- Story
- Resolution: Unresolved
- Major
- rhel-10.2
- Impediment
- rhel-security-selinux
Overview
The subscription-manager component has been trying to deliver an implementation for story RHEL-108712, which adds a new capability to detect and upload package profile information about the "persistence" of an installed package (either "persistent" or "transient"). The prior selinux-policy issue RHEL-141391 was already implemented to grant rhsmcertd the permissions it needs to detect bootc/ostree-based systems. Unfortunately, the fixed policy version 42.1.17-1.el10 does not appear to be sufficient (as demonstrated below in the Current Reproducer).
Goal
- On an ostree-booted image-mode system, I want to use dnf to install a package with the --transient option and have subscription-manager upload a package profile for the newly installed package with a "transient" value for persistence.
Current Reproducer
Below is a demonstration on the latest image-mode system reserved by testing-farm, updated with selinux-policy-42.1.17-1 and an in_progress build of subscription-manager from RHEL-108712...
jsefler@jseflerP1Gen4:~$ NO_TTY=1 testing-farm reserve --compose RHEL-10.2-image-mode --arch x86_64 --duration 720 --ssh-public-key ~/.ssh/rhsm-qe.pub --no-autoconnect
💻 RHEL-10.2-image-mode on x86_64
🕗 Reserved for 720 minutes
⏳ Maximum reservation time is 720 minutes
🔎 https://api.dev.testing-farm.io/v0.1/requests/51097ccc-0377-4547-9689-001e2242a244
🌎 ssh root@10.31.15.216
jsefler@jseflerP1Gen4:~$ ssh root@10.31.15.216
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# rpm-ostree override replace --quiet https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/vol/rhel-10/packages/selinux-policy/42.1.17/1.el10/noarch/selinux-policy-42.1.17-1.el10.noarch.rpm https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/vol/rhel-10/packages/selinux-policy/42.1.17/1.el10/noarch/selinux-policy-targeted-42.1.17-1.el10.noarch.rpm
Downloading https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/vol/rhel-10/packages/selinux-policy/42.1.17/1.el10/noarch/selinux-policy-42.1.17-1.el10.noarch.rpm...done
Downloading https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/vol/rhel-10/packages/selinux-policy/42.1.17/1.el10/noarch/selinux-policy-targeted-42.1.17-1.el10.noarch.rpm...done
Use "rpm-ostree override reset" to undo overrides
Run "systemctl reboot" to start a reboot
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# rpm-ostree override replace --quiet https://jenkins-csb-rhsm-prod.dno.corp.redhat.com/view/QE-RPMs/job/rhsm_main.el10/208/artifact/rpms/x86_64/subscription-manager.rpm https://jenkins-csb-rhsm-prod.dno.corp.redhat.com/view/QE-RPMs/job/rhsm_main.el10/208/artifact/rpms/x86_64/python3-cloud-what.rpm https://jenkins-csb-rhsm-prod.dno.corp.redhat.com/view/QE-RPMs/job/rhsm_main.el10/208/artifact/rpms/x86_64/python3-subscription-manager-rhsm.rpm https://jenkins-csb-rhsm-prod.dno.corp.redhat.com/view/QE-RPMs/job/rhsm_main.el10/208/artifact/rpms/x86_64/libdnf-plugin-subscription-manager.rpm
Downloading https://jenkins-csb-rhsm-prod.dno.corp.redhat.com/view/QE-RPMs/job/rhsm_main.el10/208/artifact/rpms/x86_64/subscription-manager.rpm...done
Downloading https://jenkins-csb-rhsm-prod.dno.corp.redhat.com/view/QE-RPMs/job/rhsm_main.el10/208/artifact/rpms/x86_64/python3-cloud-what.rpm...done
Downloading https://jenkins-csb-rhsm-prod.dno.corp.redhat.com/view/QE-RPMs/job/rhsm_main.el10/208/artifact/rpms/x86_64/python3-subscription-manager-rhsm.rpm...done
Downloading https://jenkins-csb-rhsm-prod.dno.corp.redhat.com/view/QE-RPMs/job/rhsm_main.el10/208/artifact/rpms/x86_64/libdnf-plugin-subscription-manager.rpm...done
Use "rpm-ostree override reset" to undo overrides
Run "systemctl reboot" to start a reboot
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# systemctl reboot
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# Connection to 10.31.15.216 closed by remote host.
Connection to 10.31.15.216 closed.
jsefler@jseflerP1Gen4:~$ ssh root@10.31.15.216
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# dnf install setools-console --transient -y --quiet
A writable overlayfs is prepared for /usr, but is mounted read-only by default.
All changes there will be discarded on reboot.
Installed:
setools-console-4.6.0-2.el10.x86_64
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# rpm -qa selinux-policy\*
selinux-policy-42.1.17-1.el10.noarch
selinux-policy-targeted-42.1.17-1.el10.noarch
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# semanage fcontext -l | grep ostree-booted
/run/ostree-booted all files system_u:object_r:install_var_run_t:s0
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# sesearch -s rhsmcertd_t -t install_var_run_t -c file -p read --allow
allow rhsmcertd_t install_var_run_t:file { getattr ioctl lock open read };
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# rpm -q subscription-manager
subscription-manager-1.30.11+18.g1509dcf51-1.git.0.1b1bf50.x86_64
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# rpm -q subscription-manager --changelog | grep "persistence"
- test: added new tests for the persistence related implemented functions
- feat: added package persistence info in packages profile (macano@redhat.com)
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# subscription-manager config --rhsm.report_package_profile=1 --rhsm.package_profile_on_trans=1
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# subscription-manager register
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: **REDACTED**
Password:
The system has been registered with ID: 12fb218f-0d6b-430a-9ba0-5c98d5e0a978
The registered system name is: 4fc4a62c-85f5-42a3-b23d-f7831eb52640
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# truncate --size=0 /var/log/audit/audit.log
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# dnf install zsh --transient --quiet --assumeyes
Installed:
zsh-5.9-15.el10.x86_64
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# cat /var/lib/rhsm/cache/profile.json | jq '.rpm[] | select(.name == "zsh")'
{
"name": "zsh",
"version": "5.9",
"release": "15.el10",
"arch": "x86_64",
"epoch": 0,
"vendor": "Red Hat, Inc.",
"persistence": "persistent" <==== EXPECTING "transient"
}
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# grep "denied" /var/log/audit/audit.log
type=AVC msg=audit(1772125905.240:344): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=545259709 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.240:345): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=176161488 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.244:346): avc: denied { read } for pid=1843 comm="rhsm-package-pr" name="repo" dev="xvda4" ino=16908416 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1772125905.304:347): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=545259709 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.304:348): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=176161488 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.334:349): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=545259709 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.334:350): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=176161488 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.440:351): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=545259709 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.440:352): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=176161488 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
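As an added triage aid (not part of this report or of selinux-policy), the script below parses the AVC lines above and collapses them into the distinct source type / target type / class tuples with the union of denied permissions, the same grouping audit2allow performs; the embedded input is a constructed subset of the denials shown above.

```python
import re
from collections import OrderedDict

# Denials copied from the audit.log excerpt above (a constructed subset: one
# duplicate and the two distinct targets are enough to show the aggregation).
AVC_LINES = """\
type=AVC msg=audit(1772125905.240:344): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=545259709 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.240:345): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=176161488 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1772125905.244:346): avc: denied { read } for pid=1843 comm="rhsm-package-pr" name="repo" dev="xvda4" ino=16908416 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1772125905.304:347): avc: denied { write } for pid=1843 comm="rhsm-package-pr" name="rpmdb.sqlite-wal" dev="overlay" ino=545259709 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'name="(?P<name>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(ctx):
    """Extract the type from a user:role:type:level context string."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return the fields of one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    return d

def summarize(text):
    """Collapse repeated denials into (source, target, class) -> perms/names."""
    rules = OrderedDict()
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        entry = rules.setdefault(key, {"perms": set(), "names": set()})
        entry["perms"] |= d["perms"]
        entry["names"].add(d["name"])
    return rules

def to_te_rules(rules):
    """Render the summary as allow rules, in the shape audit2allow prints."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
            for (s, t, c), e in rules.items()]
```

The unlabeled_t target and a write to generic usr_t files suggest the rpmdb copy on the overlay and the repo directory carry generic labels, so the rendered rules are a triage summary of what rhsmcertd_t is missing, not the policy change to ship as-is.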
Expected Results
Sufficient SELinux policy allowances are needed so that "transient" persistence is detected while enforcing, as it is below when SELinux is switched to permissive on the same ostree-booted image-mode system used above...
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# setenforce 0
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# dnf reinstall zsh --transient --quiet --assumeyes
Reinstalled:
zsh-5.9-15.el10.x86_64
[root@4fc4a62c-85f5-42a3-b23d-f7831eb52640 ~]# cat /var/lib/rhsm/cache/profile.json | jq '.rpm[] | select(.name == "zsh")'
{
"name": "zsh",
"version": "5.9",
"release": "15.el10",
"arch": "x86_64",
"epoch": 0,
"vendor": "Red Hat, Inc.",
"persistence": "transient" <======== VERIFIED: THIS IS OUR GOAL
}
- blocks: RHEL-108712 Send package persistence information in package profile (In Progress)
- is triggered by: RHEL-141391 Update rhsmcertd SELinux policies to let /run/ostree-booted be consulted (Release Pending)