ARC++ fails to start with 4.12 and later kernels due to selinux permission problems
Issue description
Attempts to start ARC++ on a 4.12 kernel fail with the following messages in the kernel log (dmesg).
[ 58.950400] audit: type=1400 audit(1502477548.043:4): avc: denied { sys_admin } for pid=3255 comm="init" capability=21 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 58.972559] audit: type=1400 audit(1502477548.065:5): avc: denied { sys_admin } for pid=3255 comm="init" capability=21 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 58.993893] audit: type=1400 audit(1502477548.086:6): avc: denied { chown } for pid=3255 comm="init" capability=0 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 59.015425] audit: type=1400 audit(1502477548.107:7): avc: denied { chown } for pid=3255 comm="init" capability=0 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 59.035438] audit: type=1400 audit(1502477548.107:8): avc: denied { chown } for pid=3255 comm="init" capability=0 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 59.056411] audit: type=1400 audit(1502477548.107:9): avc: denied { chown } for pid=3255 comm="init" capability=0 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 59.076411] audit: type=1400 audit(1502477548.168:10): avc: denied { sys_admin } for pid=3255 comm="init" capability=21 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 59.097420] audit: type=1400 audit(1502477548.189:11): avc: denied { sys_admin } for pid=3255 comm="init" capability=21 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 59.132156] audit: type=1400 audit(1502477548.224:12): avc: denied { chown } for pid=3255 comm="init" capability=0 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 59.152407] audit: type=1400 audit(1502477548.244:13): avc: denied { sys_admin } for pid=3255 comm="init" capability=21 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 355.644888] init: arc-network main process (3257) killed by ABRT signal
Workaround is to set "SELINUX=permissive" in /etc/selinux/config.
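As an added example (not code from the bug or from Chrome OS), the following Python parses AVC denial lines like the dmesg output above and aggregates them by source type, target type and object class into the allow rules a policy author would review. It is the grouping step audit2allow performs, spelled out to show that the denials land in the cap_userns class rather than capability and so need their own rule; the sample input is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: three cap_userns denials from the bug report plus the
# unrelated ABRT line, to show that non-AVC lines are skipped.
SAMPLE_DMESG = """\
[ 58.950400] audit: type=1400 audit(1502477548.043:4): avc: denied { sys_admin } for pid=3255 comm="init" capability=21 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 58.993893] audit: type=1400 audit(1502477548.086:6): avc: denied { chown } for pid=3255 comm="init" capability=0 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 59.015425] audit: type=1400 audit(1502477548.107:7): avc: denied { chown } for pid=3255 comm="init" capability=0 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 355.644888] init: arc-network main process (3257) killed by ABRT signal
"""

# Permissions are inside braces; the three context/class fields follow later on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def sel_type(context):
    """Return the type field (third component) of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the init/ABRT line)
        perms = frozenset(m.group("perms").split())
        yield sel_type(m.group("scontext")), sel_type(m.group("tcontext")), m.group("tclass"), perms

def summarize(text):
    """Group denials into {(stype, ttype, tclass): set(perms)}, merging repeated lines."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        grouped[(stype, ttype, tclass)] |= perms
    return grouped

def allow_rules(text):
    """Render each group as a type-enforcement allow rule, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_DMESG):
        print(rule)
```

The generated rule is a starting point for review, not something to paste into policy unread: a denial in cap_userns means the container's init is exercising a capability outside the initial user namespace, which is exactly the split the kernel commit discussed later in this bug introduced.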
Aug 16 2017
What's your kernel config? In Chrome OS we use permissive mode: chromeos/config/base.config:CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT=y That appears to be a Chrome OS specific config. See <https://chromium-review.googlesource.com/425786>. I don't know how it was done before then... +folks who I know were involved in SE Linux Permissive Stuff and hopefully they can comment.
Aug 16 2017
#2: Yes, that is correct, and it is so configured. From chromeos-4.12: chromeos/config/base.config:CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT=y Nevertheless, I have to apply the workaround to get it working. If I understand the code correctly, this is as expected. The flag doesn't really do much and appears to depend on 'permissive'. See its use and associated comments in security/selinux/avc.c.
Aug 16 2017
What "workaround" are you referring to?
Aug 16 2017
Yes, that flag is meant to quiesce the log from permissive logspam. It does not change behavior. Can you also share /var/log/arc-network.log?
Aug 16 2017
#5: See description: "Workaround is to set "SELINUX=permissive" in /etc/selinux/config."
Aug 16 2017
arc-network.log:
017-08-15 14:38:33.576150280-07:00: Starting arc-network
+ ip link delete veth_android
Cannot find device "veth_android"
+ true
+ ip link add veth_android type veth peer name slave_android
+ ip link set dev slave_android addr 00:FF:AA:00:00:55
+ ifconfig veth_android up
+ brctl addif br0 veth_android
+ readlink /proc/1/ns/net
+ init_ns=net:[4026531961]
+ seq 1 50
+ [ -d /proc/11788 ]
+ readlink /proc/11788/ns/net
+ ns=net:[4026532572]
+ [ -n net:[4026532572] -a net:[4026532572] != net:[4026531961] ]
+ break
+ ip link set slave_android netns 11788
+ nsenter -t 11788 -n -- ip link set slave_android name arc0
+ initctl emit start-arc-sensor CONTAINER_PATH=/run/containers/android_hsJo5G
+ touch /run/containers/android_hsJo5G/root/dev/.coldboot_done
+ sysctl net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
+ sysctl net.ipv6.conf.all.proxy_ndp=1
net.ipv6.conf.all.proxy_ndp = 1
+ chown 655360:655360 /sys/class/xt_idletimer
+ initctl start -n arc-obb-mounter
arc-obb-mounter start/starting
+ initctl start -n arc-removable-media
arc-removable-media start/starting
+ exec /usr/bin/arc-networkd --con_netns=11788
Oct 4 2017
Oct 23 2017
Nov 1 2017
It looks like the problem is commit 8e4ff6f228e4722cac74db716e308d1da33d744f that went into 4.7. It splits selinux capability checks based on whether you're in the initial user namespace or not. Working on a list of sepolicy changes needed for compatibility.
Nov 3 2017
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chromeos/overlays/project-cheets-private/+/1838c7c57e2227b4fbe19341606f4f75ee67f67d
commit 1838c7c57e2227b4fbe19341606f4f75ee67f67d
Author: Benjamin Gordon <bmgordon@chromium.org>
Date: Fri Nov 03 01:36:48 2017
Nov 17 2017
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chromeos/overlays/project-cheets-private/+/c45fcee50cacf1db44653d2d72c15015636e3c8f
commit c45fcee50cacf1db44653d2d72c15015636e3c8f
Author: Guenter Roeck <groeck@chromium.org>
Date: Fri Nov 17 12:02:04 2017
Nov 18 2017
The workaround as committed in #11 and #12 results in a test failure: [Test-Logs]: cheets_SELinuxTest: retry_count: 2, FAIL: Unexpected value: Expected: Enforcing, Actual: Permissive
Nov 18 2017
Raising priority. This is a must have for chromeos-4.14 release.
Nov 18 2017
aosp/538523 is out with the changes needed for 4.12 on android-master. Once that goes in, I'll cherry-pick it back to the arc-nyc branch, and that should cover 4.12. I have another couple of CLs in progress to cover the additional breakage that 4.14 introduces.
Nov 18 2017
bmgordon@: Excellent - thanks for making this happen!
Nov 20 2017
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chromeos/overlays/project-cheets-private/+/725e03d2816866b2debfdd62a0c7753115516d23
commit 725e03d2816866b2debfdd62a0c7753115516d23
Author: Guenter Roeck <groeck@chromium.org>
Date: Mon Nov 20 20:21:13 2017
Nov 27 2017
Nov 27 2017
http://ag/3265696 and http://ag/3265725 are merged. Once they show up in an ARC++ release, we should be able to boot 4.12 with selinux in enforcing mode. I'm starting to work on the additional changes needed for 4.14.
Dec 5 2017
http://ag/3313865 should fix 4.14. Once that gets through the PFQ, I'll remove the workaround from crrev.com/i/494314 and mark this fixed.
Dec 9 2017
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chromeos/overlays/project-cheets-private/+/01c46058be7fddf2e1d568d16054bc392e85ddd3
commit 01c46058be7fddf2e1d568d16054bc392e85ddd3
Author: Benjamin Gordon <bmgordon@chromium.org>
Date: Sat Dec 09 07:13:58 2017
Dec 15 2017
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chromeos/overlays/project-cheets-private/+/ed042e9affbd8b25e9401ea0f04cfdee8439f698
commit ed042e9affbd8b25e9401ea0f04cfdee8439f698
Author: Benjamin Gordon <bmgordon@chromium.org>
Date: Fri Dec 15 23:52:44 2017
Dec 16 2017
Comment 1 by groeck@chromium.org, Aug 15 2017