmek 2019-04-10 21:50:55 UTC
*** Bug 1697548 has been marked as a duplicate of this bug. ***

Comment 5 Adam Williamson 2019-04-11 15:03:28 UTC
The selinux-policy package build failed:

https://koji.fedoraproject.org/koji/buildinfo?buildID=1247012

can you please check and fix it? Thanks.

Comment 6 Lukas Vrabec 2019-04-13 10:37:27 UTC
https://koji.fedoraproject.org/koji/buildinfo?buildID=1248381

Fixed.

Comment 7 Adam Williamson 2019-04-29 18:09:14 UTC
This does indeed seem resolved in current Rawhide, thanks.

