Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[rawhide][branched] SELinux AVC denials cause multiple installation methods to fail #1779

Open
marmijo opened this issue Aug 16, 2024 · 1 comment
Open

[rawhide][branched] SELinux AVC denials cause multiple installation methods to fail #1779

marmijo opened this issue Aug 16, 2024 · 1 comment
Labels
area/selinux pipeline failure This issue or pull request is derived from CI failures

Comments

@marmijo
Copy link
Member

marmijo commented Aug 16, 2024

This was investigated using selinux-policy-41.14-1.fc41 in the branched stream tracking Fedora 41.

The following AVC denials are observed in several kola ISO tests. The denials are blocking CoreOS Installer from creating directories under /etc as well as it's ability to interact with udevadm.

AVC avc:  denied  { write } for  pid=1056 comm="mkdir" name="etc" dev="loop0" ino=131 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
AVC avc:  denied  { getattr } for  pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { getattr } for  pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0

Test Failures

These denials cause the following kola ISO tests to all fail with the exact same AVC denials:

iso-install.bios
iso-offline-install.bios
iso-offline-install.mpath.bios
iso-offline-install-fromram.4k.uefi
miniso-install.bios
miniso-install.nm.bios
miniso-install.4k.nm.uefi
pxe-offline-install.bios
pxe-offline-install.4k.uefi
pxe-online-install.bios
pxe-online-install.4k.uefi

Log Files

Here's a full journal.txt and console.txt from two of these tests.
pxe-online-install.bios.console.txt
pxe-online-install.bios.journal.txt

iso-offline-install.bios.console.txt
iso-offline-install.bios.journal.txt

Also, for completeness, here's a journal.txt file from a test with the enforcing=0 karg used:
iso-offline-install.bios.enforcing-0.journal.txt

Additional Note

Other packages had to be pinned in the branched/rawhide stream to get around another failure with systemd-256.

  • systemd-255.5-1.fc41
  • lvm2-2.03.23-1.fc40

BugZilla Issue with selinux-policy
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Aug 16, 2024
@marmijo
denylist: branched: add kola-iso tests failing due to SELinux denials
1ab7554 
These tests are all experiencing SELinux AVC denials causing
CoreOS Installer to fail in these installation configurations.
Denylist them for now until we can get the issue resolved:

coreos/fedora-coreos-tracker#1779
This was referenced Aug 16, 2024
Merged
Merged
@marmijo marmijo reopened this Aug 19, 2024
@marmijo marmijo added the meeting topics for meetings label Aug 19, 2024
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Aug 19, 2024
@marmijo
denylist: rawhide: add kola-iso tests failing due to SELinux denials
2fc693b 
These tests are all experiencing SELinux AVC denials causing
CoreOS Installer to fail in these installation configurations.
Denylist them for now until we can get the issue resolved:

coreos/fedora-coreos-tracker#1779
@marmijo marmijo mentioned this issue Aug 19, 2024
Merged
@marmijo marmijo removed the meeting topics for meetings label Aug 19, 2024
@marmijo marmijo reopened this Aug 19, 2024
@marmijo marmijo added the pipeline failure This issue or pull request is derived from CI failures label Aug 20, 2024
@marmijo marmijo mentioned this issue Aug 29, 2024
Merged
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 3, 2024
@marmijo
denylist: remove entries for kola-ISO tests
706d1e6 
The selinux-workaround.yaml manifest reverts the coreos_installer_t
domain to workaround
coreos/fedora-coreos-tracker#1779 for now.
Remove the affected kola-ISO tests so we can run them again in CI.
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 3, 2024
@marmijo
denylist: extend expires snoozes
9f4ca05 
- `coreos.ignition.ssh.key`
  - pending afterburn release: coreos/afterburn#1095

- kola-iso tests
  - coreos/fedora-coreos-tracker#1779 is still
    unresolved.
  - coreos#3127
    might unblock these tests for now.

- `ext.config.kdump.crash`
  - this test is still failing in rawhide and branched.
@marmijo marmijo mentioned this issue Sep 3, 2024
Merged
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 3, 2024
@marmijo
denylist: extend expired snoozes
02510dd 
- `coreos.ignition.ssh.key`
  - pending afterburn release: coreos/afterburn#1095

- kola-iso tests
  - coreos/fedora-coreos-tracker#1779 is still
    unresolved.
  - coreos#3127
    might unblock these tests for now.

- `ext.config.kdump.crash`
  - this test is still failing in rawhide and branched.
dustymabe pushed a commit to coreos/fedora-coreos-config that referenced this issue Sep 3, 2024
@marmijo @dustymabe
denylist: extend expired snoozes
d26c9ba 
- `coreos.ignition.ssh.key`
  - pending afterburn release: coreos/afterburn#1095

- kola-iso tests
  - coreos/fedora-coreos-tracker#1779 is still
    unresolved.
  - #3127
    might unblock these tests for now.

- `ext.config.kdump.crash`
  - this test is still failing in rawhide and branched.
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 3, 2024
@marmijo
denylist: remove entries for kola-ISO tests
77c1f9a 
The selinux-workaround.yaml manifest reverts the coreos_installer_t
domain to workaround
coreos/fedora-coreos-tracker#1779 for now.
Remove the affected kola-ISO tests so we can run them again in CI.
marmijo added a commit to marmijo/fedora-coreos-config that referenced this issue Sep 3, 2024
@marmijo
denylist: remove entries for kola-ISO tests
4cc0404 
The selinux-workaround.yaml manifest reverts the coreos_installer_t
domain to workaround
coreos/fedora-coreos-tracker#1779 for now.
Remove the affected kola-ISO tests so we can run them again in CI.
marmijo added a commit to coreos/fedora-coreos-config that referenced this issue Sep 4, 2024
@marmijo
denylist: remove entries for kola-ISO tests
0720411 
The selinux-workaround.yaml manifest reverts the coreos_installer_t
domain to workaround
coreos/fedora-coreos-tracker#1779 for now.
Remove the affected kola-ISO tests so we can run them again in CI.
@marmijo marmijo changed the title [branched] SELinux AVC denials cause multiple installation methods to fail [rawhide][branched] SELinux AVC denials cause multiple installation methods to fail Sep 5, 2024
@marmijo
Copy link
Member Author

marmijo commented Sep 5, 2024

A workaround was added for this in: coreos/fedora-coreos-config#3127.
We're now able to run the affected kola-ISO tests in rawhide and branched.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/selinux pipeline failure This issue or pull request is derived from CI failures
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dustymabe @marmijo