QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

SELinux failures on Fedora 40 update #9503

Open marmarek opened 1 month ago

marmarek commented 1 month ago


Qubes OS release

R4.2

Brief summary

fedora-40 update fails

Steps to reproduce

Run fedora-40 update using qubes-vm-update or qubes-update-gui

Expected behavior

Update completes normally

Actual behavior

Update fails. On the updater side, there is:

2024-10-12 14:25:50.238 qrexec-client[16214]: process_io.c:39:handle_vchan_error: Error while vchan read, exiting

And on the fedora-40 console there is:

[2024-10-12 14:19:04] [  256.737215] SELinux:  Converting 403 SID table entries...
[2024-10-12 14:19:04] [  256.737290] SELinux:  Context system_u:object_r:snappy_unit_file_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737380] SELinux:  Context system_u:object_r:qubes_qubesdb_daemon_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737399] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737420] SELinux:  Context system_u:object_r:qubes_var_run_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737439] SELinux:  Context system_u:object_r:qubes_qubesdb_socket_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737541] SELinux:  Context system_u:object_r:snappy_cli_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737679] SELinux:  Context system_u:object_r:snappy_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737696] SELinux:  Context system_u:system_r:snappy_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737712] SELinux:  Context system_u:object_r:snappy_var_run_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737731] SELinux:  Context system_u:object_r:snappy_var_lib_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737751] SELinux:  Context system_u:object_r:qubes_meminfo_writer_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737769] SELinux:  Context system_u:system_r:qubes_meminfo_writer_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737788] SELinux:  Context system_u:object_r:qubes_meminfo_writer_var_run_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737856] SELinux:  Context system_u:object_r:qubes_qrexec_agent_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737952] SELinux:  Context system_u:object_r:qubes_qrexec_socket_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.738028] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0-s0:c0.c1023 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.738169] SELinux:  Context unconfined_u:object_r:snappy_var_lib_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.738188] SELinux:  Context unconfined_u:object_r:qubes_var_run_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.782079] audit: type=1403 audit(1728735544.616:275): auid=0 ses=9 lsm=selinux res=1
[2024-10-12 14:19:04] [  256.782514] audit: type=1300 audit(1728735544.616:275): arch=c000003e syscall=1 success=yes exit=3809034 a0=4 a1=7e77f9600000 a2=3a1f0a a3=0 items=0 ppid=1411 pid=1416 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
...
[2024-10-12 14:19:04] [  256.837494] audit: type=1400 audit(1728735544.735:277): avc:  denied  { read } for  pid=483 comm="meminfo-writer" path="/sys/devices/system/xen_memory/xen_memory0/info/current_kb" dev="sysfs" ino=2893 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 srawcon="system_u:system_r:qubes_meminfo_writer_t:s0"
[2024-10-12 14:19:04] [  256.837559] audit: type=1300 audit(1728735544.735:277): arch=c000003e syscall=17 success=no exit=-13 a0=4 a1=7ffd43f5ab40 a2=1f a3=0 items=0 ppid=1 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="meminfo-writer" exe="/usr/sbin/meminfo-writer" subj=system_u:object_r:unlabeled_t:s0 key=(null)
[2024-10-12 14:19:04] [  256.837632] audit: type=1327 audit(1728735544.735:277): proctitle=2F7573722F7362696E2F6D656D696E666F2D77726974657200333030303000313030303030002F72756E2F6D656D696E666F2D7772697465722E706964
[2024-10-12 14:19:04] [  256.837666] audit: type=1400 audit(1728735544.735:278): avc:  denied  { use } for  pid=483 comm="meminfo-writer" path="socket:[4599]" dev="sockfs" ino=4599 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_meminfo_writer_t:s0"
[2024-10-12 14:19:04] [  256.837715] audit: type=1300 audit(1728735544.735:278): arch=c000003e syscall=72 success=no exit=-13 a0=6 a1=3 a2=7b7a6198fec3 a3=0 items=0 ppid=1 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="meminfo-writer" exe="/usr/sbin/meminfo-writer" subj=system_u:object_r:unlabeled_t:s0 key=(null)
...
[2024-10-12 14:19:59] [  312.028884] audit: type=1400 audit(1728735599.927:333): avc:  denied  { getattr } for  pid=9295 comm="systemd-gpt-aut" path="/efi" dev="autofs" ino=1581 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir permissive=0

I'm not 100% sure those two are related, but it seems likely. The last denial looks to be not strictly qubes-related, so maybe the issue is in the upstream selinux policy?

Update summary

```
Packages Altered:
    Install       kernel-6.10.12-200.fc40.x86_64                            @updates
    Install       kernel-core-6.10.12-200.fc40.x86_64                       @updates
    Install       kernel-modules-6.10.12-200.fc40.x86_64                    @updates
    Install       kernel-modules-core-6.10.12-200.fc40.x86_64               @updates
    Upgrade       ansible-srpm-macros-1-16.fc40.noarch                      @updates
    Upgraded      ansible-srpm-macros-1-14.fc40.noarch                      @@System
    Upgrade       chromium-129.0.6668.100-1.fc40.x86_64                     @updates
    Upgraded      chromium-129.0.6668.70-1.fc40.x86_64                      @@System
    Upgrade       chromium-common-129.0.6668.100-1.fc40.x86_64              @updates
    Upgraded      chromium-common-129.0.6668.70-1.fc40.x86_64               @@System
    Upgrade       firefox-131.0.2-1.fc40.x86_64                             @updates
    Upgraded      firefox-131.0-2.fc40.x86_64                               @@System
    Upgrade       firefox-langpacks-131.0.2-1.fc40.x86_64                   @updates
    Upgraded      firefox-langpacks-131.0-2.fc40.x86_64                     @@System
    Upgrade       fmt-10.2.1-5.fc40.x86_64                                  @updates
    Upgraded      fmt-10.2.1-4.fc40.x86_64                                  @@System
    Upgrade       ghc-srpm-macros-1.9.1-1.fc40.noarch                       @updates
    Upgraded      ghc-srpm-macros-1.9-1.fc40.noarch                         @@System
    Upgrade       git-2.47.0-1.fc40.x86_64                                  @updates
    Upgraded      git-2.46.2-1.fc40.x86_64                                  @@System
    Upgrade       git-core-2.47.0-1.fc40.x86_64                             @updates
    Upgraded      git-core-2.46.2-1.fc40.x86_64                             @@System
    Upgrade       git-core-doc-2.47.0-1.fc40.noarch                         @updates
    Upgraded      git-core-doc-2.46.2-1.fc40.noarch                         @@System
    Upgrade       hwdata-0.388-1.fc40.noarch                                @updates
    Upgraded      hwdata-0.387-1.fc40.noarch                                @@System
    Upgrade       javascriptcoregtk4.1-2.46.1-1.fc40.x86_64                 @updates
    Upgraded      javascriptcoregtk4.1-2.44.3-2.fc40.x86_64                 @@System
    Upgrade       javascriptcoregtk6.0-2.46.1-1.fc40.x86_64                 @updates
    Upgraded      javascriptcoregtk6.0-2.44.3-2.fc40.x86_64                 @@System
    Upgrade       libwnck3-43.1-1.fc40.x86_64                               @updates
    Upgraded      libwnck3-43.0-9.fc40.x86_64                               @@System
    Upgrade       ostree-libs-2024.8-1.fc40.x86_64                          @updates
    Upgraded      ostree-libs-2024.7-1.fc40.x86_64                          @@System
    Upgrade       perl-Git-2.47.0-1.fc40.noarch                             @updates
    Upgraded      perl-Git-2.46.2-1.fc40.noarch                             @@System
    Upgrade       perl-Module-CoreList-1:5.20240920-1.fc40.noarch           @updates
    Upgraded      perl-Module-CoreList-1:5.20240829-1.fc40.noarch           @@System
    Upgrade       perl-Module-CoreList-tools-1:5.20240920-1.fc40.noarch     @updates
    Upgraded      perl-Module-CoreList-tools-1:5.20240829-1.fc40.noarch     @@System
    Upgrade       python-pip-wheel-23.3.2-2.fc40.noarch                     @updates
    Upgraded      python-pip-wheel-23.3.2-1.fc40.noarch                     @@System
    Upgrade       python3-pyasn1-0.6.0-1.fc40.noarch                        @updates
    Upgraded      python3-pyasn1-0.5.1-3.fc40.noarch                        @@System
    Upgrade       python3-pyasn1-modules-0.6.0-1.fc40.noarch                @updates
    Upgraded      python3-pyasn1-modules-0.5.1-3.fc40.noarch                @@System
    Upgrade       python3-unbound-1.21.1-3.fc40.x86_64                      @updates
    Upgraded      python3-unbound-1.20.0-1.fc40.x86_64                      @@System
    Upgrade       rav1e-libs-0.7.1-4.fc40.x86_64                            @updates
    Upgraded      rav1e-libs-0.7.1-2.fc40.x86_64                            @@System
    Upgrade       selinux-policy-40.28-1.fc40.noarch                        @updates
    Upgraded      selinux-policy-40.27-1.fc40.noarch                        @@System
    Upgrade       selinux-policy-targeted-40.28-1.fc40.noarch               @updates
    Upgraded      selinux-policy-targeted-40.27-1.fc40.noarch               @@System
    Upgrade       thunderbird-128.3.1-1.fc40.x86_64                         @updates
    Upgraded      thunderbird-128.2.0-1.fc40.x86_64                         @@System
    Upgrade       thunderbird-librnp-rnp-128.3.1-1.fc40.x86_64              @updates
    Upgraded      thunderbird-librnp-rnp-128.2.0-1.fc40.x86_64              @@System
    Upgrade       unbound-anchor-1.21.1-3.fc40.x86_64                       @updates
    Upgraded      unbound-anchor-1.20.0-1.fc40.x86_64                       @@System
    Upgrade       unbound-libs-1.21.1-3.fc40.x86_64                         @updates
    Upgraded      unbound-libs-1.20.0-1.fc40.x86_64                         @@System
    Upgrade       webkit2gtk4.1-2.46.1-1.fc40.x86_64                        @updates
    Upgraded      webkit2gtk4.1-2.44.3-2.fc40.x86_64                        @@System
    Upgrade       webkitgtk6.0-2.46.1-1.fc40.x86_64                         @updates
    Upgraded      webkitgtk6.0-2.44.3-2.fc40.x86_64                         @@System
    Upgrade       xen-hypervisor-4.18.3-2.fc40.x86_64                       @updates
    Upgraded      xen-hypervisor-4.18.3-1.fc40.x86_64                       @@System
    Upgrade       xen-libs-4.18.3-2.fc40.x86_64                             @updates
    Upgraded      xen-libs-4.18.3-1.fc40.x86_64                             @@System
    Upgrade       xen-licenses-4.18.3-2.fc40.x86_64                         @updates
    Upgraded      xen-licenses-4.18.3-1.fc40.x86_64                         @@System
    Upgrade       xen-runtime-4.18.3-2.fc40.x86_64                          @updates
    Upgraded      xen-runtime-4.18.3-1.fc40.x86_64                          @@System
    Upgrade       xxhash-libs-0.8.2-4.fc40.x86_64                           @updates
    Upgraded      xxhash-libs-0.8.2-2.fc40.x86_64                           @@System
    Upgrade       qubes-pdf-converter-2.1.22-1.fc40.noarch                  @qubes-vm-r4.2-current
    Upgraded      qubes-pdf-converter-2.1.21-1.fc40.noarch                  @@System
    Upgrade       qubes-usb-proxy-1.3.2-1.fc40.noarch                       @qubes-vm-r4.2-current
    Upgraded      qubes-usb-proxy-1.3.1-1.fc40.noarch                       @@System
    Reason Change kernel-6.10.10-200.fc40.x86_64                            @updates
    Removed       kernel-6.10.7-200.fc40.x86_64                             @@System
    Reason Change kernel-core-6.10.10-200.fc40.x86_64                       @updates
    Removed       kernel-core-6.10.7-200.fc40.x86_64                        @@System
    Reason Change kernel-modules-6.10.10-200.fc40.x86_64                    @updates
    Removed       kernel-modules-6.10.7-200.fc40.x86_64                     @@System
    Reason Change kernel-modules-core-6.10.10-200.fc40.x86_64               @updates
    Removed       kernel-modules-core-6.10.7-200.fc40.x86_64                @@System
```

marmarek commented 1 month ago

It looks like all updates were actually installed anyway. And contexts seem to be set correctly, for example:

-rwxr-xr-x. 1 root root system_u:object_r:qubes_qrexec_agent_exec_t:s0 41072 Jul  5 02:00 /usr/lib/qubes/qrexec-agent

So, maybe it's just some transient issue? But the fact that the update was reported as failed, and also that its output was cut, is still a problem.

And also, it looks like the SELinux labels issue crashed qubes-gui:

Oct 12 14:19:04 fedora-40 qubes-gui[585]: xc_evtchn_status: Permission denied
Oct 12 14:19:04 fedora-40 qubes-gui[585]: libvchan_is_eof
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { ioctl } for  pid=585 comm="qubes-gui" path="/dev/xen/privcmd" dev="devtmpfs" ino=174 ioctlcmd=0x5000 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:04 fedora-40 audit[585]: SYSCALL arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=305000 a2=7ffd60fbeaa0 a3=64f55c086150 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="qubes-gui" exe="/usr/bin/qubes-gui" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:04 fedora-40 audit: PROCTITLE proctitle=2F7573722F62696E2F71756265732D677569002D640030
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { ioctl } for  pid=585 comm="qubes-gui" path="/dev/xen/evtchn" dev="devtmpfs" ino=170 ioctlcmd=0x4504 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:04 fedora-40 audit[585]: SYSCALL arch=c000003e syscall=16 success=no exit=-13 a0=4 a1=44504 a2=7ffd60fbe9c4 a3=0 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="qubes-gui" exe="/usr/bin/qubes-gui" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:04 fedora-40 audit: PROCTITLE proctitle=2F7573722F62696E2F71756265732D677569002D640030
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { getattr } for  pid=585 comm="qubes-gui" path="/dev/xen/xenbus" dev="devtmpfs" ino=94 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:04 fedora-40 audit[585]: SYSCALL arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=7453c086c07d a2=7ffd60fbe8c0 a3=0 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="qubes-gui" exe="/usr/bin/qubes-gui" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:04 fedora-40 audit: PROCTITLE proctitle=2F7573722F62696E2F71756265732D677569002D640030
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { read write } for  pid=585 comm="qubes-gui" name="gntalloc" dev="devtmpfs" ino=172 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:04 fedora-40 audit[585]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7453c08560a7 a2=2 a3=0 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="qubes-gui" exe="/usr/bin/qubes-gui" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:04 fedora-40 audit: PROCTITLE proctitle=2F7573722F62696E2F71756265732D677569002D640030
Oct 12 14:19:04 fedora-40 audit[585]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 pid=585 comm="qubes-gui" exe="/usr/bin/qubes-gui" sig=11 res=1

And that was the reason for the qrexec error:

Oct 12 14:19:05 fedora-40 audit[574]: AVC avc:  denied  { ioctl } for  pid=574 comm="qrexec-agent" path="/dev/xen/evtchn" dev="devtmpfs" ino=170 ioctlcmd=0x4504 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:05 fedora-40 audit[574]: SYSCALL arch=c000003e syscall=16 success=no exit=-13 a0=4 a1=44504 a2=7fff9ac7b4d4 a3=2 items=0 ppid=1 pid=574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qrexec-agent" exe="/usr/lib/qubes/qrexec-agent" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:05 fedora-40 audit: PROCTITLE proctitle="/usr/lib/qubes/qrexec-agent"
Oct 12 14:19:05 fedora-40 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@0-1419-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 12 14:19:05 fedora-40 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qubes-qrexec-agent comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Oct 12 14:19:05 fedora-40 dbus-broker-launch[748]: avc:  op=load_policy lsm=selinux seqno=2 res=1
Oct 12 14:19:05 fedora-40 qrexec-agent[574]: 2024-10-12 14:19:05.256 qrexec-agent[574]: qrexec-agent.c:332:handle_vchan_error: Error while vchan send (MSG_CONNECTION_TERMINATED), exiting
Oct 12 14:19:05 fedora-40 systemd[1]: qubes-qrexec-agent.service: Main process exited, code=exited, status=1/FAILURE
Oct 12 14:19:05 fedora-40 systemd[1]: qubes-qrexec-agent.service: Failed with result 'exit-code'.

QubesDB was not happy either:

Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { ioctl } for  pid=285 comm="qubesdb-daemon" path="/dev/xen/gntdev" dev="devtmpfs" ino=173 ioctlcmd=0x4702 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { ioctl } for  pid=285 comm="qubesdb-daemon" path="/dev/xen/evtchn" dev="devtmpfs" ino=170 ioctlcmd=0x4504 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 ioctlcmd=0x5401 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { search } for  pid=285 comm="qubesdb-daemon" name="/" dev="xvda3" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { getattr } for  pid=285 comm="qubesdb-daemon" path="/run/qubes/qubesdb.sock" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0" trawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qubes-db comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 12 14:19:05 fedora-40 systemd[1]: qubes-db.service: Deactivated successfully.

And pipewire crashed as a side effect too:

Oct 12 14:19:05 fedora-40 audit[650]: AVC avc:  denied  { connectto } for  pid=650 comm="pipewire" path="/run/qubes/qubesdb.sock" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 trawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[650]: SYSCALL arch=c000003e syscall=42 success=no exit=-13 a0=1c a1=7ffddb92ecc0 a2=1d a3=ffffffff items=0 ppid=622 pid=650 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="pipewire" exe="/usr/bin/pipewire" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:05 fedora-40 audit: PROCTITLE proctitle="/usr/bin/pipewire"
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: unable to obtain /qubes-audio-domain-xid entry from QubesDB
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: Cannot obtain new peer domain ID (Broken pipe), disconnecting from 0
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: Control vchan closed, cannot issue control command
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: unable to obtain /qubes-audio-domain-xid entry from QubesDB
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: Cannot obtain new peer domain ID (Broken pipe), disconnecting from 0
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: unknown peer domain, cannot create stream
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: unknown peer domain, cannot create stream
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: Control vchan closed, cannot issue control command
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: unknown peer domain, cannot create stream
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: unknown peer domain, cannot create stream

After all this, I see the SELinux policy got reloaded a few more times, and at a later time it said:

Oct 12 14:19:57 fedora-40 kernel: SELinux:  Converting 422 SID table entries...
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_unit_file_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_qubesdb_daemon_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_var_run_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_qubesdb_socket_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_cli_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:snappy_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_var_run_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_var_lib_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_meminfo_writer_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:qubes_meminfo_writer_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_meminfo_writer_var_run_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_qrexec_agent_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_qrexec_socket_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0-s0:c0.c1023 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context unconfined_u:object_r:snappy_var_lib_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context unconfined_u:object_r:qubes_var_run_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability network_peer_controls=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability open_perms=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability extended_socket_class=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability always_check_network=0
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability cgroup_seclabel=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability nnp_nosuid_transition=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability genfs_seclabel_symlinks=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability ioctl_skip_cloexec=0
Oct 12 14:19:57 fedora-40 audit: MAC_POLICY_LOAD auid=0 ses=9 lsm=selinux res=1

So the end state is correct, I think, but at this point a bunch of services had crashed already...
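As an added example (not code from this issue or from the Qubes project), here is a small Python script that correlates the kernel's "became invalid (unmapped)" messages with the AVC denials that follow a policy reload. It runs over constructed sample lines modelled on the ones quoted in both comments above, and flags processes that were denied while running as `unlabeled_t` with an `srawcon` naming an unmapped type, which is the pattern behind the meminfo-writer and qubesdb-daemon failures; the qubes-gui denial in `xdm_t` is reported separately as an ordinary policy denial.

```python
"""Correlate SELinux 'became invalid (unmapped)' messages with later AVC
denials. Added example: sample lines are constructed, modelled on the
logs quoted in this issue; this is not Qubes project code."""
import re

# Constructed sample: two kernel lines from the policy reload, followed by
# three AVC denials (two from processes whose raw domain was unmapped,
# one from qubes-gui running in the still-valid xdm_t domain).
SAMPLE_LOG = """\
[  256.737399] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became invalid (unmapped).
[  256.737769] SELinux:  Context system_u:system_r:qubes_meminfo_writer_t:s0 became invalid (unmapped).
audit: type=1400 audit(1728735544.735:277): avc:  denied  { read } for  pid=483 comm="meminfo-writer" path="/sys/devices/system/xen_memory/xen_memory0/info/current_kb" dev="sysfs" ino=2893 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 srawcon="system_u:system_r:qubes_meminfo_writer_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { ioctl } for  pid=285 comm="qubesdb-daemon" path="/dev/xen/gntdev" dev="devtmpfs" ino=173 ioctlcmd=0x4702 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { read write } for  pid=585 comm="qubes-gui" name="gntalloc" dev="devtmpfs" ino=172 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
"""

UNMAPPED_RE = re.compile(r"SELinux:\s+Context (\S+) became invalid \(unmapped\)")
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?:.*?srawcon="(?P<srawcon>[^"]+)")?'
)


def domain_of(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def parse_log(text):
    """Split log text into the set of unmapped contexts and a list of denials."""
    unmapped = set()
    denials = []
    for line in text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            unmapped.add(m.group(1))
            continue
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()   # "{ read write }" -> ["read", "write"]
            d["pid"] = int(d["pid"])
            denials.append(d)                 # srawcon is None when absent
    return unmapped, denials


def classify(unmapped, denials):
    """Map 'comm[pid]' to a (verdict, type) pair.

    A denial whose scontext is unlabeled_t and whose srawcon names a context
    the reload reported as unmapped is a reload casualty: the running process
    keeps a raw context the new policy cannot map, so every access check is
    now evaluated as unlabeled_t and fails regardless of the policy rules."""
    verdicts = {}
    unmapped_types = {domain_of(c) for c in unmapped}
    for d in denials:
        key = f"{d['comm']}[{d['pid']}]"
        if domain_of(d["scontext"]) == "unlabeled_t" and d["srawcon"]:
            raw_type = domain_of(d["srawcon"])
            if raw_type in unmapped_types:
                verdicts[key] = ("unmapped-domain", raw_type)
            else:
                verdicts[key] = ("unlabeled-unknown", raw_type)
        else:
            verdicts[key] = ("policy-denial", domain_of(d["scontext"]))
    return verdicts


if __name__ == "__main__":
    found_unmapped, found_denials = parse_log(SAMPLE_LOG)
    for proc, (verdict, dom) in sorted(classify(found_unmapped, found_denials).items()):
        print(f"{proc:24} {verdict:18} {dom}")
```

Processes reported as `unmapped-domain` cannot recover by themselves after the policy becomes valid again; they need a restart, which is why the services above stayed down even though the end state of the policy was correct.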

marmarek commented 1 month ago

The best solution would obviously be not to invalidate a bunch of contexts during the update. But if that cannot be avoided, maybe some workaround would be to temporarily enable permissive mode for the update time (for example if selinux-policy-targeted is part of the update)? Can it be done using rpm triggers?