Open lucab opened 3 years ago
Anything that is unlabeled_t
is likely to cause issues like this. You can use mount -o context=
to set a context.
Now the specific reason a denial is happening is because the file descriptor is passed from client → dbus-broker → rpm-ostreed. The first is unconfined_t
which can apparently interact with unlabeled_t
, but dbus_broker_t
can't.
We could possibly mitigate this if we passed the descriptor directly from client → rpm-ostreed (using a private socket) but it's still likely that install_t
(the context of rpm-ostreed) can't interact with unlabeled_t
either.
So basically I'd use mount -o context=
.
Thanks for the insights!
So, I was missing the fact that SELinux does re-check permissions when passing an already-open FD.
Thus it is now my understanding that the original resource context must be allowed for both the intermediate proxy (dbus-brocker
) and the final receiver (rpm-ostreed
).
It looks like an install_t
resource type could work here.
There is an additional gotcha that -o rootcontext
should be used instead of -o context
, otherwise the relabeling is also blocked:
Aug 28 12:36:15 localhost sudo[1824]: core : TTY=pts/0 ; PWD=/var/home/core ; USER=root ; COMMAND=/usr/bin/mount -t squashfs -o context=system_u:object_r:install_t:s0 --source ostree.img --target /mnt/
Aug 28 12:36:15 localhost audit[1826]: AVC avc: denied { relabelto } for pid=1826 comm="mount" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:install_t:s0 tclass=filesystem permissive=0
Other than that, it seems to work fine:
[core@localhost ~]$ sudo mount -o rootcontext="system_u:object_r:install_t:s0" --source ostree.img --target /mnt/
[core@localhost ~]$ sudo rpm-ostree rebase '/mnt:fedora/x86_64/coreos/stable'
Writing objects: 1... done
Staging deployment... done
...
Run "systemctl reboot" to start a reboot
Another minor thing is that daemon seems to hold the FD even after returning to the client, until it shuts down after idleing:
...
Run "systemctl reboot" to start a reboot
$ sudo lsof +D /mnt/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpm-ostre 4912 root 16r DIR 7,0 123 20313 /var/mnt
$ sudo umount /mnt/
umount: /mnt/: target is busy.
$ sleep 70
$ sudo umount /mnt/
# OK
Another minor thing is that daemon seems to hold the FD even after returning to the client, until it shuts down after idleing:
Yeah, definitely hit this before when trying to rebase directly from an extracted FCOS OSTree commit tarball. It's not just when using unlabeled things. E.g. testing this now
# mkdir /srv/fcos && cd /srv/fcos
# tar -xf /var/tmp/fedora-coreos-32.20200827.20.0-ostree.x86_64.tar
# rpm-ostree rebase /srv/fcos:fedora/x86_64/coreos/testing-devel
error: The connection is closed
# journalctl -e --no-pager --grep denied
Aug 28 13:42:01 cosa-devsh audit[922]: AVC avc: denied { read } for pid=922 comm="dbus-broker" path="/var/srv/fcos" dev="vda4" ino=11116496 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
Aug 28 13:42:01 cosa-devsh kernel: audit: type=1400 audit(1598622121.460:271): avc: denied { read } for pid=922 comm="dbus-broker" path="/var/srv/fcos" dev="vda4" ino=11116496 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
So here the denial is between system_dbusd_t
and var_t
.
We can fix this using chcon -t var_run_t -R .
. This comes up in the MCO too, see https://github.com/openshift/machine-config-operator/pull/1979#issuecomment-669008742 and https://github.com/openshift/machine-config-operator/blob/36f37f2d6009affe8174854f5ef5538e0cc49034/pkg/daemon/update.go#L262-L268.
We should probably try to broaden the policy. That'll avoid OCP/OKD having to do a mass relabel each time.
One interesting nit here is that only the top-level directory context mattered in the unlabeled case.
That is, the following mounted repository worked fine (result of the -o rootcontext
mount above):
$ ls -laZ /mnt/
total 5
drwxr-sr-x. 7 root root system_u:object_r:install_t:s0 123 Aug 24 16:30 .
drwxr-xr-x. 23 root root system_u:object_r:var_t:s0 4096 Aug 28 13:25 ..
-rw-r-----. 1 root root system_u:object_r:unlabeled_t:s0 0 Aug 24 16:30 .lock
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0 38 Aug 24 16:30 config
drwxr-sr-x. 2 root root system_u:object_r:unlabeled_t:s0 3 Aug 24 16:30 extensions
drwxr-sr-x. 258 root root system_u:object_r:unlabeled_t:s0 3547 Aug 24 16:30 objects
drwxr-sr-x. 5 root root system_u:object_r:unlabeled_t:s0 58 Aug 24 16:30 refs
drwxr-sr-x. 2 root root system_u:object_r:unlabeled_t:s0 3 Aug 24 16:30 state
drwxr-sr-x. 3 root root system_u:object_r:unlabeled_t:s0 28 Aug 24 16:30 tmp
Right, it's just the file descriptor being passed by the daemon. I think the more robust fix is to pass the FD directly over a private socket between client and daemon - we actually do make a private socket already for each transaction after it starts.
Possibly an even better fix is something like a StartTransaction()
dbus method and then we support grouping multiple operations as part of a single real "transaction". That way we could even make what the MCD is doing today feel like one operation even if it's multiple rpm-ostree ...
calls.
Host system details
Expected vs actual behavior
I have an FCOS ostree-repo-in-squashfs which I'm trying to use as the source for a local rebase. However, SELinux is preventing
rpm-ostree rebase
from using it, and I'm unsure what needs to be adjusted (the context of the mount vs dbus-related logic).The following denial is logged to the journal:
I'm not sure why
dbus-broker
is trying to access the repo directory (as opposed to rpm-ostreed directly), and what the correct context for the resource in this operation would be.