
[rawhide] upgrade yields incorrect labels on SELinux modules files #1806

Open
dustymabe opened this issue Oct 3, 2024 · 8 comments
Labels: pipeline failure (This issue or pull request is derived from CI failures), rawhide (Issues that uniquely pertain to rawhide)

Comments

@dustymabe
Member

This one is odd. It appears upgrading FCOS in rawhide right now gives us files that don't match the pre-upgraded system policy or the post-upgraded system policy:

$ cosa buildfetch --build=42.20240928.91.0 --artifact=qemu && cosa decompress --build=42.20240928.91.0

$ cosa run --build=42.20240928.91.0
Fedora CoreOS 42.20240928.91.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/tag/coreos

Last login: Thu Oct  3 14:01:38 2024
[core@cosa-devsh ~]$
[core@cosa-devsh ~]$ sudo ls -ldZ /etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:semanage_store_t:s0 55 Aug  1  2022 /etc/selinux/targeted/active/modules
[core@cosa-devsh ~]$ sudo restorecon -vn /etc/selinux/targeted/active/modules
[core@cosa-devsh ~]$ sudo rpm-ostree upgrade
Pulling manifest: ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos:rawhide
Importing: ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos:rawhide (digest: sha256:74069e8f769367d95c3567fc1530dd5e01c286477df13020d6cd010c577c5358)
ostree chunk layers already present: 27
ostree chunk layers needed: 24 (452.6 MB)
...
Staging deployment... done
Upgraded:
  bootupd 0.2.21-1.fc42 -> 0.2.23-1.fc42
  ca-certificates 2024.2.69_v8.0.401-1.fc42 -> 2024.2.69_v8.0.401-2.fc42
  coreutils 9.5-9.fc42 -> 9.5-10.fc42
  coreutils-common 9.5-9.fc42 -> 9.5-10.fc42
  kernel 6.12.0-0.rc0.20240926git11a299a7933e.13.fc42 -> 6.12.0-0.rc0.20240927git075dbe9f6e3c.14.fc42
  kernel-core 6.12.0-0.rc0.20240926git11a299a7933e.13.fc42 -> 6.12.0-0.rc0.20240927git075dbe9f6e3c.14.fc42
  kernel-modules 6.12.0-0.rc0.20240926git11a299a7933e.13.fc42 -> 6.12.0-0.rc0.20240927git075dbe9f6e3c.14.fc42
  kernel-modules-core 6.12.0-0.rc0.20240926git11a299a7933e.13.fc42 -> 6.12.0-0.rc0.20240927git075dbe9f6e3c.14.fc42
Removed:
  lld-libs-18.1.8-2.fc41.x86_64
  llvm-libs-18.1.8-2.fc41.x86_64
Added:
  lld18-libs-18.1.7-3.fc42.x86_64
  llvm18-libs-18.1.7-5.fc42.x86_64
Run "systemctl reboot" to start a reboot

[core@cosa-devsh ~]$ sudo su -
[root@cosa-devsh ~]# ls -ldZ /sysroot/ostree/deploy/fedora-coreos/deploy/*.0/etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:semanage_store_t:s0 55 Aug  1  2022 /sysroot/ostree/deploy/fedora-coreos/deploy/7cbaa774e4dbb53022db38358e16f4b38b0be0f236b950bd20ffc2d9a12f4d66.0/etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:semanage_store_t:s0 55 Oct  3 14:04 /sysroot/ostree/deploy/fedora-coreos/deploy/f64ade6708536ef6cdc686a2bd0d586a64ebb9ae9277b73523604b5f7539a7e0.0/etc/selinux/targeted/active/modules
[root@cosa-devsh ~]# reboot
...
...
...
Fedora CoreOS 42.20241002.91.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/tag/coreos

Last login: Thu Oct  3 14:09:13 2024
[core@cosa-devsh ~]$ sudo ls -ldZ /etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:selinux_config_t:s0 55 Oct  3 14:09 /etc/selinux/targeted/active/modules
[root@cosa-devsh ~]# ls -ldZ /sysroot/ostree/deploy/fedora-coreos/deploy/*.0/etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:semanage_store_t:s0 55 Aug  1  2022 /sysroot/ostree/deploy/fedora-coreos/deploy/7cbaa774e4dbb53022db38358e16f4b38b0be0f236b950bd20ffc2d9a12f4d66.0/etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:selinux_config_t:s0 55 Oct  3 14:09 /sysroot/ostree/deploy/fedora-coreos/deploy/f64ade6708536ef6cdc686a2bd0d586a64ebb9ae9277b73523604b5f7539a7e0.0/etc/selinux/targeted/active/modules

So something to do with the finalization that happens on reboot after the new deployment has been downloaded and applied?

[root@cosa-devsh ~]# rpm -q rpm-ostree ostree
rpm-ostree-2024.8-1.fc42.x86_64
ostree-2024.8-1.fc42.x86_64
dustymabe added the rawhide (Issues that uniquely pertain to rawhide) and pipeline failure (This issue or pull request is derived from CI failures) labels on Oct 3, 2024
@dustymabe
Member Author

Note if I just boot 42.20240928.91.0 or 42.20241002.91.0 without doing an upgrade then the files aren't labeled incorrectly.

@travier
Member

travier commented Oct 3, 2024

@dustymabe
Member Author

@travier it's somehow triggered by upgrade, though, because images booted without being upgraded have the correct labels.

@dustymabe
Member Author

OK, it looks like it's /usr/bin/ostree admin finalize-staged that's causing this:

[root@cosa-devsh ~]# ls -ldZ /sysroot/ostree/deploy/fedora-coreos/deploy/*.0/etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:semanage_store_t:s0 55 Aug  1  2022 /sysroot/ostree/deploy/fedora-coreos/deploy/7cbaa774e4dbb53022db38358e16f4b38b0be0f236b950bd20ffc2d9a12f4d66.0/etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:semanage_store_t:s0 55 Oct  3 14:29 /sysroot/ostree/deploy/fedora-coreos/deploy/9b4668adcbf84503dead8b1c2fb328381e93491f25081230da50da9ec77e8bfe.0/etc/selinux/targeted/active/modules

[root@cosa-devsh ~]# /usr/bin/ostree admin finalize-staged
Copying /etc changes: 6 modified, 0 removed, 39 added
Bootloader updated; bootconfig swap: yes; bootversion: boot.0.1, deployment count change: 1
[root@cosa-devsh ~]# ls -ldZ /sysroot/ostree/deploy/fedora-coreos/deploy/*.0/etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:semanage_store_t:s0 55 Aug  1  2022 /sysroot/ostree/deploy/fedora-coreos/deploy/7cbaa774e4dbb53022db38358e16f4b38b0be0f236b950bd20ffc2d9a12f4d66.0/etc/selinux/targeted/active/modules
drwx------. 6 root root system_u:object_r:selinux_config_t:s0 55 Oct  3 14:31 /sysroot/ostree/deploy/fedora-coreos/deploy/9b4668adcbf84503dead8b1c2fb328381e93491f25081230da50da9ec77e8bfe.0/etc/selinux/targeted/active/modules

@jlebon
Member

jlebon commented Oct 3, 2024

This is from the semodule -N --refresh call ostree does during finalization which should normally be a no-op in this case. I booted the same rawhide build and did:

root@cosa-devsh:~# restorecon -rvn /etc/selinux
root@cosa-devsh:~# semodule -N --refresh
root@cosa-devsh:~# restorecon -rvn /etc/selinux
Would relabel /etc/selinux/targeted/active/booleans.local from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
...

cc @WOnder93

I guess... let's file a bugzilla against policycoreutils to start?

@dustymabe
Member Author

Ran a bisect on this in rawhide with a test that does

sudo semodule -N --refresh && sudo find /etc/selinux/targeted/active/modules -maxdepth 0 -context "system_u:object_r:selinux_config_t:s0" -delete

Note the delete will fail because it's a read-only filesystem, and thus the test will fail if anything is found.

The results:

BISECT TEST RESULTS:
Last known good build: 42.20240911.91.0
First known bad build: 42.20240914.91.0

The package set in that changeset is:

ostree diff commit from: 3a8acb2a5b7971084404216fb7c1d0282f626c7186618c361aa4545fbe3493b8
ostree diff commit to:   766159d55230282690a7e11cbe836fe06b26c62d846f9ba256bd4e9489e9e7d3
Upgraded:
  bootc 0.1.15-1.fc42 -> 0.1.16-1.fc42
  conmon 2:2.1.12-2.fc41 -> 2:2.1.12-3.fc42
  container-selinux 2:2.232.1-2.fc41 -> 2:2.233.0-1.fc42
  crun 1.15-2.fc41 -> 1.17-1.fc42
  crun-wasm 1.15-2.fc41 -> 1.17-1.fc42
  curl 8.9.1-3.fc42 -> 8.10.0-1.fc42
  gnutls 3.8.7-2.fc42 -> 3.8.7-4.fc42
  kbd 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kbd-legacy 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kbd-misc 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kernel 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-core 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-modules 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-modules-core 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  libcurl-minimal 8.9.1-3.fc42 -> 8.10.0-1.fc42
  libgcc 14.2.1-2.fc42 -> 14.2.1-3.fc42
  libldb 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  libselinux 3.7-5.fc41 -> 3.7-6.fc42
  libselinux-utils 3.7-5.fc41 -> 3.7-6.fc42
  libsemanage 3.7-2.fc41 -> 3.7-3.fc42
  libsepol 3.7-2.fc41 -> 3.7-3.fc42
  libsmbclient 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  libstdc++ 14.2.1-2.fc42 -> 14.2.1-3.fc42
  libwbclient 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  microcode_ctl 2:2.1-64.fc42 -> 2:2.1-65.fc42
  openssl 1:3.2.2-5.fc41 -> 1:3.2.2-8.fc42
  openssl-libs 1:3.2.2-5.fc41 -> 1:3.2.2-8.fc42
  rpm 4.19.93-1.fc42 -> 4.19.94-1.fc42
  rpm-libs 4.19.93-1.fc42 -> 4.19.94-1.fc42
  rpm-plugin-selinux 4.19.93-1.fc42 -> 4.19.94-1.fc42
  samba-client-libs 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  samba-common 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  samba-common-libs 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  selinux-policy 41.16-1.fc42 -> 41.17-1.fc42
  selinux-policy-targeted 41.16-1.fc42 -> 41.17-1.fc42
  zlib-ng-compat 2.1.7-2.fc41 -> 2.1.7-3.fc42
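Both jlebon's `restorecon -rvn` check and the bisect test above boil down to the same question: after `semodule -N --refresh`, does anything under `/etc/selinux/targeted/active` carry a type other than the one the file contexts say it should? The script below is an added example for this thread, not code from ostree, policycoreutils or any of the commenters. It parses `restorecon -vn` "Would relabel" output (the sample lines are constructed to match the format quoted in jlebon's comment), keeps only entries whose SELinux type field actually changes, and counts drift under a given directory; `check_live` is an assumed helper name that runs the same parser against the real `restorecon` on a system where you have root.

```shell
#!/bin/sh
# Added example for the SELinux label-drift discussion in this issue.
# Not code from ostree or policycoreutils. Parses `restorecon -vn` output.

# Constructed sample output, shaped like the line quoted in the thread:
#   "Would relabel PATH from CURRENT_CONTEXT to EXPECTED_CONTEXT"
SAMPLE_RESTORECON_OUTPUT='Would relabel /etc/selinux/targeted/active/booleans.local from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/modules from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/modules/400 from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/commit_num from system_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_store_t:s0'

# Read restorecon -vn output on stdin; print "PATH CURRENT_TYPE EXPECTED_TYPE"
# for every entry whose type (third field of the context) differs.
# Lines where only user/role/level differ (like commit_num above) are ignored,
# since the thread is about the semanage_store_t vs selinux_config_t type mismatch.
parse_relabels() {
    awk '$1 == "Would" && $2 == "relabel" {
        path = $3; from = $5; to = $7
        split(from, f, ":"); split(to, t, ":")
        if (f[3] != t[3]) printf "%s %s %s\n", path, f[3], t[3]
    }'
}

# Count type-drift entries under DIR in the constructed sample.
count_type_drift_under() {
    dir=$1
    printf '%s\n' "$SAMPLE_RESTORECON_OUTPUT" | parse_relabels \
        | awk -v d="$dir" 'index($1, d) == 1 { n++ } END { print n + 0 }'
}

# Live check (assumed helper): run restorecon -rvn against a real tree and
# return 1 if any type drift is found. Needs root and an SELinux-enabled host.
check_live() {
    dir=${1:-/etc/selinux/targeted/active}
    drift=$(restorecon -rvn "$dir" 2>/dev/null | parse_relabels)
    if [ -n "$drift" ]; then
        printf 'type drift under %s:\n%s\n' "$dir" "$drift"
        return 1
    fi
    return 0
}
```

On a live system the sequence from the thread would be `restorecon -rvn /etc/selinux/targeted/active`, then `semodule -N --refresh`, then `check_live` again; a non-zero exit from the second run reproduces the mismatch the bisect test was hunting for, without needing the read-only-filesystem trick of `find ... -delete`.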

@dustymabe
Member Author

I guess... let's file a bugzilla against policycoreutils to start?

Opened https://bugzilla.redhat.com/show_bug.cgi?id=2316388 to start the conversation.
