Bug 1057898 - Update 3.12.1-119 breaks snapperd
Summary: Update 3.12.1-119 breaks snapperd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 20
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 1066485
 
Reported: 2014-01-25 21:25 UTC by Mathieu Chouquet-Stringer
Modified: 2014-04-09 13:22 UTC (History)

Fixed In Version: selinux-policy-3.12.1-149.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1066485 (view as bug list)
Environment:
Last Closed: 2014-04-09 13:22:56 UTC


Attachments
Compressed audit.log (deleted), 2014-01-28 14:49 UTC, Mathieu Chouquet-Stringer
Compressed audit.log for continuing issues (deleted), 2014-01-31 19:08 UTC, Will Tisdale

Description Mathieu Chouquet-Stringer 2014-01-25 21:25:13 UTC
Description of problem:
With the policy version 3.12.1-106, /usr/sbin/snapperd has the label:

system_u:object_r:bin_t:s0       /usr/sbin/snapperd

After an upgrade to 3.12.1-119, it's:
system_u:object_r:snapperd_exec_t:s0 /usr/sbin/snapperd

At this point, running something like snapper list yields a:
Failure (org.freedesktop.DBus.Error.Spawn.ExecFailed).

SELinux Alert Browser reports this (and yes this is what we want since snapperd is forked by dbus):
SELinux is preventing /usr/lib64/dbus-1/dbus-daemon-launch-helper from execute access on the file /usr/sbin/snapperd.

Let me know if you need more info.

Cheers,
Matt

Comment 1 Miroslav Grepl 2014-01-27 08:39:15 UTC
commit ece7f79c5171243ab329b710fac1d48ef275a5a6
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Jan 27 08:23:37 2014 +0100

    snapperd is D-Bus service

Comment 2 Mathieu Chouquet-Stringer 2014-01-27 10:02:01 UTC
Hello Miroslav,

Out of curiosity, could you tell me where the git repository for the policy is?

I found http://pkgs.fedoraproject.org/cgit/selinux-policy.git/ and https://git.fedorahosted.org/cgit/selinux-policy.git/ but none of these seem to be the right thing?

Thanks again for your prompt reply.

Cheers.

Comment 4 Mathieu Chouquet-Stringer 2014-01-27 10:08:44 UTC
Cool, thanks.

Comment 5 Fedora Update System 2014-01-27 19:17:06 UTC
selinux-policy-3.12.1-121.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-121.fc20

Comment 6 Mathieu Chouquet-Stringer 2014-01-27 20:07:50 UTC
The new build helps but a lot of things are still messed up.

Here are some examples:
- SELinux is preventing /usr/sbin/snapperd from write access on the directory /var/log (snapperd wants to write to /var/log/snapper.log)

- all snapshots are now mislabeled (or it appears as such):
SELinux is preventing /usr/sbin/snapperd from write access on the directory /.snapshots
SELinux is preventing /usr/sbin/snapperd from setattr access on the directory /.snapshots/1
SELinux is preventing /usr/sbin/snapperd from ioctl access on the directory /.snapshots/1
SELinux is preventing /usr/sbin/snapperd from getattr access on the file /.snapshots/1/info.xml.tmp-afrkCd

Given the sheer number of errors (a 'grep snapperd /var/log/audit/audit.log | audit2allow' returns 349 lines), what would you need from me to help fixing this?
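
A triage sketch for the kind of audit.log output described in the comment above, added here as an example and not part of the original bug report or of the selinux-policy project. It groups AVC denials by source type, target type and class, and separates targets carrying no usable label (such as file_t) from denials that call for a policy rule. The sample records, the snapperd_t domain name and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Fields of an AVC denial record that matter for triage.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

# Target types that mean "no usable label": fix the labeling, not the policy.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

# Constructed sample records (not taken from the attached audit.log).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1390852800.101:301): avc:  denied  { execute } for  pid=2101 comm="dbus-daemon-lau" name="snapperd" dev="dm-1" ino=4001 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1390852801.102:302): avc:  denied  { write } for  pid=2102 comm="snapperd" name="log" dev="dm-1" ino=131 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1390852802.103:303): avc:  denied  { write } for  pid=2102 comm="snapperd" name=".snapshots" dev="dm-1" ino=256 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'type=AVC msg=audit(1390852803.104:304): avc:  denied  { setattr } for  pid=2102 comm="snapperd" name="1" dev="dm-1" ino=257 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'type=AVC msg=audit(1390852804.105:305): avc:  denied  { getattr } for  pid=2102 comm="snapperd" path="/.snapshots/1/info.xml.tmp-afrkCd" dev="dm-1" ino=258 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1390852804.105:305): arch=c000003e syscall=4 success=no exit=-13 comm="snapperd"',
]

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(lines, comm=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue  # not an AVC denial, or from a different process
        key = (selinux_type(m.group("scon")), selinux_type(m.group("tcon")),
               m.group("tclass"))
        summary[key].update(m.group("perms").split())
    return dict(summary)

def labeling_problems(summary):
    """Return the keys whose target has no usable label."""
    return sorted(k for k in summary if k[1] in UNLABELED_TYPES)

if __name__ == "__main__":
    result = summarize_denials(SAMPLE_AUDIT_LINES, comm="snapperd")
    for key, perms in sorted(result.items()):
        print(key, sorted(perms))
    print("relabel instead of allowing:", labeling_problems(result))
```

Denials against file_t or unlabeled_t targets would be turned into overly broad allow rules by audit2allow, so they are worth splitting out before any rule is written.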

Comment 7 Miroslav Grepl 2014-01-28 07:32:32 UTC
Could you send me compressed /var/log/audit/audit.log file?

Comment 8 Mathieu Chouquet-Stringer 2014-01-28 14:49:43 UTC
Created attachment 856656 [details]
Compressed audit.log

Comment 9 Mathieu Chouquet-Stringer 2014-01-28 14:54:52 UTC
There you go.

Not sure if you know what snapperd does but if you don't, not only does it create regular snapshots (hourly, daily, ...) but it also creates pre and post yum snapshots. And every time a snapshot is created, it computes the differences to show you what got changed and so on.

It thus means snapperd must be able to walk a whole snapshot of a filesystem...

Comment 10 Fedora Update System 2014-01-29 03:07:07 UTC
Package selinux-policy-3.12.1-121.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-121.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1700/selinux-policy-3.12.1-121.fc20
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-01-30 03:33:12 UTC
Package selinux-policy-3.12.1-122.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-122.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1700/selinux-policy-3.12.1-122.fc20
then log in and leave karma (feedback).

Comment 12 Will Tisdale 2014-01-31 19:08:57 UTC
Created attachment 857956 [details]
Compressed audit.log for continuing issues

SELinux is still complaining about things that snapper is trying to do...

Unlink on info.xml, remove_name and create on info.xml.tmp-xxxxxx, setattr on #, etc.

Attached compressed audit.log

Comment 13 Will Tisdale 2014-01-31 19:11:43 UTC
*** Bug 1057460 has been marked as a duplicate of this bug. ***

Comment 14 Miroslav Grepl 2014-02-03 07:56:41 UTC
Yes, I am switching it back to assigned. This is a more complex bug where we will need to fix btrfs labeling because we end up with file_t.

# btrfs subvolume create /home/.snapshots

Comment 15 Fedora Update System 2014-02-12 14:45:59 UTC
selinux-policy-3.12.1-122.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Mathieu Chouquet-Stringer 2014-02-13 22:35:11 UTC
Wait, this shouldn't be closed, it's still not working at all..

Comment 17 Will Tisdale 2014-02-18 16:21:03 UTC
Seeing as this doesn't look like it is going to be fixed quickly, can we revert to the previous behaviour, which worked, because this current bug makes snapper quite unusable.

I'm seeing cron.daily get stuck every day and cron.weekly get stuck every week because snapper can't do what it wants to do, and this appears in the journal:

Feb 18 06:01:01 Aeolus.local anacron[1898]: Job `cron.daily' locked by another anacron - skipping
Feb 18 06:01:01 Aeolus.local anacron[1898]: Job `cron.weekly' locked by another anacron - skipping

I have to do a 'sudo killall snapper' every morning to get the rest of the cron scripts to run.

The current behaviour is far from optimal.

Comment 18 Miroslav Grepl 2014-02-27 08:34:03 UTC
Could you test it with

http://koji.fedoraproject.org/koji/buildinfo?buildID=500802

Comment 19 Mathieu Chouquet-Stringer 2014-03-15 19:10:04 UTC
That seems to do the trick for me, thanks!

Comment 20 Daniel Walsh 2014-03-16 20:51:00 UTC
Fixed in selinux-policy-3.12.1-128.fc20

Comment 21 Fedora Update System 2014-03-31 14:06:17 UTC
selinux-policy-3.12.1-149.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-149.fc20

Comment 22 Fedora Update System 2014-04-02 09:04:25 UTC
Package selinux-policy-3.12.1-149.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-149.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4604/selinux-policy-3.12.1-149.fc20
then log in and leave karma (feedback).

Comment 23 Fedora Update System 2014-04-09 13:22:56 UTC
selinux-policy-3.12.1-149.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

