[Virtio-fs] regression: lsetfilecon fails, breaks rpm, dpkg, dnf in virtiofs guests.

[Virtio-fs] regression: lsetfilecon fails, breaks rpm, dpkg, dnf in virtiofs guests.

[Harry G. Coin]

Some regression in virtio-fs has led to rpm/dnf/yum failing  in the same
guest it previously worked.

linux 5.11.19-300.fc34.x86_64

Specifically, all attempts to use dnf/yum lead to examples similar to this:

Error unpacking rpm package dnf-4.7.0-1.fc34.noarch
  Upgrading        :
python3-dnf-plugins-core-4.0.21-1.fc34.noarch                                                                                                                                                     
8/20
error: unpacking of archive failed on file /usr/bin/dnf;60b1b277: cpio:
(error 0x2)
error: dnf-4.7.0-1.fc34.noarch: install failed
error: lsetfilecon: (/etc/dnf/plugins/copr.conf,
system_u:object_r:etc_t:s0) Operation not permitted
error: Plugin selinux: hook fsm_file_prepare failed

(

For all packages.  No updates are possible.  Possibly related to:
https://github.com/fedora-selinux/selinux-policy/pull/478/files/21a2df26cd605c55de7edc80e16907fcb76ccf08 
?  What really gets me, is this error exists even though

# getenforce
Permissive

)

The host is running btrfs.  ... virtiofsd --fd=50 -o
source=/vmsystems/fedora_generic,xattr,flock,posix_lock

same effect with  .... virtiofsd --fd=36 -o
source=/vmsystems/dbl1,xattr,flock,no_posix_lock

/etc/fstab:

myfs / virtiofs seclabel 0 0

Re: [Virtio-fs] regression: lsetfilecon fails, breaks rpm, dpkg, dnf in virtiofs guests.

[Vivek Goyal]

On Sat, May 29, 2021 at 01:42:50PM -0500, Harry G. Coin wrote:
> Some regression in virtio-fs has led to rpm/dnf/yum failing  in the same
> guest it previously worked.
> 
> linux 5.11.19-300.fc34.x86_64
> 
> Specifically, all attempts to use dnf/yum lead to examples similar to this:
> 
> Error unpacking rpm package dnf-4.7.0-1.fc34.noarch
>   Upgrading        :
> python3-dnf-plugins-core-4.0.21-1.fc34.noarch                                                                                                                                                     
> 8/20
> error: unpacking of archive failed on file /usr/bin/dnf;60b1b277: cpio:
> (error 0x2)
> error: dnf-4.7.0-1.fc34.noarch: install failed
> error: lsetfilecon: (/etc/dnf/plugins/copr.conf,
> system_u:object_r:etc_t:s0) Operation not permitted
> error: Plugin selinux: hook fsm_file_prepare failed

CCing Dan Walsh and Ondrej. They might have an idea.

Thanks
Vivek

> 
> (
> 
> For all packages.  No updates are possible.  Possibly related to:
> https://github.com/fedora-selinux/selinux-policy/pull/478/files/21a2df26cd605c55de7edc80e16907fcb76ccf08 
> ?  What really gets me, is this error exists even though
> 
> # getenforce
> Permissive
> 
> )
> 
> The host is running btrfs.  ... virtiofsd --fd=50 -o
> source=/vmsystems/fedora_generic,xattr,flock,posix_lock
> 
> same effect with  .... virtiofsd --fd=36 -o
> source=/vmsystems/dbl1,xattr,flock,no_posix_lock
> 
> /etc/fstab:
> 
> myfs / virtiofs seclabel 0 0
> 
> 
> 
> 
> _______________________________________________
> Virtio-fs mailing list
> Virtio-fs@redhat.com
> https://listman.redhat.com/mailman/listinfo/virtio-fs

Re: [Virtio-fs] regression: lsetfilecon fails, breaks rpm, dpkg, dnf in virtiofs guests.

[Ondrej Mosnacek]

On Tue, Jun 1, 2021 at 3:02 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> On Sat, May 29, 2021 at 01:42:50PM -0500, Harry G. Coin wrote:
> > Some regression in virtio-fs has led to rpm/dnf/yum failing  in the same
> > guest it previously worked.
> >
> > linux 5.11.19-300.fc34.x86_64
> >
> > Specifically, all attempts to use dnf/yum lead to examples similar to this:
> >
> > Error unpacking rpm package dnf-4.7.0-1.fc34.noarch
> >   Upgrading        :
> > python3-dnf-plugins-core-4.0.21-1.fc34.noarch
> > 8/20
> > error: unpacking of archive failed on file /usr/bin/dnf;60b1b277: cpio:
> > (error 0x2)
> > error: dnf-4.7.0-1.fc34.noarch: install failed
> > error: lsetfilecon: (/etc/dnf/plugins/copr.conf,
> > system_u:object_r:etc_t:s0) Operation not permitted
> > error: Plugin selinux: hook fsm_file_prepare failed
>
> CCing Dan Walsh and Ondrej. They might have an idea.

I believe this was reported in
https://bugzilla.redhat.com/show_bug.cgi?id=1965786 - I put some
comments there, though I'm not sure yet where the problem lies...

>
> Thanks
> Vivek
>
> >
> > (
> >
> > For all packages.  No updates are possible.  Possibly related to:
> > https://github.com/fedora-selinux/selinux-policy/pull/478/files/21a2df26cd605c55de7edc80e16907fcb76ccf08
> > ?  What really gets me, is this error exists even though
> >
> > # getenforce
> > Permissive
> >
> > )
> >
> > The host is running btrfs.  ... virtiofsd --fd=50 -o
> > source=/vmsystems/fedora_generic,xattr,flock,posix_lock
> >
> > same effect with  .... virtiofsd --fd=36 -o
> > source=/vmsystems/dbl1,xattr,flock,no_posix_lock
> >
> > /etc/fstab:
> >
> > myfs / virtiofs seclabel 0 0
> >
> >
> >
> >
> > _______________________________________________
> > Virtio-fs mailing list
> > Virtio-fs@redhat.com
> > https://listman.redhat.com/mailman/listinfo/virtio-fs
>

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [Virtio-fs] regression: lsetfilecon fails, breaks rpm, dpkg, dnf in virtiofs guests.

[Harry G. Coin]

On 6/1/21 8:02 AM, Vivek Goyal wrote:
> On Sat, May 29, 2021 at 01:42:50PM -0500, Harry G. Coin wrote:
>> Some regression in virtio-fs has led to rpm/dnf/yum failing  in the same
>> guest it previously worked.
>>
>> linux 5.11.19-300.fc34.x86_64
>>
>> Specifically, all attempts to use dnf/yum lead to examples similar to this:
>>
>> Error unpacking rpm package dnf-4.7.0-1.fc34.noarch
>>   Upgrading        :
>> python3-dnf-plugins-core-4.0.21-1.fc34.noarch                                                                                                                                                     
>> 8/20
>> error: unpacking of archive failed on file /usr/bin/dnf;60b1b277: cpio:
>> (error 0x2)
>> error: dnf-4.7.0-1.fc34.noarch: install failed
>> error: lsetfilecon: (/etc/dnf/plugins/copr.conf,
>> system_u:object_r:etc_t:s0) Operation not permitted
>> error: Plugin selinux: hook fsm_file_prepare failed
> CCing Dan Walsh and Ondrej. They might have an idea.
>
> Thanks
> Vivek
>
>> (
>>
>> For all packages.  No updates are possible.  Possibly related to:
>> https://github.com/fedora-selinux/selinux-policy/pull/478/files/21a2df26cd605c55de7edc80e16907fcb76ccf08 
>> ?  What really gets me, is this error exists even though
>>
>> # getenforce
>> Permissive
>>
>> )
>>
>> The host is running btrfs.  ... virtiofsd --fd=50 -o
>> source=/vmsystems/fedora_generic,xattr,flock,posix_lock
>>
>> same effect with  .... virtiofsd --fd=36 -o
>> source=/vmsystems/dbl1,xattr,flock,no_posix_lock
>>
>> /etc/fstab:
>>
>> myfs / virtiofs seclabel 0 0



Here's a reproducer:

[root@registry1 ~]# getenforce

Permissive
[root@registry1 ~]# cat lsetfilecon.c
#include <selinux/selinux.h>
#include <stdio.h>
#include <errno.h>
 void perror(const char *s);

int main(int argc,char *argv[]){
  int i;
  i= lsetfilecon("/usr/bin/rngtest","system_u:object_r:bin_t:s0");
  //i=
lsetfilecon("/usr/bin/rngtest;60b9120b","system_u:object_r:bin_t:s0");
  printf("ret %lx\n",i);
  perror("\n");
  return 0;
}

[root@registry1 ~]# gcc lsetfilecon.c -lselinux -o lsetfilecon
[root@registry1 ~]# ./lsetfilecon
ret ffffffff

: Operation not permitted
[root@registry1 ~]# ls -l /usr/bin/rngtest
-rwxr-xr-x. 1 root root 21176 Apr 27 18:26 /usr/bin/rngtest

[root@registry1 ~]# uname -a
Linux registry1.xxxx 5.11.19-300.fc34.x86_64 #1 SMP Fri May 7 14:17:15
UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

On the host:


root@noc1:/vmsystems/registry1/usr/bin# getfattr -m - -d rngtest
# file: rngtest
security.selinux="system_u:object_r:bin_t:s0"

ls -l rngtest
-rwxr-xr-x. 1 root root 21176 Apr 27 18:26 rngtest