SELinux failures on Fedora 40 update #9503

Open

marmarek opened this issue Oct 12, 2024 · 2 comments

Labels: affects-4.2 (This issue affects Qubes OS 4.2.) · P: default (Priority: default. Default priority for new issues, to be replaced given sufficient information.) · T: bug (Type: bug report. A problem or defect resulting in unintended behavior in something that exists.)

Comments

@marmarek (Member) commented Oct 12, 2024

Qubes OS release

R4.2

Brief summary

fedora-40 update fails

Steps to reproduce

Run fedora-40 update using qubes-vm-update or qubes-update-gui

Expected behavior

Update completes normally

Actual behavior

Update fails. On the updater side, there is:

2024-10-12 14:25:50.238 qrexec-client[16214]: process_io.c:39:handle_vchan_error: Error while vchan read, exiting

And on the fedora-40 console there is:

[2024-10-12 14:19:04] [  256.737215] SELinux:  Converting 403 SID table entries...
[2024-10-12 14:19:04] [  256.737290] SELinux:  Context system_u:object_r:snappy_unit_file_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737380] SELinux:  Context system_u:object_r:qubes_qubesdb_daemon_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737399] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737420] SELinux:  Context system_u:object_r:qubes_var_run_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737439] SELinux:  Context system_u:object_r:qubes_qubesdb_socket_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737541] SELinux:  Context system_u:object_r:snappy_cli_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737679] SELinux:  Context system_u:object_r:snappy_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737696] SELinux:  Context system_u:system_r:snappy_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737712] SELinux:  Context system_u:object_r:snappy_var_run_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737731] SELinux:  Context system_u:object_r:snappy_var_lib_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737751] SELinux:  Context system_u:object_r:qubes_meminfo_writer_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737769] SELinux:  Context system_u:system_r:qubes_meminfo_writer_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737788] SELinux:  Context system_u:object_r:qubes_meminfo_writer_var_run_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737856] SELinux:  Context system_u:object_r:qubes_qrexec_agent_exec_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.737952] SELinux:  Context system_u:object_r:qubes_qrexec_socket_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.738028] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0-s0:c0.c1023 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.738169] SELinux:  Context unconfined_u:object_r:snappy_var_lib_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.738188] SELinux:  Context unconfined_u:object_r:qubes_var_run_t:s0 became invalid (unmapped).
[2024-10-12 14:19:04] [  256.782079] audit: type=1403 audit(1728735544.616:275): auid=0 ses=9 lsm=selinux res=1
[2024-10-12 14:19:04] [  256.782514] audit: type=1300 audit(1728735544.616:275): arch=c000003e syscall=1 success=yes exit=3809034 a0=4 a1=7e77f9600000 a2=3a1f0a a3=0 items=0 ppid=1411 pid=1416 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
...
[2024-10-12 14:19:04] [  256.837494] audit: type=1400 audit(1728735544.735:277): avc:  denied  { read } for  pid=483 comm="meminfo-writer" path="/sys/devices/system/xen_memory/xen_memory0/info/current_kb" dev="sysfs" ino=2893 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 srawcon="system_u:system_r:qubes_meminfo_writer_t:s0"
[2024-10-12 14:19:04] [  256.837559] audit: type=1300 audit(1728735544.735:277): arch=c000003e syscall=17 success=no exit=-13 a0=4 a1=7ffd43f5ab40 a2=1f a3=0 items=0 ppid=1 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="meminfo-writer" exe="/usr/sbin/meminfo-writer" subj=system_u:object_r:unlabeled_t:s0 key=(null)
[2024-10-12 14:19:04] [  256.837632] audit: type=1327 audit(1728735544.735:277): proctitle=2F7573722F7362696E2F6D656D696E666F2D77726974657200333030303000313030303030002F72756E2F6D656D696E666F2D7772697465722E706964
[2024-10-12 14:19:04] [  256.837666] audit: type=1400 audit(1728735544.735:278): avc:  denied  { use } for  pid=483 comm="meminfo-writer" path="socket:[4599]" dev="sockfs" ino=4599 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_meminfo_writer_t:s0"
[2024-10-12 14:19:04] [  256.837715] audit: type=1300 audit(1728735544.735:278): arch=c000003e syscall=72 success=no exit=-13 a0=6 a1=3 a2=7b7a6198fec3 a3=0 items=0 ppid=1 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="meminfo-writer" exe="/usr/sbin/meminfo-writer" subj=system_u:object_r:unlabeled_t:s0 key=(null)
...
[2024-10-12 14:19:59] [  312.028884] audit: type=1400 audit(1728735599.927:333): avc:  denied  { getattr } for  pid=9295 comm="systemd-gpt-aut" path="/efi" dev="autofs" ino=1581 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir permissive=0

I'm not 100% sure those two are related, but it seems likely. The last denial looks to be not strictly qubes-related, so maybe the issue is in the upstream selinux policy?

Update summary

Packages Altered:
    Install       kernel-6.10.12-200.fc40.x86_64                        @updates
    Install       kernel-core-6.10.12-200.fc40.x86_64                   @updates
    Install       kernel-modules-6.10.12-200.fc40.x86_64                @updates
    Install       kernel-modules-core-6.10.12-200.fc40.x86_64           @updates
    Upgrade       ansible-srpm-macros-1-16.fc40.noarch                  @updates
    Upgraded      ansible-srpm-macros-1-14.fc40.noarch                  @@System
    Upgrade       chromium-129.0.6668.100-1.fc40.x86_64                 @updates
    Upgraded      chromium-129.0.6668.70-1.fc40.x86_64                  @@System
    Upgrade       chromium-common-129.0.6668.100-1.fc40.x86_64          @updates
    Upgraded      chromium-common-129.0.6668.70-1.fc40.x86_64           @@System
    Upgrade       firefox-131.0.2-1.fc40.x86_64                         @updates
    Upgraded      firefox-131.0-2.fc40.x86_64                           @@System
    Upgrade       firefox-langpacks-131.0.2-1.fc40.x86_64               @updates
    Upgraded      firefox-langpacks-131.0-2.fc40.x86_64                 @@System
    Upgrade       fmt-10.2.1-5.fc40.x86_64                              @updates
    Upgraded      fmt-10.2.1-4.fc40.x86_64                              @@System
    Upgrade       ghc-srpm-macros-1.9.1-1.fc40.noarch                   @updates
    Upgraded      ghc-srpm-macros-1.9-1.fc40.noarch                     @@System
    Upgrade       git-2.47.0-1.fc40.x86_64                              @updates
    Upgraded      git-2.46.2-1.fc40.x86_64                              @@System
    Upgrade       git-core-2.47.0-1.fc40.x86_64                         @updates
    Upgraded      git-core-2.46.2-1.fc40.x86_64                         @@System
    Upgrade       git-core-doc-2.47.0-1.fc40.noarch                     @updates
    Upgraded      git-core-doc-2.46.2-1.fc40.noarch                     @@System
    Upgrade       hwdata-0.388-1.fc40.noarch                            @updates
    Upgraded      hwdata-0.387-1.fc40.noarch                            @@System
    Upgrade       javascriptcoregtk4.1-2.46.1-1.fc40.x86_64             @updates
    Upgraded      javascriptcoregtk4.1-2.44.3-2.fc40.x86_64             @@System
    Upgrade       javascriptcoregtk6.0-2.46.1-1.fc40.x86_64             @updates
    Upgraded      javascriptcoregtk6.0-2.44.3-2.fc40.x86_64             @@System
    Upgrade       libwnck3-43.1-1.fc40.x86_64                           @updates
    Upgraded      libwnck3-43.0-9.fc40.x86_64                           @@System
    Upgrade       ostree-libs-2024.8-1.fc40.x86_64                      @updates
    Upgraded      ostree-libs-2024.7-1.fc40.x86_64                      @@System
    Upgrade       perl-Git-2.47.0-1.fc40.noarch                         @updates
    Upgraded      perl-Git-2.46.2-1.fc40.noarch                         @@System
    Upgrade       perl-Module-CoreList-1:5.20240920-1.fc40.noarch       @updates
    Upgraded      perl-Module-CoreList-1:5.20240829-1.fc40.noarch       @@System
    Upgrade       perl-Module-CoreList-tools-1:5.20240920-1.fc40.noarch @updates
    Upgraded      perl-Module-CoreList-tools-1:5.20240829-1.fc40.noarch @@System
    Upgrade       python-pip-wheel-23.3.2-2.fc40.noarch                 @updates
    Upgraded      python-pip-wheel-23.3.2-1.fc40.noarch                 @@System
    Upgrade       python3-pyasn1-0.6.0-1.fc40.noarch                    @updates
    Upgraded      python3-pyasn1-0.5.1-3.fc40.noarch                    @@System
    Upgrade       python3-pyasn1-modules-0.6.0-1.fc40.noarch            @updates
    Upgraded      python3-pyasn1-modules-0.5.1-3.fc40.noarch            @@System
    Upgrade       python3-unbound-1.21.1-3.fc40.x86_64                  @updates
    Upgraded      python3-unbound-1.20.0-1.fc40.x86_64                  @@System
    Upgrade       rav1e-libs-0.7.1-4.fc40.x86_64                        @updates
    Upgraded      rav1e-libs-0.7.1-2.fc40.x86_64                        @@System
    Upgrade       selinux-policy-40.28-1.fc40.noarch                    @updates
    Upgraded      selinux-policy-40.27-1.fc40.noarch                    @@System
    Upgrade       selinux-policy-targeted-40.28-1.fc40.noarch           @updates
    Upgraded      selinux-policy-targeted-40.27-1.fc40.noarch           @@System
    Upgrade       thunderbird-128.3.1-1.fc40.x86_64                     @updates
    Upgraded      thunderbird-128.2.0-1.fc40.x86_64                     @@System
    Upgrade       thunderbird-librnp-rnp-128.3.1-1.fc40.x86_64          @updates
    Upgraded      thunderbird-librnp-rnp-128.2.0-1.fc40.x86_64          @@System
    Upgrade       unbound-anchor-1.21.1-3.fc40.x86_64                   @updates
    Upgraded      unbound-anchor-1.20.0-1.fc40.x86_64                   @@System
    Upgrade       unbound-libs-1.21.1-3.fc40.x86_64                     @updates
    Upgraded      unbound-libs-1.20.0-1.fc40.x86_64                     @@System
    Upgrade       webkit2gtk4.1-2.46.1-1.fc40.x86_64                    @updates
    Upgraded      webkit2gtk4.1-2.44.3-2.fc40.x86_64                    @@System
    Upgrade       webkitgtk6.0-2.46.1-1.fc40.x86_64                     @updates
    Upgraded      webkitgtk6.0-2.44.3-2.fc40.x86_64                     @@System
    Upgrade       xen-hypervisor-4.18.3-2.fc40.x86_64                   @updates
    Upgraded      xen-hypervisor-4.18.3-1.fc40.x86_64                   @@System
    Upgrade       xen-libs-4.18.3-2.fc40.x86_64                         @updates
    Upgraded      xen-libs-4.18.3-1.fc40.x86_64                         @@System
    Upgrade       xen-licenses-4.18.3-2.fc40.x86_64                     @updates
    Upgraded      xen-licenses-4.18.3-1.fc40.x86_64                     @@System
    Upgrade       xen-runtime-4.18.3-2.fc40.x86_64                      @updates
    Upgraded      xen-runtime-4.18.3-1.fc40.x86_64                      @@System
    Upgrade       xxhash-libs-0.8.2-4.fc40.x86_64                       @updates
    Upgraded      xxhash-libs-0.8.2-2.fc40.x86_64                       @@System
    Upgrade       qubes-pdf-converter-2.1.22-1.fc40.noarch              @qubes-vm-r4.2-current
    Upgraded      qubes-pdf-converter-2.1.21-1.fc40.noarch              @@System
    Upgrade       qubes-usb-proxy-1.3.2-1.fc40.noarch                   @qubes-vm-r4.2-current
    Upgraded      qubes-usb-proxy-1.3.1-1.fc40.noarch                   @@System
    Reason Change kernel-6.10.10-200.fc40.x86_64                        @updates
    Removed       kernel-6.10.7-200.fc40.x86_64                         @@System
    Reason Change kernel-core-6.10.10-200.fc40.x86_64                   @updates
    Removed       kernel-core-6.10.7-200.fc40.x86_64                    @@System
    Reason Change kernel-modules-6.10.10-200.fc40.x86_64                @updates
    Removed       kernel-modules-6.10.7-200.fc40.x86_64                 @@System
    Reason Change kernel-modules-core-6.10.10-200.fc40.x86_64           @updates
    Removed       kernel-modules-core-6.10.7-200.fc40.x86_64            @@System

@marmarek marmarek added T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. affects-4.2 This issue affects Qubes OS 4.2. labels Oct 12, 2024
@marmarek (Member, Author) commented:

It looks like all updates were actually installed anyway. And the contexts seem to be set correctly, for example:

-rwxr-xr-x. 1 root root system_u:object_r:qubes_qrexec_agent_exec_t:s0 41072 Jul  5 02:00 /usr/lib/qubes/qrexec-agent

So, maybe it's just some transient issue?
But the fact that the update was reported as failed, and also that its output was cut, is still a problem.

And also, it looks like the SELinux labels issue crashed qubes-gui:

Oct 12 14:19:04 fedora-40 qubes-gui[585]: xc_evtchn_status: Permission denied
Oct 12 14:19:04 fedora-40 qubes-gui[585]: libvchan_is_eof
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { ioctl } for  pid=585 comm="qubes-gui" path="/dev/xen/privcmd" dev="devtmpfs" ino=174 ioctlcmd=0x5000 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:04 fedora-40 audit[585]: SYSCALL arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=305000 a2=7ffd60fbeaa0 a3=64f55c086150 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="qubes-gui" exe="/usr/bin/qubes-gui" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:04 fedora-40 audit: PROCTITLE proctitle=2F7573722F62696E2F71756265732D677569002D640030
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { ioctl } for  pid=585 comm="qubes-gui" path="/dev/xen/evtchn" dev="devtmpfs" ino=170 ioctlcmd=0x4504 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:04 fedora-40 audit[585]: SYSCALL arch=c000003e syscall=16 success=no exit=-13 a0=4 a1=44504 a2=7ffd60fbe9c4 a3=0 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="qubes-gui" exe="/usr/bin/qubes-gui" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:04 fedora-40 audit: PROCTITLE proctitle=2F7573722F62696E2F71756265732D677569002D640030
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { getattr } for  pid=585 comm="qubes-gui" path="/dev/xen/xenbus" dev="devtmpfs" ino=94 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:04 fedora-40 audit[585]: SYSCALL arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=7453c086c07d a2=7ffd60fbe8c0 a3=0 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="qubes-gui" exe="/usr/bin/qubes-gui" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:04 fedora-40 audit: PROCTITLE proctitle=2F7573722F62696E2F71756265732D677569002D640030
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { read write } for  pid=585 comm="qubes-gui" name="gntalloc" dev="devtmpfs" ino=172 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:04 fedora-40 audit[585]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7453c08560a7 a2=2 a3=0 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="qubes-gui" exe="/usr/bin/qubes-gui" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:04 fedora-40 audit: PROCTITLE proctitle=2F7573722F62696E2F71756265732D677569002D640030
Oct 12 14:19:04 fedora-40 audit[585]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 pid=585 comm="qubes-gui" exe="/usr/bin/qubes-gui" sig=11 res=1

And that was the reason for the qrexec error:

Oct 12 14:19:05 fedora-40 audit[574]: AVC avc:  denied  { ioctl } for  pid=574 comm="qrexec-agent" path="/dev/xen/evtchn" dev="devtmpfs" ino=170 ioctlcmd=0x4504 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:05 fedora-40 audit[574]: SYSCALL arch=c000003e syscall=16 success=no exit=-13 a0=4 a1=44504 a2=7fff9ac7b4d4 a3=2 items=0 ppid=1 pid=574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qrexec-agent" exe="/usr/lib/qubes/qrexec-agent" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:05 fedora-40 audit: PROCTITLE proctitle="/usr/lib/qubes/qrexec-agent"
Oct 12 14:19:05 fedora-40 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@0-1419-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 12 14:19:05 fedora-40 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qubes-qrexec-agent comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Oct 12 14:19:05 fedora-40 dbus-broker-launch[748]: avc:  op=load_policy lsm=selinux seqno=2 res=1
Oct 12 14:19:05 fedora-40 qrexec-agent[574]: 2024-10-12 14:19:05.256 qrexec-agent[574]: qrexec-agent.c:332:handle_vchan_error: Error while vchan send (MSG_CONNECTION_TERMINATED), exiting
Oct 12 14:19:05 fedora-40 systemd[1]: qubes-qrexec-agent.service: Main process exited, code=exited, status=1/FAILURE
Oct 12 14:19:05 fedora-40 systemd[1]: qubes-qrexec-agent.service: Failed with result 'exit-code'.

QubesDB was not happy either:

Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { ioctl } for  pid=285 comm="qubesdb-daemon" path="/dev/xen/gntdev" dev="devtmpfs" ino=173 ioctlcmd=0x4702 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { ioctl } for  pid=285 comm="qubesdb-daemon" path="/dev/xen/evtchn" dev="devtmpfs" ino=170 ioctlcmd=0x4504 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 ioctlcmd=0x5401 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { search } for  pid=285 comm="qubesdb-daemon" name="/" dev="xvda3" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { use } for  pid=285 comm="qubesdb-daemon" path="socket:[2775]" dev="sockfs" ino=2775 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { getattr } for  pid=285 comm="qubesdb-daemon" path="/run/qubes/qubesdb.sock" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0" trawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qubes-db comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 12 14:19:05 fedora-40 systemd[1]: qubes-db.service: Deactivated successfully.

And pipewire crashed as a side effect too:

Oct 12 14:19:05 fedora-40 audit[650]: AVC avc:  denied  { connectto } for  pid=650 comm="pipewire" path="/run/qubes/qubesdb.sock" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 trawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:05 fedora-40 audit[650]: SYSCALL arch=c000003e syscall=42 success=no exit=-13 a0=1c a1=7ffddb92ecc0 a2=1d a3=ffffffff items=0 ppid=622 pid=650 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="pipewire" exe="/usr/bin/pipewire" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Oct 12 14:19:05 fedora-40 audit: PROCTITLE proctitle="/usr/bin/pipewire"
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: unable to obtain /qubes-audio-domain-xid entry from QubesDB
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: Cannot obtain new peer domain ID (Broken pipe), disconnecting from 0
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: Control vchan closed, cannot issue control command
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: unable to obtain /qubes-audio-domain-xid entry from QubesDB
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: Cannot obtain new peer domain ID (Broken pipe), disconnecting from 0
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: unknown peer domain, cannot create stream
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: unknown peer domain, cannot create stream
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: Control vchan closed, cannot issue control command
Oct 12 14:19:05 fedora-40 pipewire[649]: mod.qubes-audio: unknown peer domain, cannot create stream
Oct 12 14:19:05 fedora-40 pipewire[650]: mod.qubes-audio: unknown peer domain, cannot create stream

After all this, I see the SELinux policy got reloaded a few more times, and at a later time it said:

Oct 12 14:19:57 fedora-40 kernel: SELinux:  Converting 422 SID table entries...
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_unit_file_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_qubesdb_daemon_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_var_run_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_qubesdb_socket_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_cli_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:snappy_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_var_run_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:snappy_var_lib_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_meminfo_writer_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:qubes_meminfo_writer_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_meminfo_writer_var_run_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_qrexec_agent_exec_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:object_r:qubes_qrexec_socket_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0-s0:c0.c1023 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context unconfined_u:object_r:snappy_var_lib_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context unconfined_u:object_r:qubes_var_run_t:s0 became valid (mapped).
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability network_peer_controls=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability open_perms=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability extended_socket_class=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability always_check_network=0
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability cgroup_seclabel=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability nnp_nosuid_transition=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability genfs_seclabel_symlinks=1
Oct 12 14:19:57 fedora-40 kernel: SELinux:  policy capability ioctl_skip_cloexec=0
Oct 12 14:19:57 fedora-40 audit: MAC_POLICY_LOAD auid=0 ses=9 lsm=selinux res=1

So the end state is correct, I think, but at this point a bunch of services had crashed already...
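As an added example (not code from this issue, from Qubes OS or from the selinux-policy project), here is a small Python triage script for logs like the ones quoted above. It separates the two kinds of denials that appear after a policy reload: processes whose subject type was dropped by the new policy (the kernel then reports them as `unlabeled_t` and keeps the old label in `srawcon`, which matches a "became invalid (unmapped)" line), and ordinary denials against a type the policy still knows (like the `xdm_t` denials for qubes-gui), which point at a missing allow rule rather than an orphaned label. It also lists contexts that were unmapped and never reported as mapped again, and decodes the hex-encoded PROCTITLE records so the argv of the failing process is readable. The `SAMPLE_LOG` lines are constructed, shortened copies of the message shapes in this issue; the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines in the shape of those quoted in the
# issue (kernel "became invalid/valid" messages, AVC denials, one PROCTITLE
# record), trimmed so the example runs offline.
SAMPLE_LOG = """\
[  256.737380] SELinux:  Context system_u:object_r:qubes_qubesdb_daemon_exec_t:s0 became invalid (unmapped).
[  256.737399] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became invalid (unmapped).
[  256.737769] SELinux:  Context system_u:system_r:qubes_meminfo_writer_t:s0 became invalid (unmapped).
[  256.837494] audit: type=1400 audit(1728735544.735:277): avc:  denied  { read } for  pid=483 comm="meminfo-writer" path="/sys/devices/system/xen_memory/xen_memory0/info/current_kb" dev="sysfs" ino=2893 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 srawcon="system_u:system_r:qubes_meminfo_writer_t:s0"
[  256.837632] audit: type=1327 audit(1728735544.735:277): proctitle=2F7573722F7362696E2F6D656D696E666F2D77726974657200333030303000313030303030002F72756E2F6D656D696E666F2D7772697465722E706964
Oct 12 14:19:05 fedora-40 audit[285]: AVC avc:  denied  { ioctl } for  pid=285 comm="qubesdb-daemon" path="/dev/xen/gntdev" dev="devtmpfs" ino=173 ioctlcmd=0x4702 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0 srawcon="system_u:system_r:qubes_qubesdb_daemon_t:s0"
Oct 12 14:19:04 fedora-40 audit[585]: AVC avc:  denied  { ioctl } for  pid=585 comm="qubes-gui" path="/dev/xen/privcmd" dev="devtmpfs" ino=174 ioctlcmd=0x5000 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
Oct 12 14:19:57 fedora-40 kernel: SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became valid (mapped).
"""

CONTEXT_RE = re.compile(
    r"SELinux:\s+Context (?P<ctx>\S+) became (?P<state>invalid \(unmapped\)|valid \(mapped\))")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROCTITLE_RE = re.compile(r'proctitle=(?P<val>"[^"]*"|[0-9A-Fa-f]+)')


def parse_fields(text):
    """Turn 'k=v k2="v 2"' audit fields into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def decode_proctitle(value):
    """PROCTITLE is hex-encoded (NUL-separated argv) when the title held NUL
    bytes; otherwise auditd writes it as a plain quoted string."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")


@dataclass
class Triage:
    unmapped: set = field(default_factory=set)    # contexts the new policy dropped
    remapped: set = field(default_factory=set)    # contexts a later load restored
    denials: list = field(default_factory=list)   # parsed AVC records
    proctitles: list = field(default_factory=list)  # decoded argv lists


def triage(log_text):
    t = Triage()
    for line in log_text.splitlines():
        if m := CONTEXT_RE.search(line):
            target = t.unmapped if m["state"].startswith("invalid") else t.remapped
            target.add(m["ctx"])
        elif m := AVC_RE.search(line):
            rec = parse_fields(m["rest"])
            rec["perms"] = m["perms"].split()
            t.denials.append(rec)
        elif m := PROCTITLE_RE.search(line):
            t.proctitles.append(decode_proctitle(m["val"]))
    return t


def classify(t):
    """Separate denials caused by an orphaned subject label from plain policy gaps.

    When a policy load drops a type, already-running processes keep their old
    SID; the kernel reports them as unlabeled_t and records the old label in
    srawcon. Those denials go away when the type is restored, not by adding
    allow rules, so they deserve a different fix than the rest."""
    orphaned, policy_gap = [], []
    for d in t.denials:
        subject_type = d["scontext"].split(":")[2]
        if subject_type == "unlabeled_t" and d.get("srawcon") in t.unmapped:
            orphaned.append(d)
        else:
            policy_gap.append(d)
    return orphaned, policy_gap


def never_restored(t):
    """Contexts that were unmapped and not reported as mapped again later."""
    return sorted(t.unmapped - t.remapped)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    orphaned, gaps = classify(result)
    for d in orphaned:
        print(f"orphaned label: pid={d['pid']} {d['comm']} ran as {d['srawcon']}, "
              f"denied {d['perms']} on {d.get('path', d.get('name'))}")
    for d in gaps:
        print(f"policy gap: pid={d['pid']} {d['comm']} {d['scontext']} -> "
              f"{d['tcontext']} ({d['tclass']}) {d['perms']}")
    print("never restored:", never_restored(result))
    print("argv seen:", result.proctitles)
```

On a real VM the input would be `journalctl -k -b` combined with `journalctl -b _TRANSPORT=audit` (or `ausearch -m AVC,PROCTITLE`) piped into `triage`; the `srawcon` field is only emitted by the kernel when the subject's label is invalid under the loaded policy, which is exactly why it is the signal to key on here.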

@marmarek (Member, Author) commented:

The best solution would obviously be not to invalidate a bunch of contexts during the update. But if that cannot be avoided, maybe a workaround would be to temporarily enable permissive mode for the duration of the update (for example, if selinux-policy-targeted is part of the update)? Can it be done using rpm triggers?
