[Bug 1230643] New: [SELinux] semodule removal issues
https://bugzilla.suse.com/show_bug.cgi?id=1230643

Bug ID: 1230643
Summary: [SELinux] semodule removal issues
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: cathy.hu@suse.com
Reporter: cathy.hu@suse.com
QA Contact: security-team@suse.de
CC: anton.smorodskyi@suse.com
Target Milestone: ---
Found By: ---
Blocker: ---

There are some issues with module removal on MicroOS, probably related to
https://build.opensuse.org/package/rdiff/security:SELinux/selinux-policy?linkrev=base&rev=271

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1230643#c2

--- Comment #2 from Anton Smorodskyi <anton.smorodskyi@suse.com> ---
```
semodule -l
libsemanage.semanage_direct_get_module_info: Unable to open ajaxterm module lang ext file at /var/lib/selinux/targeted/active/modules/100/ajaxterm/lang_ext. (No such file or directory).
semodule: Failed on list!
```
Output from the same system as https://gitlab.suse.de/-/snippets/2263
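As an added example that is not part of the bug report: a small Python check that walks a libsemanage module store and lists module directories missing the files `semodule -l` reads. The store layout assumed here, `<store>/active/modules/<priority>/<name>/{cil,hll,lang_ext}`, matches the path in the error above; the fixture is constructed and reproduces the half-removed ajaxterm state.

```python
# Added example (not from the bug report): audit a libsemanage module store
# for module directories that lack the per-module files libsemanage expects,
# the condition behind "Unable to open ... lang_ext" from `semodule -l`.
import tempfile
from pathlib import Path

# Assumption: a healthy module dir under <store>/active/modules/<prio>/<name>/
# holds "lang_ext" plus the compiled "cil" ("hll" is only present for modules
# installed from a high-level language such as .pp).
REQUIRED = ("lang_ext", "cil")


def audit_module_store(store_root):
    """Return {(priority, name): [missing files]} for every incomplete module dir."""
    problems = {}
    modules_dir = Path(store_root) / "active" / "modules"
    if not modules_dir.is_dir():
        # No store at all is reported under a sentinel key.
        return {"<store>": [str(modules_dir)]}
    for prio_dir in sorted(modules_dir.iterdir()):
        if not prio_dir.name.isdigit():
            continue  # not a priority directory (e.g. 100, 400)
        for mod_dir in sorted(prio_dir.iterdir()):
            if not mod_dir.is_dir():
                continue
            missing = [f for f in REQUIRED if not (mod_dir / f).is_file()]
            if missing:
                problems[(int(prio_dir.name), mod_dir.name)] = missing
    return problems


def build_sample_store():
    """Constructed fixture shaped like /var/lib/selinux/targeted: one healthy
    module and one module whose lang_ext is gone, as for ajaxterm in the report."""
    root = Path(tempfile.mkdtemp(prefix="selinux-store-"))
    base = root / "active" / "modules" / "100"
    for name, files in (("ssh", ("cil", "hll", "lang_ext")),
                        ("ajaxterm", ("cil", "hll"))):
        (base / name).mkdir(parents=True)
        for f in files:
            (base / name / f).write_text("pp\n" if f == "lang_ext" else "")
    return root


if __name__ == "__main__":
    for (prio, name), missing in audit_module_store(build_sample_store()).items():
        print(f"priority {prio} module {name}: missing {', '.join(missing)}")
```

Run it against a real store with `audit_module_store("/var/lib/selinux/targeted")` (as root) to confirm whether a failing `semodule -l` is caused by an incomplete module directory rather than by the policy itself.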
Felix Niederwanger <felix.niederwanger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |felix.niederwanger@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1230643#c3

--- Comment #3 from Anton Smorodskyi <anton.smorodskyi@suse.com> ---
```
ausearch -m avc -ts today
----
time->Wed Sep 18 08:38:02 2024
type=AVC msg=audit(1726641482.163:7351): avc: denied { read } for pid=62188 comm="sshd-session" name="inactive.motd" dev="tmpfs" ino=1855 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
----
time->Wed Sep 18 08:42:57 2024
type=AVC msg=audit(1726641777.678:7434): avc: denied { transition } for pid=62659 comm="crun" path="/run.sh" dev="overlay" ino=10322757 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c534,c891 tclass=process permissive=0
----
time->Wed Sep 18 08:42:58 2024
type=AVC msg=audit(1726641778.405:7451): avc: denied { transition } for pid=62763 comm="crun" path="/run.sh" dev="overlay" ino=10322757 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c569,c909 tclass=process permissive=0
----
time->Wed Sep 18 08:42:59 2024
type=AVC msg=audit(1726641779.405:7468): avc: denied { transition } for pid=62868 comm="crun" path="/run.sh" dev="overlay" ino=10322757 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c295,c694 tclass=process permissive=0
----
time->Wed Sep 18 08:43:00 2024
type=AVC msg=audit(1726641780.172:7485): avc: denied { transition } for pid=62974 comm="crun" path="/run.sh" dev="overlay" ino=10322757 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c142,c966 tclass=process permissive=0
----
time->Wed Sep 18 08:43:00 2024
type=AVC msg=audit(1726641780.952:7502): avc: denied { transition } for pid=63088 comm="crun" path="/run.sh" dev="overlay" ino=10322757 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:container_t:s0:c281,c667 tclass=process permissive=0
```
https://bugzilla.suse.com/show_bug.cgi?id=1230643#c4

--- Comment #4 from Felix Niederwanger <felix.niederwanger@suse.com> ---
Do we have a reproducer for this issue or at least some clue what went wrong? Asking because I'm investigating if we can extend the test coverage for this and similar issues.
Pavel Dostál <pdostal@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdostal@suse.com
Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |filippo.bonazzi@suse.com,
                   |                            |jsegitz@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1230643#c6

--- Comment #6 from Felix Niederwanger <felix.niederwanger@suse.com> ---
(In reply to Thorsten Kukuk from comment #5)
> (In reply to Felix Niederwanger from comment #4)
> > Do we have a reproducer for this issue or at least some clue what went wrong?
>
> Since this is MicroOS: /var/lib/selinux is not part of the transaction, but part of the selinux-policy RPM. For this reason the /var/lib/selinux directory visible outside is mounted inside the transaction. I assume what I have already feared for a long time is now happening: the policy inside the transaction is incompatible with the one outside, and both try to access /var/lib/selinux.

The issue was that all containers on the host in question failed to start after an update & reboot, so any transient inconsistency would be ruled out. Or do you suggest that the policy conflicts damage the update process in such a way that the new snapshot is borked?