CoreOS stable (899.15.0) polkit segfault using selinux #1258

Closed
thetechnick opened this Issue Apr 29, 2016 · 9 comments

thetechnick commented Apr 29, 2016

I wanted to set up a selinux secured coreos cluster, but after setting the selinux mode to "enforcing" and restarting the machine, every call to systemd results in polkitd segfaulting.

To enable selinux enforcing I followed the steps here:
https://coreos.com/os/docs/latest/selinux.html

At first I thought that this might be an issue on my baremetal installation, but I can reproduce this behavior on plain CoreOS stable (899.15.0) installations on VirtualBox, digitalocean and baremetal.

The selinux integration is a critical requirement for my setup, so any help is very welcome.

Example Output (digitalocean):

core@coreos-512mb-fra1-01 ~ $ systemctl restart etcd2
Error getting authority: Error initializing authority: Error calling StartServiceByName for org.freedesktop.PolicyKit1: Timeout was reached (g-io-error-quark, 24)
Could not watch jobs: Connection timed out

core@coreos-512mb-fra1-01 ~ $ systemctl status polkit -l
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib64/systemd/system/polkit.service; static; vendor preset: disabled)
   Active: failed (Result: signal) since Fri 2016-04-29 16:58:26 UTC; 1min 43s ago
     Docs: man:polkit(8)
  Process: 985 ExecStart=/usr/lib/polkit-1/polkitd --no-debug (code=killed, signal=SEGV)
 Main PID: 985 (code=killed, signal=SEGV)

Apr 29 16:58:26 coreos-512mb-fra1-01 systemd[1]: Starting Authorization Manager...
Apr 29 16:58:26 coreos-512mb-fra1-01 polkitd[985]: Started polkitd version 0.113
Apr 29 16:58:26 coreos-512mb-fra1-01 systemd[1]: polkit.service: Main process exited, code=killed, status=11/SEGV
Apr 29 16:58:26 coreos-512mb-fra1-01 systemd[1]: Failed to start Authorization Manager.
Apr 29 16:58:26 coreos-512mb-fra1-01 systemd[1]: polkit.service: Unit entered failed state.
Apr 29 16:58:26 coreos-512mb-fra1-01 systemd[1]: polkit.service: Failed with result 'signal'.

mischief commented Apr 29, 2016

i can't seem to reproduce this. i've run a 899.15.0 vm in qemu, and run:

sudo setenforce 1
systemctl status polkit -l
coredumpctl --no-pager --no-legend list | wc -l

coredumpctl reports no core dumps.

any extra advice on reproducing this?

thetechnick commented Apr 29, 2016

Hi, thanks for your reply.
Make the selinux option permanent, setting the option in the /etc/selinux/config file.
If you then restart the virtual machine and use a systemd command, polkit will crash.

Setting selinux enforcing during runtime works. It also works if you deactivate selinux enforcing temporarily using sudo setenforce 0 and reactivate it right after.

Edit: I just started a new digitalocean droplet using 899.15.0, reproducing the issue, but coredumpctl returns no results:

CoreOS stable (899.15.0)
core@coreos-512mb-fra1-01 ~ $ sudo vim /etc/selinux/config
core@coreos-512mb-fra1-01 ~ $ sudo cp --remove-destination $(readlink -f /etc/selinux/config) /etc/selinux/config
core@coreos-512mb-fra1-01 ~ $ sudo vim /etc/selinux/config
core@coreos-512mb-fra1-01 ~ $ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mcs
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30
core@coreos-512mb-fra1-01 ~ $ sudo reboot



CoreOS stable (899.15.0)
core@coreos-512mb-fra1-01 ~ $ systemctl restart etcd2
Error getting authority: Error initializing authority: Error calling StartServiceByName for org.freedesktop.PolicyKit1: Timeout was reached (g-io-error-quark, 24)
Could not watch jobs: Connection timed out
core@coreos-512mb-fra1-01 ~ $ systemctl status polkit -l
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib64/systemd/system/polkit.service; static; vendor preset: disabled)
   Active: failed (Result: signal) since Fri 2016-04-29 19:03:18 UTC; 31s ago
     Docs: man:polkit(8)
  Process: 973 ExecStart=/usr/lib/polkit-1/polkitd --no-debug (code=killed, signal=SEGV)
 Main PID: 973 (code=killed, signal=SEGV)

Apr 29 19:03:18 coreos-512mb-fra1-01 systemd[1]: Starting Authorization Manager...
Apr 29 19:03:18 coreos-512mb-fra1-01 polkitd[973]: Started polkitd version 0.113
Apr 29 19:03:18 coreos-512mb-fra1-01 systemd[1]: polkit.service: Main process exited, code=killed, status=11/SEGV
Apr 29 19:03:18 coreos-512mb-fra1-01 systemd[1]: Failed to start Authorization Manager.
Apr 29 19:03:18 coreos-512mb-fra1-01 systemd[1]: polkit.service: Unit entered failed state.
Apr 29 19:03:18 coreos-512mb-fra1-01 systemd[1]: polkit.service: Failed with result 'signal'.
core@coreos-512mb-fra1-01 ~ $ coredumpctl --no-pager --no-legend list | wc -l
No coredumps found.
0

mischief commented Apr 29, 2016

ok, i can reproduce this by setting SELINUX=enforcing and rebooting.

unfortunately there is no coredump, which is strange.

thetechnick commented Apr 29, 2016

Just curious: Is this setup somehow unusual?
I wonder why this has not come up earlier.

Btw. if I can somehow help finding the source of this issue, let me know.
(But please mind that I have no clue about the inner workings of systemd or selinux ;) )

mischief commented Apr 29, 2016

i believe we may be missing an appropriate selinux policy for polkit. unsure why it didn't come up before.

the relevant failure appears to be:

[pid   769] mmap(NULL, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 <unfinished ...>
[pid   769] <... mmap resumed> )        = -1 EACCES (Permission denied)
[pid   769] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x10} ---

so, mmap fails (due to selinux?) and appears to deref the NULL, so it crashes.

/cc @mjg59
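
An added example, not part of the original thread and not polkit's code: the mmap request from the strace above with its result checked against MAP_FAILED, so that a denied mapping is reported to the caller instead of being dereferenced. The names jit_region_alloc and choose_exec_mode and the interpreter fallback are hypothetical.

```c
/* Added illustration: not polkit's or its JavaScript engine's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical helper: ask for writable+executable anonymous memory, the same
 * request seen in the strace above. Returns NULL (never MAP_FAILED) on failure
 * and stores errno in *err so the caller can pick a non-JIT path. */
static void *jit_region_alloc(size_t len, int *err)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {      /* MAP_FAILED is (void *)-1, not NULL */
        *err = errno;           /* EACCES when SELinux denies execmem */
        return NULL;
    }
    *err = 0;
    return p;
}

enum exec_mode { MODE_JIT, MODE_INTERPRETER };

/* Hypothetical caller: degrade to an interpreter-only mode when denied. */
static enum exec_mode choose_exec_mode(size_t len, void **region, int *err)
{
    *region = jit_region_alloc(len, err);
    return *region ? MODE_JIT : MODE_INTERPRETER;
}

int main(void)
{
    void *region;
    int err;
    enum exec_mode m = choose_exec_mode(65536, &region, &err);
    if (m == MODE_JIT) {
        printf("RWX mapping granted at %p; execmem is permitted here\n", region);
        munmap(region, 65536);
    } else {
        printf("RWX mapping refused (%s); running without JIT\n", strerror(err));
    }
    return 0;
}
```

Run under an enforcing policy with execmem denied, the program takes the second branch and exits normally; with the boolean enabled it takes the first.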

mjg59 commented May 5, 2016

You can work around this for now by doing the following:

rm /etc/selinux/mcs
cp -a /usr/lib/selinux/mcs /etc/selinux
echo "allow_execmem = true" > /etc/selinux/mcs/booleans

and then rebooting. Apologies for this - polkit appears to have started using a JIT for javascript parsing, despite the code indicating that it shouldn't be doing that.

mjg59 commented May 5, 2016

thetechnick commented May 6, 2016

Thanks for your workaround!
This issue is also related to missing selinux permissions: #1270

crawford commented May 25, 2016

This was fixed in 1045.0.0 and backported to 1010.4.0.

crawford closed this May 25, 2016
