
SELinux breaks updating kernel package in a template #8144

Closed
marmarek opened this issue Apr 15, 2023 · 7 comments · Fixed by QubesOS/qubes-core-agent-linux#425 or QubesOS/qubes-core-agent-linux#428
Labels: affects-4.2 (this issue affects Qubes OS 4.2), C: Fedora, diagnosed (technical diagnosis has been performed; see issue comments), P: default (default priority for new issues), pr submitted (a pull request has been submitted for this issue)

Comments

@marmarek (Member):

Qubes OS release

R4.2

Brief summary

With SELinux in enforcing mode, updating kernel packages in a template fails.

Steps to reproduce

sudo dnf update 'kernel*' in a SELinux-enabled template (booted from dom0-provided kernel)

Expected behavior

Kernel packages (including modules) are successfully updated in the root fs.

Actual behavior

Downloading Packages:
(1/4): kernel-6.2.10-300.fc38.x86_64.rpm        766 kB/s | 129 kB     00:00    
(2/4): kernel-core-6.2.10-300.fc38.x86_64.rpm   8.2 MB/s |  15 MB     00:01    
(3/4): kernel-modules-core-6.2.10-300.fc38.x86_  12 MB/s |  37 MB     00:03    
(4/4): kernel-modules-6.2.10-300.fc38.x86_64.rp  16 MB/s |  62 MB     00:03    
--------------------------------------------------------------------------------
Total                                            25 MB/s | 115 MB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : kernel-modules-core-6.2.10-300.fc38.x86_64             1/4 
error: lsetfilecon: (37 /lib/modules, system_u:object_r:modules_object_t:s0) Permission denied
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package kernel-modules-core-6.2.10-300.fc38.x86_64
  Installing       : kernel-core-6.2.10-300.fc38.x86_64                     2/4 
error: unpacking of archive failed on file /lib/modules: cpio: (error 0x2)
error: kernel-modules-core-6.2.10-300.fc38.x86_64: install failed
error: failed to open dir 6.2.10-300.fc38.x86_64 of /lib/modules/6.2.10-300.fc38.x86_64/: Permission denied

Error unpacking rpm package kernel-core-6.2.10-300.fc38.x86_64
  Installing       : kernel-modules-6.2.10-300.fc38.x86_64                  3/4 
error: unpacking of archive failed on file /lib/modules/6.2.10-300.fc38.x86_64/.vmlinuz.hmac;643afdfd: cpio: open failed - No such file or directory
error: kernel-core-6.2.10-300.fc38.x86_64: install failed
error: failed to open dir 6.2.10-300.fc38.x86_64 of /lib/modules/6.2.10-300.fc38.x86_64/kernel/drivers/acpi/: Permission denied

Error unpacking rpm package kernel-modules-6.2.10-300.fc38.x86_64
  Installing       : kernel-6.2.10-300.fc38.x86_64                          4/4 
error: unpacking of archive failed on file /lib/modules/6.2.10-300.fc38.x86_64/kernel/drivers/acpi/video.ko.xz;643afdfd: cpio: open failed - No such file or directory
error: kernel-modules-6.2.10-300.fc38.x86_64: install failed

  Verifying        : kernel-6.2.10-300.fc38.x86_64                          1/4 
  Verifying        : kernel-core-6.2.10-300.fc38.x86_64                     2/4 
  Verifying        : kernel-modules-6.2.10-300.fc38.x86_64                  3/4 
  Verifying        : kernel-modules-core-6.2.10-300.fc38.x86_64             4/4 
Notifying dom0 about installed applications

Installed:
  kernel-6.2.10-300.fc38.x86_64                                                 
Failed:
  kernel-core-6.2.10-300.fc38.x86_64                                            
  kernel-modules-6.2.10-300.fc38.x86_64                                         
  kernel-modules-core-6.2.10-300.fc38.x86_64                                    

and also

[   26.686894] audit: type=1400 audit(1681587709.801:114): avc:  denied  { create } for  pid=1024 comm="dnf" name="6.2.10-300.fc38.x86_64" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=dir permissive=0

I believe it's specific to our setup for /lib/modules, not a Fedora upstream issue.

marmarek added the T: bug, C: Fedora and P: default labels on Apr 15, 2023
marmarek added this to the Release 4.2 milestone on Apr 15, 2023
@marmarek (Member, Author):

@DemiMarie any idea?

andrewdavidwong added the needs diagnosis label on Apr 15, 2023
DemiMarie self-assigned this on Apr 16, 2023
@marmarek (Member, Author):

Interestingly, this seems to affect only Fedora 38, but not Fedora 37. So, maybe it is an upstream issue? Or some change in upstream SELinux policy which makes our labeling incompatible?

In any case, linking to #8069

@marmarek (Member, Author):

It does not fail with in-VM kernel, so it is something specific to our /lib/modules handling.

@marmarek (Member, Author):

FWIW, I have tried regenerating modules.img with immutable=no (and confirmed indeed immutable attr was not set), and it still failed.

@DemiMarie:

It does not fail with in-VM kernel, so it is something specific to our /lib/modules handling.

Does it fail when using kernel-latest?

@marmarek (Member, Author) commented Apr 17, 2023 via email

@DemiMarie commented May 2, 2023:

audit2allow suggests:

allow kernel_t modules_object_t:dir relabelfrom;
allow kernel_t modules_object_t:dir create;

along with a comment stating that kernel_t would need can_change_object_identity. However, kernel_t is not the correct context here — unconfined_t is! I suspect this is a kernel bug in our initramfs: we need to use unconfined_t when mounting the overlayfs.
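The AVC denial quoted earlier in this issue and the two audit2allow rules above, worked through as an added example (this is not code from the issue, from audit2allow or from Qubes): a small parser that turns audit lines into audit2allow-style allow rules and separately flags denials whose source domain is not the one the process should be running in (unconfined_t here), which is the signal that the fix belongs in labeling rather than in an allow rule. The second audit line in the sample is constructed to match the relabelfrom rule; it is not from the issue.

```python
import re

# Constructed sample. The first line is the AVC denial quoted in this issue;
# the second is constructed to match the relabelfrom rule audit2allow suggested.
SAMPLE_AUDIT = """\
[   26.686894] audit: type=1400 audit(1681587709.801:114): avc:  denied  { create } for  pid=1024 comm="dnf" name="6.2.10-300.fc38.x86_64" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=dir permissive=0
[   26.686900] audit: type=1400 audit(1681587709.801:115): avc:  denied  { relabelfrom } for  pid=1024 comm="dnf" name="modules" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type:level; policy rules are written in terms of the type.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    d["perms"] = m.group("perms").split()
    return d


def allow_rules(audit_text):
    """Collapse denials into audit2allow-style rules, one per (source, target, class, perm)."""
    rules = set()
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d:
            for perm in d["perms"]:
                rules.add(f'allow {d["stype"]} {d["ttype"]}:{d["tclass"]} {perm};')
    return sorted(rules)


def wrong_domain_denials(audit_text, expected_stype="unconfined_t"):
    """Denials whose source domain differs from the one the process should run in.
    An allow rule for these would widen the wrong domain instead of fixing the
    reason the process ended up in it (kernel_t instead of unconfined_t here)."""
    hits = []
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d and d["stype"] != expected_stype:
            hits.append((d["comm"], d["stype"], d["ttype"], d["tclass"], d["perms"]))
    return hits
```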

DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue May 10, 2023
This unbreaks writing to /lib/modules with SELinux enforcing.

Reported-by: Marek Marczykowski-Górecki <[email protected]>
Fixes: QubesOS/qubes-issues#8144
andrewdavidwong added the diagnosed and pr submitted labels and removed the needs diagnosis label on May 16, 2023
DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue May 22, 2023
kernel_t can read, write, create, and delete all files and device nodes
on the system, so preventing it from setting arbitrary SELinux labels
makes no sense.  Furthermore, limiting what kernel_t can do breaks
overlay mounts set up in the initramfs, as the overlay uses kernel_t to
access the underlying volumes.

Fix this by allowing kernel_t the maximum possible privileges over all
labeled inodes in the system.  That kernel_t does not already have such
privilege is likely an upstream policy bug.

Fixes: QubesOS/qubes-issues#8144 (the right way this time)
andrewdavidwong added the affects-4.2 label on Aug 8, 2023