Re: Last call for selinux userspace 2.8 release

[Jason Zaman <jason@perfinion.com>]

On Fri, May 04, 2018 at 09:36:12AM -0400, Stephen Smalley wrote:
> On 05/04/2018 09:26 AM, Dominick Grift wrote:
> > On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> >> On 05/04/2018 03:55 AM, Jason Zaman wrote:
> >>> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> >>>> Hi,
> >>>>
> >>>> If you have encountered any unreported problems with the 2.8-rcX releases or have any
> >>>> pending patches you believe should be included in the 2.8 release, please post them soon.
> >>>
> >>> the rc2 release has been fine for me for several days now. And I havent
> >>> heard any issues from any gentoo users either so we're probably good to
> >>> go. -rc1 failed to boot properly for me because some important things in
> >>> /run or /dev didnt get labeled but that was fixed in rc2.
> >>
> >> Hmm...I'd like to understand that better. The change was verifying file_contexts when using restorecon,
> >> which was reverted in -rc2.  But the fact that it prevented labeling files in -rc1 means that either
> >> you have a bug in your file_contexts configuration or there is some other bug there.
> > 
> > If it cannot validate_context then it will be unhappy:
> > 
> > [root@julius ~]# dnf history info last
> > Transaction ID : 364
> > Begin time     : Fri 04 May 2018 01:12:36 PM CEST
> > Begin rpmdb    : 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
> > End time       : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
> > End rpmdb      : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
> > User           : kcinimod <kcinimod>
> > Return-Code    : Success
> > Command Line   : update --exclude efi-filesystem
> > Transaction performed with:
> >     Installed     dnf-2.7.5-12.fc29.noarch @rawhide
> >         Installed     rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
> > 	Packages Altered:
> > 	    Upgraded cockpit-166-1.fc29.x86_64                      @rawhide
> > ... snip ...
> > Scriptlet output:
> >    1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >       2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >          3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 	    4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 	       5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> 
> So, just to be clear: these contexts are in fact valid but the lack of permission to use the /sys/fs/selinux/context interface (for security_check_context) causes it to think the context is invalid and therefore fails?  If so, then 
> that makes sense and would be another reason for reverting that change.  In any case, -rc2 should have the fix.

Yeah im pretty sure this is what happened. The issues off the top of my
head were some relabelling very early on in boot of /dev/ and /run so
those ended up with completely wrong contexts so nothing afterwards
worked either. There wasnt much output cuz /dev/console was mislabelled.
Dbus and Udev stuff in /run was wrong too so X kind of started but I had
no keyboard or mouse and everything using dbus died too.

It apeared to mostly work if i booted in permissive and then force
relabelled a bunch of stuff then switched to enforcing. I only bumped to
-rc1 a day before -rc2 came out so I pretty much just updated again
immediately as soon as I saw the validation issues and everything was
fine again.

I could try out -rc1 in a VM again if you want to be certain but pretty
sure this is it.

-- Jason