Bug 1703083 - /dev filesystem gets no selinux label on FC30 dist-upgrades on Raspberry Pi3
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-arm-installer
Version: 30
Hardware: armv7hl
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Paul Whalen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-04-25 13:27 UTC by chotaire+fedora
Modified: 2019-07-03 12:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-25 17:32:04 UTC
Type: Bug
Embargoed:



Description chotaire+fedora 2019-04-25 13:27:53 UTC
Description of problem:

After dist-upgrading to Fedora 30 and issuing a fixfiles onboot on Raspberry Pi 3, the installation will no longer have functional networking among other issues due to issues with /dev not being labelled.

NetworkManager, DBus and other services will refuse to work with SELinux enabled. This will effectively take the device offline after dist-upgrade and filesystem relabelling. Auditing this issue brings the following result:

type=AVC msg=audit(1555082275.639:82): avc:  denied  { mounton } for  pid=696 comm="(r-launch)" path="/run/systemd/unit-root/dev" dev="mmcblk0p4" ino=7634 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

It seems that the installer labels the filesystem with devtmpfs mounted on /dev and so the /dev mountpoint gets no label.

Fixed by:

mount --bind / /mnt && chcon system_u:object_r:device_t:s0 /mnt/dev
umount /mnt
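
A denial like the one quoted in the description can be picked out of an audit log mechanically by looking for targets whose type is unlabeled_t. The following is an added example, not part of the original report or of any Fedora tool; the second log record is constructed for contrast, and stripping the /run/systemd/unit-root prefix to recover the path on the root filesystem is an assumption based on the path shown in the report.

```python
import re
from collections import defaultdict

# First record is the denial quoted in the report; the second is constructed.
SAMPLE_LOG = '''type=AVC msg=audit(1555082275.639:82): avc:  denied  { mounton } for  pid=696 comm="(r-launch)" path="/run/systemd/unit-root/dev" dev="mmcblk0p4" ino=7634 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1555082280.101:90): avc:  denied  { read } for  pid=801 comm="logrotate" path="/var/log/messages" dev="mmcblk0p4" ino=9001 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: systemd stages a unit's private root under this prefix, so
# stripping it yields the directory on the real root filesystem.
UNIT_ROOT = "/run/systemd/unit-root"


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain colons.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec


def unlabeled_targets(log_text):
    """Map (path, device, class) of each unlabeled_t target to denied perms."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["ttype"] == "unlabeled_t":
            path = rec.get("path", "?")
            if path.startswith(UNIT_ROOT + "/"):
                path = path[len(UNIT_ROOT):]
            hits[(path, rec.get("dev"), rec.get("tclass"))].update(rec["perms"])
    return {key: sorted(perms) for key, perms in hits.items()}


if __name__ == "__main__":
    for (path, dev, tclass), perms in unlabeled_targets(SAMPLE_LOG).items():
        print(f"{path} ({tclass} on {dev}): unlabeled_t, denied {perms}")
```

The dev= field names the backing block device rather than devtmpfs, which is what points at the directory underneath the mount instead of the mounted /dev itself.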

Comment 1 Peter Robinson 2019-04-25 17:32:04 UTC
So a number of things here:
1) a dist upgrade is completely unrelated to arm-image-installer.
2) which process did you use to "dist-upgrade"?
3) You'd be better off doing a complete relabel if you see issues with SELinux by doing the following:
"touch /.autorelabel; reboot"

Comment 2 Michal Ambroz 2019-07-03 11:52:30 UTC
Pity that this one is closed as NOTABUG. I believe it is one - seems that dist upgrading from some previous versions of Fedora results in some mountpoints being mislabeled, which is now set as an issue in Fedora 30.

It seems to affect the mountpoints which are normally mounted during boot, so things like "touch /.autorelabel; reboot" or "fixfiles onboot" won't help.

See other related bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1706451
https://bugzilla.redhat.com/show_bug.cgi?id=1708991
https://bugzilla.redhat.com/show_bug.cgi?id=1663040

Comment 3 Peter Robinson 2019-07-03 12:24:57 UTC
(In reply to Michal Ambroz from comment #2)
> Pity that this one is closed as NOTABUG. I believe it is one - seems that

It's unrelated to arm-image-installer, and hence isn't a bug in the component you've filed it under.

> See other related bugs:
> https://bugzilla.redhat.com/show_bug.cgi?id=1706451

This is a bug against selinux-policy-targeted (probably the right component for you to file a bug)

> https://bugzilla.redhat.com/show_bug.cgi?id=1708991

This is against snapd which is a containerisation technology. Not sure how that relates to /dev/ issues on upgrade.

> https://bugzilla.redhat.com/show_bug.cgi?id=1663040

And lorax is a component used as part of the compose process making in the installer.

The bug should probably be filed against the dist-upgrade component, or possibly selinux-policy-targeted, and it should be nothing to do specifically with the Raspberry Pi as we handle all HW the same in that regard.

