osbuild / osbuild-composer

An HTTP service for building bootable OS images.
https://www.osbuild.org
Apache License 2.0

Image build fails with an SELinux denial #798

Closed jeremycline closed 4 years ago

jeremycline commented 4 years ago

On a Fedora 32 host with builds from the tip of osbuild my build fails with:

Stage: org.osbuild.selinux
{
  "file_contexts": "etc/selinux/targeted/contexts/files/file_contexts"
}

Output:
[/usr/lib/tmpfiles.d/journal-nocow.conf:26] Failed to resolve specifier: uninitialized /etc detected, skipping
All rules containing unresolvable specifiers will be skipped.
setfiles: Could not set context for /run/osbuild/tree/usr/bin/ejabberdctl:  Invalid argument
Traceback (most recent call last):
  File "/run/osbuild/lib/stages/org.osbuild.selinux", line 61, in <module>
    r = main(args["tree"], args["options"])
  File "/run/osbuild/lib/stages/org.osbuild.selinux", line 52, in main
    subprocess.run(["setfiles", "-F", "-r", f"{tree}", f"{file_contexts}", f"{tree}"], check=True)
  File "/usr/lib64/python3.8/subprocess.py", line 512, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['setfiles', '-F', '-r', '/run/osbuild/tree', '/run/osbuild/tree/etc/selinux/targeted/contexts/files/file_contexts', '/run/osbuild/tree']' returned non-zero exit status 255.

The root cause is:

AVC avc:  denied  { mac_admin } for  pid=110119 comm="setfiles" capability=33  scontext=system_u:system_r:osbuild_t:s0 tcontext=system_u:system_r:osbuild_t:s0 tclass=capability2 permissive=0

The blueprint, generated by adding ejabberd-19.09.1-2.fc32:

ejabberd ships its own selinux policy which is what I assume is triggering this particular issue. Adjusting the SELinux policy with something like:

require {
    type osbuild_t;
    class capability2 mac_admin;
}

allow osbuild_t self:capability2 mac_admin;

fixes the issue. https://selinuxproject.org/page/NB_ObjectClassesPermissions describes mac_admin as "Allow MAC configuration state changes. For SELinux allow contexts not defined in the policy to be assigned. This is called 'deferred mapping of security contexts' and is explained at: http://www.nsa.gov/research/selinux/list-archive/0805/26046.shtml".

The link is dead and I've not bothered digging in other archives for the explanation, but the brief description makes sense and sounds like a capability osbuild would need.
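As an added illustration (not code from the issue or from the osbuild project), the following Python derives the `require`/`allow` module shown in the comment above from the AVC line it quotes, which is the same mechanical derivation audit2allow performs; the sample AVC line is constructed from the one in the report.

```python
import re

# Constructed sample input: the AVC line quoted in the report above.
SAMPLE_AVC = (
    'AVC avc:  denied  { mac_admin } for  pid=110119 comm="setfiles" capability=33  '
    'scontext=system_u:system_r:osbuild_t:s0 tcontext=system_u:system_r:osbuild_t:s0 '
    'tclass=capability2 permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Pull the fields that matter for a policy rule out of one AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial line")

    def ctx_type(ctx):
        return ctx.split(":")[2]  # user:role:type:level -> type

    return {
        "perms": m.group("perms").split(),
        "stype": ctx_type(m.group("scontext")),
        "ttype": ctx_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=0 means the access was actually blocked, not merely logged
        "enforced": m.group("permissive") != "1",
    }


def fmt_perms(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def avc_to_te(line):
    """Render the minimal TE module that would allow the denied access.
    Like audit2allow this grants exactly what was denied; mac_admin is a broad
    capability, so review such a rule rather than loading it blindly."""
    d = parse_avc(line)
    self_access = d["stype"] == d["ttype"]
    target = "self" if self_access else d["ttype"]
    types = [d["stype"]] if self_access else [d["stype"], d["ttype"]]
    out = ["require {"]
    out += [f"    type {t};" for t in types]
    out.append(f"    class {d['tclass']} {fmt_perms(d['perms'])};")
    out += ["}", "", f"allow {d['stype']} {target}:{d['tclass']} {fmt_perms(d['perms'])};"]
    return "\n".join(out)
```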

dvdhrm commented 4 years ago

Yeah, if I read this correctly, we ran into the same issue just some weeks ago. osbuild now ships custom selinux policies which grant it mac_admin. I am unsure whether this has hit F32, yet. @gicmo probably knows more on that?

Nevertheless, mac_admin is definitely needed for custom selinux policies which are not available on the host kernel. This is one of the things that leaks into any sandbox or container, and there is little we can do about it. The mac_admin policy avoids this, but at the same time grants way too broad permissions for the things required.

gicmo commented 4 years ago

> Yeah, if I read this correctly, we ran into the same issue just some weeks ago. osbuild now ships custom selinux policies which grant it mac_admin. I am unsure whether this has hit F32, yet. @gicmo probably knows more on that?

We do have a custom selinux policy, but we don't grant osbuild (i.e. osbuild_t/osbuild_exec_t) mac_admin; rather, the custom policy allows the transitioning of setfiles into setfiles_mac_t via seutil_domtrans_setfiles_mac. The latter has mac_admin. Additionally, we allow transitioning from osbuild_t to install_t, which also has mac_admin, which fixes the custom selinux (and thus unknown labels) issue for ostree (which is install_exec_t). So this is all good.

> Nevertheless, mac_admin is definitely needed for custom selinux policies which are not available on the host kernel. This is one of the things that leaks into any sandbox or container, and there is little we can do about it. The mac_admin policy avoids this, but at the same time grants way too broad permissions for the things required.

For now we are ok. There is still the issue of cp being just bin_t and thus also unable to read and copy unknown labels, but that can be fixed by labeling cp as install_exec_t in the build root (see e80130a830c351b71e34d2e5b5e6e967e286bd9b).

The reason osbuild is failing here is very likely because for all of the selinux custom labelling to work, the binaries in the build root need to be labelled correctly, i.e. the build pipeline needs to have an SELinux stage, which osbuild-composer currently does not have. This is the plan though, and also to get it into the next release so it ends up in RHEL as well.

So this is either a dup of osbuild/osbuild#400 or we move it to composer?

gicmo commented 4 years ago

Just checked, composer is not adding the SELinux stages in the build pipeline for Fedora 31, 32 yet, only RHEL. Pretty sure that is why you are seeing that issue. Moving to composer.

msehnout commented 4 years ago

This should be fixed once #799 gets merged. The PR is currently blocked by the fact that we test Azure upload only in Travis, but the SELinux stage makes the image build fail when running on Ubuntu (Travis). Once the test is migrated to Jenkins, this PR should be ready to go.