99-selinux-fixfiles-restore: runcon: chroot: Permission denied

Bug #1710973 reported by Markos Chandras
This bug affects 3 people

Affects: diskimage-builder; Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

We have been seeing the following problem for quite a while now when building centos7 images on centos7 hosts.

09:35:57 EDT 2017 99-remove-yum-repo-conf completed
dib-run-parts Tue Aug 15 09:35:57 EDT 2017 Running /tmp/dib_build.xNWGSL6l/hooks/cleanup.d/99-selinux-fixfiles-restore
runcon: chroot: Permission denied

The command that triggered this is the following one:

disk-image-create --no-tmpfs -o /httpboot/deployment_image.qcow2 -t qcow2 -p "vim,less,bridge-utils,iputils,rsyslog,curl" centos7 vm enable-serial-console simple-init devuser growroot openssh-server

Revision history for this message
Clark Boylan (cboylan) wrote :

The runcon call in this script is done to ensure we can set the selinux context in the chroot regardless of the host policy. Can you provide more information about whether or not selinux was enabled on your build host and distro and version of distro you are using? Guessing that on certain platforms the required context to update selinux contexts has changed in policy somewhere.

Markos Chandras (hwoarang) wrote :

The build host is Centos7 and selinux is set to 'Enforcing' according to 'getenforce'.

Yolanda Robla (yolanda.robla) wrote :

I was able to make it work with enforcing by adding this custom module:

```
module runcon 1.0;

require {
 type bin_t;
 type unconfined_service_t;
 type setfiles_mac_t;
 class process transition;
 class file entrypoint;
}

#============= setfiles_mac_t ==============

#!!!! WARNING: 'bin_t' is a base type.
allow setfiles_mac_t bin_t:file entrypoint;

#============= unconfined_service_t ==============

#!!!! The file '/usr/sbin/chroot' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/sbin/chroot
allow unconfined_service_t setfiles_mac_t:process transition;
```

Ian Wienand (iwienand) wrote :

I experimented with this today, and I could see this with selinux and enforcing, but only if I did *not* run "sudo semanage permissive -a setfiles_mac_t" before it.

Can you post the full logs? Did that call return anything?

Yolanda -- my audit2allow gave something slightly different

```
module runcon 1.0;

require {
        type bin_t;
        type setfiles_mac_t;
        class file entrypoint;
}

#============= setfiles_mac_t ==============

#!!!! WARNING: 'bin_t' is a base type.
allow setfiles_mac_t bin_t:file entrypoint;
```

For my own reference:

```
$ checkmodule -M -m -o runcon.mod runcon.te
$ semodule_package -o runcon.pp -m runcon.mod
$ semodule -i runcon.pp
```

... but we could also just turn selinux off. I agree we should try to fix it if we can, but I really don't think running with it on is our highest priority.
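The two modules posted above are audit2allow output. As an added example (not diskimage-builder code and not from anyone in this thread), the script below shows how each `allow` rule is derived from the AVC denial line that audit2allow reads, and flags the two things worth reviewing before `semodule -i`: the base-type entrypoint that audit2allow itself warns about, and the extra `process transition` rule that only appears in the first module. The AVC lines are constructed to match the rules posted here; the function names are hypothetical.

```shell
# Added example, not diskimage-builder code. Constructed AVC denials matching
# the two modules in this thread: setfiles_mac_t entering /usr/sbin/chroot
# (labelled bin_t), and unconfined_service_t transitioning to setfiles_mac_t.
SAMPLE_AVC='type=AVC msg=audit(1502806557.101:321): avc:  denied  { entrypoint } for  pid=4242 comm="runcon" path="/usr/sbin/chroot" dev="dm-0" ino=1337 scontext=unconfined_u:unconfined_r:setfiles_mac_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502806557.102:322): avc:  denied  { transition } for  pid=4242 comm="runcon" path="/usr/sbin/chroot" dev="dm-0" ino=1337 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:setfiles_mac_t:s0 tclass=process permissive=0'

# avc_to_allow (hypothetical name): read AVC lines on stdin and print one
# deduplicated rule per denial: allow <source type> <target type>:<class> <perm>;
# The type is the third colon-separated field of scontext/tcontext.
avc_to_allow() {
    awk '
    /avc:.*denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        if (index(perm, " ")) perm = "{ " perm " }"   # several perms need braces
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass") cls = kv[2]
        }
        if (src != "" && tgt != "" && cls != "" && perm != "")
            print "allow " src " " tgt ":" cls " " perm ";"
    }' | sort -u
}

# review_rules (hypothetical name): read rules on stdin and mark the ones a
# reviewer should question before installing the module: an entrypoint on the
# base type bin_t (the audit2allow warning above) and any process transition,
# which widens the set of domains that may enter setfiles_mac_t.
review_rules() {
    while IFS= read -r rule; do
        case "$rule" in
            *" bin_t:file entrypoint;") echo "REVIEW: base type entrypoint -> $rule" ;;
            *":process transition;")    echo "REVIEW: domain transition -> $rule" ;;
            *)                          echo "OK: $rule" ;;
        esac
    done
}

# Usage: derive the rules from the sample denials and review them.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | review_rules
```

On a real host the input would come from `ausearch -m AVC` or /var/log/audit/audit.log instead of the constructed sample.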

Markos Chandras (hwoarang) wrote :

Hi Ian,

I have no logs to share besides

https://build.opnfv.org/ci/view/OPNFV%20XCI/job/opnfv-bifrost-verify-centos7-virtual-master/266/consoleFull

The host that showed this behavior has been fixed by Yolanda but either way I wouldn't have any more logs besides the jenkins one.

Adrien Fleury (fleu42) wrote :

Hi,

I have been facing the same issue this morning.

The code called at that time is the following:

```
        sudo ${_runcon} chroot ${TARGET_ROOT} \
            /usr/sbin/setfiles -F ${_dash_m} \
            /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
    fi
done
```

The thing is `sudo` needs the `-t` option to execute commands in an SELinux context.

We could call it like that to fix this bug:

```
        sudo -t "${_runcon}" chroot ${TARGET_ROOT} \
            /usr/sbin/setfiles -F ${_dash_m} \
            /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
    fi
done
```

`-t ""` allows us to run sudo even if there is no context.
