coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

[rawhide][branched] SELinux AVC denials cause multiple installation methods to fail #1779

Open marmijo opened 1 month ago

marmijo commented 1 month ago

This was investigated using selinux-policy-41.14-1.fc41 in the branched stream tracking Fedora 41.

The following AVC denials are observed in several kola ISO tests. The denials are blocking CoreOS Installer from creating directories under /etc as well as its ability to interact with udevadm.

AVC avc:  denied  { write } for  pid=1056 comm="mkdir" name="etc" dev="loop0" ino=131 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
AVC avc:  denied  { getattr } for  pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { getattr } for  pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0

Test Failures

These denials cause the following kola ISO tests to all fail with the exact same AVC denials:

iso-install.bios
iso-offline-install.bios
iso-offline-install.mpath.bios
iso-offline-install-fromram.4k.uefi
miniso-install.bios
miniso-install.nm.bios
miniso-install.4k.nm.uefi
pxe-offline-install.bios
pxe-offline-install.4k.uefi
pxe-online-install.bios
pxe-online-install.4k.uefi

Log Files

Here's a full journal.txt and console.txt from two of these tests.

pxe-online-install.bios.console.txt
pxe-online-install.bios.journal.txt

iso-offline-install.bios.console.txt
iso-offline-install.bios.journal.txt

Also, for completeness, here's a journal.txt file from a test with the enforcing=0 karg used: iso-offline-install.bios.enforcing-0.journal.txt

Additional Note

Other packages had to be pinned in the branched/rawhide stream to get around another failure with systemd-256.

Bugzilla issue with selinux-policy
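As an added example (not code from this issue, from coreos-installer, or from the tracker), a small Python script that parses AVC lines of the shape quoted above, collapses the repeated getattr denial, keeps only denials that were actually enforced (permissive=0), and prints the type-enforcement rules they map to, which is the same shape audit2allow would produce from this input. The three sample lines are the ones from this report, embedded inline; the function and variable names are the example's own.

```python
import re

# Constructed sample: the three AVC lines from the report above, as they appear
# in the journal (the udevadm getattr denial is logged twice for the same pid).
SAMPLE_AVCS = """\
AVC avc:  denied  { write } for  pid=1056 comm="mkdir" name="etc" dev="loop0" ino=131 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
AVC avc:  denied  { getattr } for  pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { getattr } for  pid=1201 comm="coreos-installe" path="/usr/bin/udevadm" dev="loop1" ino=4263 scontext=system_u:system_r:coreos_installer_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; the prefix varies between
# the kernel log, journald and auditd, so only search from "avc:" onwards.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm="mkdir") or bare (tclass=dir)
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group('rest')):
        value = kv.group('quoted') if kv.group('quoted') is not None else kv.group('bare')
        fields[kv.group('key')] = value
    fields['result'] = m.group('result')
    fields['perms'] = frozenset(m.group('perms').split())
    return fields


def type_of(context):
    """Return the type component of a context such as system_u:system_r:coreos_installer_t:s0."""
    return context.split(':')[2]


def summarize(log_text, enforced_only=True):
    """Collapse denials into {(source type, target type, class): set(perms)}.

    With enforced_only=True, denials carrying permissive=1 (what you see when
    booting with the enforcing=0 karg) are dropped: they were logged but the
    access was still granted, so they do not explain a failed install.
    """
    rules = {}
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        if enforced_only and avc.get('permissive') != '0':
            continue
        key = (type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])
        rules.setdefault(key, set()).update(avc['perms'])
    return rules


def to_te_rules(rules):
    """Render the summary as SELinux allow rules (the form audit2allow prints)."""
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in rules.items()
    ]


if __name__ == '__main__':
    for rule in to_te_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

Run against the sample it prints two rules, `allow coreos_installer_t etc_t:dir { write };` and `allow coreos_installer_t udev_exec_t:file { getattr };`, which is a quick way to confirm that journals from several failing tests really reduce to the same set of denials. The same rules are what a local module built with `audit2allow -M` and loaded with `semodule -i` would grant; note that allowing coreos_installer_t to write etc_t directories is broader than the one /etc subdirectory the installer needs, so treat such a module as a triage aid rather than a fix and keep the durable change in selinux-policy, as the Bugzilla link above does.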

marmijo commented 3 weeks ago

A workaround was added for this in: https://github.com/coreos/fedora-coreos-config/pull/3127. We're now able to run the affected kola-ISO tests in rawhide and branched.