QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Fedora template with selinux enabled built using docker executor doesn't work #8192

Open marmarek opened 1 year ago

marmarek commented 1 year ago


Qubes OS release

R4.2

Brief summary

The Fedora (37) template built with the "selinux" option, but using the "docker" executor (on an Ubuntu host, which doesn't have SELinux enabled), not the "qubes" one, results in a broken template.

Steps to reproduce

Build the fedora-37 template using `example-configs/qubes-os-r4.2.yml` but with the docker executor instead of the qubes one (there is a commented-out section for it already there).

Expected behavior

Fully functional template, or a build error if docker cannot be used for building an SELinux-enabled template.

Actual behavior

The system fails to boot. Highlights from the log:

```
[    3.258712] audit: type=1403 audit(1683806420.306:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    3.260155] systemd[1]: Successfully loaded SELinux policy in 47.376ms.
[    3.270853] systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 4.356ms.
[    3.275999] systemd[1]: systemd 251.14-2.fc37 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[    3.276071] systemd[1]: Detected virtualization xen.
[    3.276085] systemd[1]: Detected architecture x86-64.

Welcome to Fedora Linux 37 (Thirty Seven)!

[    3.277333] systemd[1]: No hostname configured, using default hostname.
[    3.277382] systemd[1]: Hostname set to <fedora>.
[    3.302945] systemd[1]: bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
[    3.401358] systemd-gpt-auto-generator[213]: Failed to dissect: Permission denied
[    3.403207] (sd-execut[205]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
```

and

```
[    4.001953] audit: type=1400 audit(1683806421.049:4): avc:  denied  { write } for  pid=254 comm="qubesdb-daemon" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:qubes_qubesdb_daemon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
[    4.004098] systemd[1]: qubes-db.service: Main process exited, code=exited, status=1/FAILURE
[    4.004204] systemd[1]: qubes-db.service: Failed with result 'exit-code'.
[    4.004342] systemd[1]: Failed to start qubes-db.service - Qubes DB agent.
[FAILED] Failed to start qubes-db.service - Qubes DB agent.
See 'systemctl status qubes-db.service' for details.
[    4.004752] systemd[1]: Dependency failed for qubes-sysinit.service - Init Qubes Services settings.
```

Full log at https://gist.github.com/marmarek/39abce5927bfaf76c15652ccc79d4ff3

Some labels are seemingly set (the full file listing is 12MB, but you can see some of them in the log above): https://gist.github.com/marmarek/ddffbe87717eff30e9424925d70f35e4 (generated with `find /mnt -printf '%M %U %G %Z %p\n'`)

marmarek commented 1 year ago

There are some errors during the SELinux policy install during the template build:

```
2023-04-28 13:28:52,945 [executor:docker:bae54c1b05] output: Last metadata expiration check: 0:00:11 ago on Fri Apr 28 11:28:41 2023.
2023-04-28 13:28:53,081 [executor:docker:bae54c1b05] output: Running in chroot, ignoring command 'is-active'
2023-04-28 13:28:53,081 [executor:docker:bae54c1b05] output: Dependencies resolved.
2023-04-28 13:28:53,104 [executor:docker:bae54c1b05] output: ================================================================================
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: Package Arch Version Repository Size
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: ================================================================================
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: Installing:
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: selinux-policy-targeted noarch 37.19-1.fc37 updates 6.6 M
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: Installing dependencies:
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: checkpolicy x86_64 3.5-1.fc37 updates 347 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: flatpak-selinux noarch 1.14.4-1.fc37 updates 22 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: libselinux-utils x86_64 3.5-1.fc37 updates 160 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: policycoreutils x86_64 3.5-1.fc37 updates 240 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: policycoreutils-python-utils noarch 3.5-1.fc37 updates 80 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: python3-audit x86_64 3.1-2.fc37 updates 87 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: python3-libselinux x86_64 3.5-1.fc37 updates 196 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: python3-libsemanage x86_64 3.5-2.fc37 updates 83 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: python3-policycoreutils noarch 3.5-1.fc37 updates 2.2 M
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: python3-setools x86_64 4.4.0-9.fc37 fedora 618 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: qubes-core-agent-selinux noarch 4.2.9-1.fc37 template-builder-repo 30 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: qubes-core-qrexec-vm-selinux x86_64 4.2.3-1.fc37 template-builder-repo 24 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: qubes-db-vm-selinux x86_64 4.2.1-1.fc37 template-builder-repo 24 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: qubes-gui-agent-selinux noarch 4.2.2-1.fc37 template-builder-repo 23 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: qubes-utils-selinux x86_64 4.2.6-1.fc37 template-builder-repo 23 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: rpm-plugin-selinux x86_64 4.18.0-1.fc37 fedora 20 k
2023-04-28 13:28:53,105 [executor:docker:bae54c1b05] output: selinux-policy noarch 37.19-1.fc37 updates 51 k
2023-04-28 13:28:53,106 [executor:docker:bae54c1b05] output: 
2023-04-28 13:28:53,106 [executor:docker:bae54c1b05] output: Transaction Summary
2023-04-28 13:28:53,106 [executor:docker:bae54c1b05] output: ================================================================================
2023-04-28 13:28:53,106 [executor:docker:bae54c1b05] output: Install 18 Packages
2023-04-28 13:28:53,106 [executor:docker:bae54c1b05] output: 
2023-04-28 13:28:53,106 [executor:docker:bae54c1b05] output: Total size: 11 M
2023-04-28 13:28:53,106 [executor:docker:bae54c1b05] output: Installed size: 31 M
2023-04-28 13:28:53,106 [executor:docker:bae54c1b05] output: Downloading Packages:
2023-04-28 13:28:53,202 [executor:docker:bae54c1b05] output: Running transaction check
2023-04-28 13:28:53,220 [executor:docker:bae54c1b05] output: Transaction check succeeded.
2023-04-28 13:28:53,220 [executor:docker:bae54c1b05] output: Running transaction test
2023-04-28 13:28:53,360 [executor:docker:bae54c1b05] output: Transaction test succeeded.
2023-04-28 13:28:53,360 [executor:docker:bae54c1b05] output: Running transaction
2023-04-28 13:28:53,865 [executor:docker:bae54c1b05] output: Running scriptlet: selinux-policy-targeted-37.19-1.fc37.noarch 1/1
2023-04-28 13:28:54,000 [executor:docker:bae54c1b05] output: Preparing : 1/1
2023-04-28 13:28:54,046 [executor:docker:bae54c1b05] output: Installing : libselinux-utils-3.5-1.fc37.x86_64 1/18
2023-04-28 13:28:54,066 [executor:docker:bae54c1b05] output: Installing : policycoreutils-3.5-1.fc37.x86_64 2/18
2023-04-28 13:28:54,081 [executor:docker:bae54c1b05] output: Running scriptlet: policycoreutils-3.5-1.fc37.x86_64 2/18
2023-04-28 13:28:54,081 [executor:docker:bae54c1b05] output: Created symlink /etc/systemd/system/sysinit.target.wants/selinux-autorelabel-mark.service -> /usr/lib/systemd/system/selinux-autorelabel-mark.service.
2023-04-28 13:28:54,081 [executor:docker:bae54c1b05] output: 
2023-04-28 13:28:54,100 [executor:docker:bae54c1b05] output: Installing : selinux-policy-37.19-1.fc37.noarch 3/18
2023-04-28 13:28:54,122 [executor:docker:bae54c1b05] output: Running scriptlet: selinux-policy-37.19-1.fc37.noarch 3/18
2023-04-28 13:28:54,196 [executor:docker:bae54c1b05] output: Running scriptlet: selinux-policy-targeted-37.19-1.fc37.noarch 4/18
2023-04-28 13:28:54,224 [executor:docker:bae54c1b05] output: Installing : selinux-policy-targeted-37.19-1.fc37.noarch 4/18
2023-04-28 13:28:58,889 [executor:docker:bae54c1b05] output: Running scriptlet: selinux-policy-targeted-37.19-1.fc37.noarch 4/18
2023-04-28 13:28:58,906 [executor:docker:bae54c1b05] output: Installing : qubes-core-agent-selinux-4.2.9-1.fc37.noarch 5/18
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-core-agent-selinux-4.2.9-1.fc37.noarch 5/18
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/qubes-misc/cil:5
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: Failed to resolve AST
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: /usr/sbin/semodule: Failed!
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: 
2023-04-28 13:29:01,335 [executor:docker:bae54c1b05] output: Installing : python3-libselinux-3.5-1.fc37.x86_64 6/18
2023-04-28 13:29:01,353 [executor:docker:bae54c1b05] output: Installing : python3-libsemanage-3.5-2.fc37.x86_64 7/18
2023-04-28 13:29:01,376 [executor:docker:bae54c1b05] output: Installing : python3-audit-3.1-2.fc37.x86_64 8/18
2023-04-28 13:29:01,404 [executor:docker:bae54c1b05] output: Installing : checkpolicy-3.5-1.fc37.x86_64 9/18
2023-04-28 13:29:01,449 [executor:docker:bae54c1b05] output: Installing : python3-setools-4.4.0-9.fc37.x86_64 10/18
2023-04-28 13:29:01,473 [executor:docker:bae54c1b05] output: Installing : python3-policycoreutils-3.5-1.fc37.noarch 11/18
2023-04-28 13:29:01,491 [executor:docker:bae54c1b05] output: Installing : policycoreutils-python-utils-3.5-1.fc37.noarch 12/18
2023-04-28 13:29:01,506 [executor:docker:bae54c1b05] output: Installing : qubes-core-qrexec-vm-selinux-4.2.3-1.fc37.x86_64 13/18
2023-04-28 13:29:03,705 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-core-qrexec-vm-selinux-4.2.3-1.fc37.x86_64 13/18
2023-04-28 13:29:03,705 [executor:docker:bae54c1b05] output: Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/qubes-core-qrexec/cil:14
2023-04-28 13:29:03,705 [executor:docker:bae54c1b05] output: Failed to resolve AST
2023-04-28 13:29:03,705 [executor:docker:bae54c1b05] output: /usr/sbin/semodule: Failed!
2023-04-28 13:29:03,705 [executor:docker:bae54c1b05] output: 
2023-04-28 13:29:03,735 [executor:docker:bae54c1b05] output: Installing : qubes-gui-agent-selinux-4.2.2-1.fc37.noarch 14/18
2023-04-28 13:29:05,955 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-gui-agent-selinux-4.2.2-1.fc37.noarch 14/18
2023-04-28 13:29:05,956 [executor:docker:bae54c1b05] output: Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/qubes-gui-agent/cil:5
2023-04-28 13:29:05,956 [executor:docker:bae54c1b05] output: Failed to resolve AST
2023-04-28 13:29:05,956 [executor:docker:bae54c1b05] output: /usr/sbin/semodule: Failed!
2023-04-28 13:29:05,956 [executor:docker:bae54c1b05] output: 
2023-04-28 13:29:05,986 [executor:docker:bae54c1b05] output: Installing : qubes-db-vm-selinux-4.2.1-1.fc37.x86_64 15/18
2023-04-28 13:29:10,833 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-db-vm-selinux-4.2.1-1.fc37.x86_64 15/18
2023-04-28 13:29:10,849 [executor:docker:bae54c1b05] output: Installing : qubes-utils-selinux-4.2.6-1.fc37.x86_64 16/18
2023-04-28 13:29:15,653 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-utils-selinux-4.2.6-1.fc37.x86_64 16/18
2023-04-28 13:29:15,670 [executor:docker:bae54c1b05] output: Installing : flatpak-selinux-1.14.4-1.fc37.noarch 17/18
2023-04-28 13:29:20,440 [executor:docker:bae54c1b05] output: Running scriptlet: flatpak-selinux-1.14.4-1.fc37.noarch 17/18
2023-04-28 13:29:20,458 [executor:docker:bae54c1b05] output: Installing : rpm-plugin-selinux-4.18.0-1.fc37.x86_64 18/18
2023-04-28 13:29:20,467 [executor:docker:bae54c1b05] output: Running scriptlet: selinux-policy-targeted-37.19-1.fc37.noarch 18/18
2023-04-28 13:29:20,487 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-core-agent-selinux-4.2.9-1.fc37.noarch 18/18
2023-04-28 13:29:20,487 [executor:docker:bae54c1b05] output: Created symlink /etc/systemd/system/multi-user.target.wants/qubes-relabel-root.service -> /usr/lib/systemd/system/qubes-relabel-root.service.
2023-04-28 13:29:20,487 [executor:docker:bae54c1b05] output: Created symlink /etc/systemd/system/selinux-autorelabel.target.wants/qubes-relabel-root.service -> /usr/lib/systemd/system/qubes-relabel-root.service.
2023-04-28 13:29:20,487 [executor:docker:bae54c1b05] output: Created symlink /etc/systemd/system/multi-user.target.wants/qubes-relabel-rw.service -> /usr/lib/systemd/system/qubes-relabel-rw.service.
2023-04-28 13:29:20,487 [executor:docker:bae54c1b05] output: Running in chroot, ignoring command 'start'
2023-04-28 13:29:20,487 [executor:docker:bae54c1b05] output: 
2023-04-28 13:29:20,493 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-core-qrexec-vm-selinux-4.2.3-1.fc37.x86_64 18/18
2023-04-28 13:29:20,498 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-gui-agent-selinux-4.2.2-1.fc37.noarch 18/18
2023-04-28 13:29:20,502 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-db-vm-selinux-4.2.1-1.fc37.x86_64 18/18
2023-04-28 13:29:20,561 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-utils-selinux-4.2.6-1.fc37.x86_64 18/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Running scriptlet: rpm-plugin-selinux-4.18.0-1.fc37.x86_64 18/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : qubes-core-agent-selinux-4.2.9-1.fc37.noarch 1/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : qubes-core-qrexec-vm-selinux-4.2.3-1.fc37.x86_64 2/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : qubes-db-vm-selinux-4.2.1-1.fc37.x86_64 3/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : qubes-gui-agent-selinux-4.2.2-1.fc37.noarch 4/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : qubes-utils-selinux-4.2.6-1.fc37.x86_64 5/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : python3-setools-4.4.0-9.fc37.x86_64 6/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : rpm-plugin-selinux-4.18.0-1.fc37.x86_64 7/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : checkpolicy-3.5-1.fc37.x86_64 8/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : flatpak-selinux-1.14.4-1.fc37.noarch 9/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : libselinux-utils-3.5-1.fc37.x86_64 10/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : policycoreutils-3.5-1.fc37.x86_64 11/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : policycoreutils-python-utils-3.5-1.fc37.noarch 12/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : python3-audit-3.1-2.fc37.x86_64 13/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : python3-libselinux-3.5-1.fc37.x86_64 14/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : python3-libsemanage-3.5-2.fc37.x86_64 15/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : python3-policycoreutils-3.5-1.fc37.noarch 16/18
2023-04-28 13:29:20,756 [executor:docker:bae54c1b05] output: Verifying : selinux-policy-37.19-1.fc37.noarch 17/18
2023-04-28 13:29:21,143 [executor:docker:bae54c1b05] output: Verifying : selinux-policy-targeted-37.19-1.fc37.noarch 18/18Running in chroot, ignoring command 'is-active' ...
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: 
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: Installed:
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: checkpolicy-3.5-1.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: flatpak-selinux-1.14.4-1.fc37.noarch
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: libselinux-utils-3.5-1.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: policycoreutils-3.5-1.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: policycoreutils-python-utils-3.5-1.fc37.noarch
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: python3-audit-3.1-2.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: python3-libselinux-3.5-1.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: python3-libsemanage-3.5-2.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: python3-policycoreutils-3.5-1.fc37.noarch
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: python3-setools-4.4.0-9.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: qubes-core-agent-selinux-4.2.9-1.fc37.noarch
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: qubes-core-qrexec-vm-selinux-4.2.3-1.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: qubes-db-vm-selinux-4.2.1-1.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: qubes-gui-agent-selinux-4.2.2-1.fc37.noarch
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: qubes-utils-selinux-4.2.6-1.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: rpm-plugin-selinux-4.18.0-1.fc37.x86_64
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: selinux-policy-37.19-1.fc37.noarch
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: selinux-policy-targeted-37.19-1.fc37.noarch
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: 
2023-04-28 13:29:22,719 [executor:docker:bae54c1b05] output: Complete!
2023-04-28 13:29:22,818 [executor:docker:bae54c1b05] output: + retval=0
```
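Two checks a builder or reviewer would want for the failure modes shown in this issue, written as an added example rather than code from the issue or from qubes-builder: the build-log scan flags every `/usr/sbin/semodule: Failed!` (which the build above swallowed, finishing with `retval=0`) and attributes it to the running scriptlet and the unresolved CIL statement, and the boot-log parser pulls the fields out of the AVC denial so the mislabelled target (`var_run_t` on the tmpfs root) is visible at a glance. The sample lines are constructed in the shape of the logs quoted above, not the full logs.

```python
import re

# Constructed sample lines in the shape of the issue's logs (not the full logs).
BUILD_LOG = """\
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-core-agent-selinux-4.2.9-1.fc37.noarch 5/18
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/qubes-misc/cil:5
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: Failed to resolve AST
2023-04-28 13:29:01,305 [executor:docker:bae54c1b05] output: /usr/sbin/semodule: Failed!
2023-04-28 13:29:03,705 [executor:docker:bae54c1b05] output: Running scriptlet: qubes-core-qrexec-vm-selinux-4.2.3-1.fc37.x86_64 13/18
2023-04-28 13:29:03,705 [executor:docker:bae54c1b05] output: Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/qubes-core-qrexec/cil:14
2023-04-28 13:29:03,705 [executor:docker:bae54c1b05] output: /usr/sbin/semodule: Failed!
2023-04-28 13:29:22,818 [executor:docker:bae54c1b05] output: + retval=0
"""
BOOT_LOG = """\
[    4.001953] audit: type=1400 audit(1683806421.049:4): avc:  denied  { write } for  pid=254 comm="qubesdb-daemon" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:qubes_qubesdb_daemon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
[    4.004098] systemd[1]: qubes-db.service: Main process exited, code=exited, status=1/FAILURE
"""
# Executor output prefix, the rpm scriptlet marker, the CIL resolution error and the AVC record.
OUTPUT_PREFIX = re.compile(r"^\S+ \S+ \[executor:[^\]]+\] output: (.*)$")
SCRIPTLET = re.compile(r"^Running scriptlet: (\S+)")
CIL_ERROR = re.compile(r"^Failed to resolve (\w+) statement at (\S+?):(\d+)$")
AVC = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
                 r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def semodule_failures(log: str) -> list[dict]:
    """One record per 'semodule: Failed!', with the running scriptlet and the unresolved CIL statement."""
    failures, pkg, cil = [], None, None
    for raw in log.splitlines():
        m = OUTPUT_PREFIX.match(raw)
        if not m:
            continue  # not chroot output (builder's own messages etc.)
        line = m.group(1).strip()
        if s := SCRIPTLET.match(line):
            pkg, cil = s.group(1), None  # new scriptlet: forget the previous CIL error
        elif c := CIL_ERROR.match(line):
            cil = {"statement": c.group(1), "file": c.group(2), "line": int(c.group(3))}
        elif line == "/usr/sbin/semodule: Failed!":
            failures.append({"package": pkg, **(cil or {})})
    return failures

def build_ok(log: str) -> bool:
    """Verdict a builder should apply: any semodule failure fails the build, even though rpm exits 0."""
    return not semodule_failures(log)

def avc_denials(log: str) -> list[dict]:
    """Denied permissions, process, source/target contexts and target type of each AVC denial."""
    out = []
    for line in log.splitlines():
        if m := AVC.search(line):
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["ttype"] = d["tcontext"].split(":")[2]  # e.g. var_run_t
            out.append(d)
    return out
```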