Bug · Resolution: Unresolved · Minor · rhel-8.10 · Important · rhel-security-selinux
What were you trying to do that didn't work?
Cockpit (web console)'s SELinux troubleshoot tests provoke some well-defined SELinux errors and check that setroubleshoot can fix them. One of them is to set a wrong context on ~/.ssh/authorized_keys and then try to run ssh. This triggers an AVC denial, and thus setroubleshootd suggests fixing the label to ssh_home_t:

    set -e
    mkdir -p ~/.ssh
    # throwaway key pair used only for this test
    ssh-keygen -t rsa -f ~/.ssh/test-avc-rsa -N ""
    # keep the real authorized_keys aside and restore it at the end
    mv -f ~/.ssh/authorized_keys ~/.ssh/authorized_keys.test-avc
    cat ~/.ssh/test-avc-rsa.pub >> ~/.ssh/authorized_keys
    # deliberately wrong label; sshd is not allowed to read httpd_exec_t
    chcon -t httpd_exec_t ~/.ssh/authorized_keys
    # clear audit rules, then watch attribute changes on the file so the fix is visible
    auditctl -D
    auditctl -w ~/.ssh/authorized_keys -p a
    # this login attempt is expected to fail and produce the AVC denial
    ssh -o StrictHostKeyChecking=no -o 'BatchMode=yes' -i ~/.ssh/test-avc-rsa localhost || true
    mv -f ~/.ssh/authorized_keys.test-avc ~/.ssh/authorized_keys
However, this fails quite often.
What is the impact of this issue to you?
Applying a proposed solution sometimes fails. This also causes an unstable test.
Please provide the package NVR for which the bug is seen:
setroubleshoot-server-3.3.26-6.el8.x86_64
setroubleshoot-plugins-3.3.14-1.el8.noarch
selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
How reproducible is this bug?:
Rarely. I haven't managed to reproduce it locally, but it happens quite often in our CI, with a 35% failure rate. However, there are at least three different setroubleshoot bugs (see https://github.com/cockpit-project/cockpit/pull/22185#issue-3211647176), so it's hard to say what the failure rate of this specific issue is.
However, in an intermediate version of https://github.com/cockpit-project/cockpit/pull/22185 I did an amplified run – https://cockpit-logs.us-east-1.linodeobjects.com/pull-22185-f56da34f-20250708-085600-rhel-8-10-ws-container-other-3/log.html – and that failed 3 out of 15 times.
Expected results
Applying solution works.
Actual results
Applying solution failed, see screenshot:
> warn: Unable to run fix: {"problem":null,"name":"org.freedesktop.DBus.Python.subprocess.CalledProcessError","message":"Traceback (most recent call last): File \"/usr/lib64/python3.6/site-packages/dbus/service.py\", line 707, in _message_cb retval = candidate_method(self, *args, **keywords) File \"/usr/share/setroubleshoot/SetroubleshootFixit.py\", line 41, in run_fix result = subprocess.check_output(command, universal_newlines=True) File \"/usr/lib64/python3.6/subprocess.py\", line 356, in check_output **kwargs).stdout File \"/usr/lib64/python3.6/subprocess.py\", line 438, in run output=stdout, stderr=stderr) subprocess.CalledProcessError: Command '['sealert', '-f', dbus.String('a509bf1d-b0f8-41f1-b12b-dc6188145349'), '-P', dbus.String('restorecon')]' returned non-zero exit status 3. "}
The journal may have a hint here:
Jul 08 05:15:54 rhel-8-10-127-0-0-2-2201 dbus-daemon[794]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootFixit'
Jul 08 05:15:54 rhel-8-10-127-0-0-2-2201 systemd[1]: systemd-hostnamed.service: Succeeded.
Jul 08 05:15:55 rhel-8-10-127-0-0-2-2201 org.fedoraproject.SetroubleshootFixit[2946]: ERROR:dbus.proxies:Introspect error on :1.64:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
Jul 08 05:15:55 rhel-8-10-127-0-0-2-2201 org.fedoraproject.SetroubleshootFixit[2946]: could not attach to desktop process
Jul 08 05:15:55 rhel-8-10-127-0-0-2-2201 systemd[1]: setroubleshootd.service: Succeeded.
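The D-Bus error above and the journal excerpt carry the two facts worth extracting automatically from a failed CI run: which sealert command failed with which exit status, and whether setroubleshootd left the bus (the NoReply) and exited within seconds of SetroubleshootFixit being activated. The following is an added example, not code from the report, Cockpit or setroubleshoot; it parses a trimmed copy of the reported error payload and the five journal lines, both embedded as constructed samples, and flags the activation/NoReply/exit sequence when it falls inside a short window. The window length and the journal line layout (`Mon DD HH:MM:SS host unit[pid]: message`) are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample: the journal lines from the report, one entry per line.
JOURNAL = """\
Jul 08 05:15:54 rhel-8-10-127-0-0-2-2201 dbus-daemon[794]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootFixit'
Jul 08 05:15:54 rhel-8-10-127-0-0-2-2201 systemd[1]: systemd-hostnamed.service: Succeeded.
Jul 08 05:15:55 rhel-8-10-127-0-0-2-2201 org.fedoraproject.SetroubleshootFixit[2946]: ERROR:dbus.proxies:Introspect error on :1.64:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
Jul 08 05:15:55 rhel-8-10-127-0-0-2-2201 org.fedoraproject.SetroubleshootFixit[2946]: could not attach to desktop process
Jul 08 05:15:55 rhel-8-10-127-0-0-2-2201 systemd[1]: setroubleshootd.service: Succeeded.
"""

# Constructed sample: the JSON payload of the "Unable to run fix" warning,
# with the traceback shortened to the frames that matter.
WARN_JSON = r'''{"problem":null,"name":"org.freedesktop.DBus.Python.subprocess.CalledProcessError","message":"Traceback (most recent call last): File \"/usr/share/setroubleshoot/SetroubleshootFixit.py\", line 41, in run_fix result = subprocess.check_output(command, universal_newlines=True) subprocess.CalledProcessError: Command '['sealert', '-f', dbus.String('a509bf1d-b0f8-41f1-b12b-dc6188145349'), '-P', dbus.String('restorecon')]' returned non-zero exit status 3. "}'''

# Assumed short-form journal layout: "Mon DD HH:MM:SS host unit[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<unit>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
CMD_RE = re.compile(r"Command '(\[.*?\])' returned non-zero exit status (\d+)")
# Pulls each argv element out of the printed list, unwrapping dbus.String(...).
ARG_RE = re.compile(r"(?:dbus\.String\()?'([^']*)'\)?")


def parse_fix_error(payload):
    """Return exception name, sealert argv and exit status from the warning JSON."""
    data = json.loads(payload)
    m = CMD_RE.search(data["message"])
    if not m:
        return None
    return {
        "exception": data["name"],
        "argv": ARG_RE.findall(m.group(1)),
        "exit_status": int(m.group(2)),
    }


def parse_journal(text, year=2025):
    """Split short-form journal output into timestamped entries (year is assumed)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a journal entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append({"ts": ts, "unit": m["unit"], "pid": m["pid"], "msg": m["msg"]})
    return entries


def find_fixit_race(entries, window_s=5):
    """Flag the sequence: Fixit activated, NoReply from setroubleshootd, setroubleshootd exits.

    Returns the three timestamps when setroubleshootd's exit lands within window_s
    seconds of the Fixit activation, otherwise None.
    """
    activated = next((e for e in entries
                      if "Successfully activated service 'org.fedoraproject.SetroubleshootFixit'" in e["msg"]), None)
    noreply = next((e for e in entries
                    if e["unit"] == "org.fedoraproject.SetroubleshootFixit"
                    and "org.freedesktop.DBus.Error.NoReply" in e["msg"]), None)
    exited = next((e for e in entries
                   if e["msg"].startswith("setroubleshootd.service: Succeeded")), None)
    if activated is None or noreply is None or exited is None:
        return None
    delta = (exited["ts"] - activated["ts"]).total_seconds()
    if 0 <= delta <= window_s:
        return {
            "activated_at": activated["ts"],
            "noreply_at": noreply["ts"],
            "setroubleshootd_exit_at": exited["ts"],
            "seconds_after_activation": delta,
        }
    return None


if __name__ == "__main__":
    print(parse_fix_error(WARN_JSON))
    print(find_fixit_race(parse_journal(JOURNAL)))
```

Run over the sample, `parse_fix_error` reports the `sealert -f <alert id> -P restorecon` command with exit status 3, and `find_fixit_race` reports setroubleshootd exiting one second after the Fixit service was activated; feeding a CI run's `journalctl --since` output through `parse_journal` makes it easy to tell this failure apart from the other setroubleshoot bugs mentioned above.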
I'm happy to augment the test with extra debugging calls/log collection and report back here if you have an idea what to watch out for.
Thanks!