
Fedora 33: "Generating initramfs" causes AVC denial and SELINUX_ERR #2343

Closed
Mershl opened this issue Dec 1, 2020 · 4 comments · Fixed by #2371

Comments

@Mershl
Contributor

Mershl commented Dec 1, 2020

Host system details
selinux-policy-3.14.6-30.fc33.noarch
rpm-ostree-2020.8-1.fc33.x86_64

Seen Behavior

rpm-ostree override replace kernel*.rpm
...
Generating initramfs...    // AVC denial and SELINUX_ERR reported
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err:
----
type=AVC msg=audit(29.11.2020 23:35:58.798:534) : avc:  denied  { nnp_transition nosuid_transition } for  pid=42690 comm=dracut scontext=system_u:system_r:install_t:s0 tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=0 
----
type=SELINUX_ERR msg=audit(29.11.2020 23:35:58.798:535) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0 newcontext=system_u:system_r:setfiles_mac_t:s0

Fedora Bugzilla ticket
https://bugzilla.redhat.com/show_bug.cgi?id=1902522

@cgwalters
Member

Thanks for filing this! We have tests for this but...this one slips through an unfortunate gap because:

cgwalters added a commit to cgwalters/rpm-ostree that referenced this issue Dec 10, 2020
Fixes: e901153

Fedora Silverblue doesn't specify any `initramfs-args` in the
treefile.   The above commit then caused us to omit `--no-hostonly`
which completely fails today because we sandbox dracut off
from seeing the real hardware and things like the host filesystem.

It wasn't noticed because Fedora CoreOS does always specify
arguments in the treefile.

Closes: coreos#2343
@cgwalters
Member

Coincidentally I happened to hit this in a different way and then figured out it was the same bug:
#2371

cgwalters added a commit to cgwalters/rpm-ostree that referenced this issue Dec 10, 2020
Fixes: e901153

Fedora Silverblue doesn't specify any `initramfs-args` in the
treefile.   The above commit then caused us to omit `--no-hostonly`
which completely fails today because we sandbox dracut off
from seeing the real hardware and the host filesystems, so
it omits a lot of modules.

It wasn't noticed because Fedora CoreOS does always specify
arguments in the treefile.

Closes: coreos#2343
openshift-merge-robot pushed a commit that referenced this issue Dec 10, 2020
@Mershl
Contributor Author

Mershl commented Dec 15, 2020

Hi @cgwalters, just tested rpm-ostree-2020.10-1.fc33.x86_64 and rpm-ostree-libs-2020.10-1.fc33.x86_64. The AVC denial is still popping up for "rpm-ostree override replace kernel*.rpm".

$ rpm -qa | grep rpm-ostree
gnome-software-rpm-ostree-3.38.0-2.fc33.x86_64
rpm-ostree-libs-2020.10-1.fc33.x86_64
rpm-ostree-2020.10-1.fc33.x86_64

$ rpm -qa | grep "^selinux"
selinux-policy-targeted-3.14.6-31.fc33.noarch
selinux-policy-3.14.6-31.fc33.noarch
$ rpm-ostree override replace kernel-5.10.0-0.rc6.20201204git34816d20f173.92.fc34.x86_64.rpm kernel-core-5.10.0-0.rc6.20201204git34816d20f173.92.fc34.x86_64.rpm kernel-modules-5.10.0-0.rc6.20201204git34816d20f173.92.fc34.x86_64.rpm kernel-modules-extra-5.10.0-0.rc6.20201204git34816d20f173.92.fc34.x86_64.rpm
Checking out tree 9e7a339... done
[...]
Importing rpm-md... done
Resolving dependencies... done
Applying 13 overrides and 332 overlays
Processing packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Generating initramfs... done
Writing OSTree commit... done
Staging deployment... done
Freed: 941,3 MB (pkgcache branches: 19)
Upgraded:
  kernel 5.9.13-200.fc33 -> 5.10.0-0.rc6.20201204git34816d20f173.92.fc34
  kernel-core 5.9.13-200.fc33 -> 5.10.0-0.rc6.20201204git34816d20f173.92.fc34
  kernel-modules 5.9.13-200.fc33 -> 5.10.0-0.rc6.20201204git34816d20f173.92.fc34
  kernel-modules-extra 5.9.13-200.fc33 -> 5.10.0-0.rc6.20201204git34816d20f173.92.fc34
Run "systemctl reboot" to start a reboot
$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
type=AVC msg=audit(15.12.2020 17:07:25.752:536) : avc:  denied  { nnp_transition nosuid_transition } for  pid=19800 comm=dracut scontext=system_u:system_r:install_t:s0 tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=1
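
As an added triage helper (not code from this issue or from rpm-ostree), the following Python parses the `ausearch -i` records quoted in both of Mershl's posts above and reports each refused install_t to setfiles_mac_t transition: whether the denial was enforced (permissive=0) or only logged (permissive=1), and whether the kernel's fallback typebounds check also failed at the same instant (the SELINUX_ERR op=security_bounded_transition record). The record layout and field names are exactly those shown on this page; the sample list is copied from the posts.

```python
import re

# Three records copied from the `ausearch -i` output in this issue: the first post's
# AVC (permissive=0) and SELINUX_ERR pair, and the second post's AVC (permissive=1).
SAMPLE_RECORDS = [
    "type=AVC msg=audit(29.11.2020 23:35:58.798:534) : avc:  denied  { nnp_transition nosuid_transition } for  pid=42690 comm=dracut scontext=system_u:system_r:install_t:s0 tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=0",
    "type=SELINUX_ERR msg=audit(29.11.2020 23:35:58.798:535) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0 newcontext=system_u:system_r:setfiles_mac_t:s0",
    "type=AVC msg=audit(15.12.2020 17:07:25.752:536) : avc:  denied  { nnp_transition nosuid_transition } for  pid=19800 comm=dracut scontext=system_u:system_r:install_t:s0 tcontext=system_u:system_r:setfiles_mac_t:s0 tclass=process2 permissive=1",
]

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]*)\) : (?P<body>.*)$")
PERMS_RE = re.compile(r"\{ (?P<perms>[^}]*) \}")
KV_RE = re.compile(r"(\w+)=(\S+)")
TRANSITION_PERMS = {"nnp_transition", "nosuid_transition"}

def parse_record(line):
    """One `ausearch -i` record -> dict; None for separator lines such as '----'."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # "29.11.2020 23:35:58.798:534" -> keep the timestamp, drop the per-record serial
    rec = {"type": m.group("type"), "perms": set(), "time": m.group("stamp").rsplit(":", 1)[0]}
    pm = PERMS_RE.search(m.group("body"))
    if pm:
        rec["perms"] = set(pm.group("perms").split())
    rec.update(KV_RE.findall(m.group("body")))   # pid, comm, scontext, ... or op, oldcontext, ...
    return rec

def domain(context):
    """system_u:system_r:install_t:s0 -> install_t"""
    return context.split(":")[2]

def triage(lines):
    """List refused domain transitions (process2 nnp_transition/nosuid_transition) and
    mark those where the kernel's fallback typebounds check also failed at the same time."""
    recs = [r for r in map(parse_record, lines) if r]
    bounds_failed = {(r["time"], r["oldcontext"], r["newcontext"]) for r in recs
                     if r["type"] == "SELINUX_ERR" and r.get("op") == "security_bounded_transition"}
    findings = []
    for r in recs:
        if r["type"] != "AVC" or r.get("tclass") != "process2" or not (r["perms"] & TRANSITION_PERMS):
            continue
        findings.append({
            "pid": int(r["pid"]), "comm": r["comm"],
            "from": domain(r["scontext"]), "to": domain(r["tcontext"]),
            "enforced": r.get("permissive") == "0",   # 0: exec refused, 1: logged only
            "bounds_check_failed": (r["time"], r["scontext"], r["tcontext"]) in bounds_failed,
        })
    return findings
```

Run `triage(SAMPLE_RECORDS)` to see that the November record was an enforced denial with a failed bounds check, while the December record (after the fix) was only logged in permissive mode.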

@cgwalters
Member

Moved that to https://bugzilla.redhat.com/show_bug.cgi?id=1911505
