Newly populated private volumes don’t get proper SELinux labels #8242

Closed
SiGraphics opened this issue Jun 4, 2023 · 20 comments · Fixed by QubesOS/qubes-core-agent-linux#437
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: core C: networking diagnosed Technical diagnosis has been performed (see issue comments). P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release. pr submitted A pull request has been submitted for this issue. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

@SiGraphics

Qubes OS release

R4.2.0-rc1 (and most recent 4.2 weekly build)

Brief summary

[sys-net] Connection Failure

Failed to add/activate connection

failure adding connection: error writing to file ‘/etc/NetworkManager/system-connections/{wireless name}.nmconnection’: failed to create file /etc/NetworkManager/system-connections/{wireless name}.nmconnection.46E551: Permission denied

Steps to reproduce

Install R4.2.0-rc1
Attempt to use WiFi

Expected behavior

WiFi works

Actual behavior

WiFi doesn't work

Don’t have access to a LAN connection, so unable to test.

@SiGraphics SiGraphics added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Jun 4, 2023
@andrewdavidwong andrewdavidwong added hardware support needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. C: networking labels Jun 4, 2023
@andrewdavidwong andrewdavidwong added this to the Release 4.2 milestone Jun 4, 2023
@syntheticdrek

This seems to be caused by selinux contexts not persisting in /rw when sys-net is based on a Fedora 38 disposable. A simple `sudo restorecon -vrF /rw` in sys-net resolves it in my testing. It appears that a sys-net based on non-disposable fedora-38 or a disposable debian-11 isn't affected.
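
Added example, not part of the thread or of the Qubes code: a dry-run audit around the `restorecon` workaround in the comment above, which lists what would be relabeled under `/rw` without changing anything. It assumes the `Would relabel PATH from OLD to NEW` lines that current policycoreutils prints for `restorecon -n -v`; the sample report and its type names are constructed.

```sh
#!/bin/sh
# Added example (not from the issue): audit SELinux labels with a restorecon dry run.

# Constructed sample of `restorecon -n -v -r -F /rw` output. The type names are
# illustrative; they are not taken from the issue or from Qubes policy.
sample_report() {
    cat <<'EOF'
Would relabel /rw/config/NM-system-connections from system_u:object_r:unlabeled_t:s0 to system_u:object_r:NetworkManager_etc_rw_t:s0
Would relabel /rw/config/NM-system-connections/My Wifi.nmconnection from system_u:object_r:unlabeled_t:s0 to system_u:object_r:NetworkManager_etc_rw_t:s0
Would relabel /rw/home/user from system_u:object_r:unlabeled_t:s0 to system_u:object_r:user_home_dir_t:s0
EOF
}

# Number of paths the dry run would relabel (reads the report on stdin).
count_mislabeled() { grep -c '^Would relabel ' || true; }

# "COUNT CURRENT_TYPE -> EXPECTED_TYPE" per distinct pair, most frequent first.
summarize_relabel() {
    awk '/^Would relabel / {
            # Contexts are fields NF-2 and NF, so paths containing spaces are fine.
            split($(NF-2), cur, ":"); split($NF, want, ":")
            pairs[cur[3] " -> " want[3]]++
         }
         END { for (p in pairs) print pairs[p], p }' | sort -rn
}

# Dry-run audit of a tree (default /rw); changes nothing on disk.
# Exit status 0 means every label already matches policy.
audit_labels() (
    root=${1:-/rw}
    report=$(restorecon -n -v -r -F "$root" 2>&1)
    printf '%s\n' "$report" | summarize_relabel
    [ "$(printf '%s\n' "$report" | count_mislabeled)" -eq 0 ]
)

# Demo on the constructed sample; on a real qube run: audit_labels /rw
sample_report | summarize_relabel
```

On a real qube, `audit_labels /rw` run as root gives the same summary for the live tree; a non-zero exit status means `restorecon -vrF /rw` would change something.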

@andrewdavidwong andrewdavidwong added C: Fedora diagnosed Technical diagnosis has been performed (see issue comments). and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels Jun 5, 2023
@tlaurion
Contributor

tlaurion commented Jun 12, 2023

@marmarek how to fix this on fedora38 based templates so disp sys-net can be used?

@DemiMarie

@tlaurion Looks like a missing relabel after populating /rw.

@tlaurion
Contributor

tlaurion commented Jun 26, 2023

@DemiMarie still not fixed in weekly iso? To be clear, solution provided by #8242 (comment) works on dispvm, but template is the problem. Template should be fixed.

Lack of replies here only means people are not enabling disp sys-net with fedora at install.

@tlaurion
Contributor

> It appears that a sys-net based on non-disposable fedora-38 or a disposable debian-11 isn't affected.

Ditching fedora for debian for service dispvms for now to test further Q4.2 without the annoyances on weekly isos.

@DemiMarie DemiMarie changed the title Unable to use WiFi with R4.2.0-rc1 Newly populated private volumes don’t get proper SELinux labels Jul 1, 2023
@DemiMarie DemiMarie added P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release. and removed P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Jul 1, 2023
@DemiMarie

All options offered by the installer should work out of the box. Marking as blocker.

DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue Jul 1, 2023
This is needed for disposable sys-net to work properly.  Without it
/rw is not labeled correctly, causing SELinux to (correctly) block
NetworkManager's writes to /rw/config/NM-system-connections.

Fixes: QubesOS/qubes-issues#8242
DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue Jul 1, 2023
This is needed for disposable sys-net to work properly.  Without it
/rw is not labeled correctly, causing SELinux to (correctly) block
NetworkManager's writes to /rw/config/NM-system-connections.

Fixes: QubesOS/qubes-issues#8242
@andrewdavidwong andrewdavidwong added C: core pr submitted A pull request has been submitted for this issue. and removed C: Fedora labels Jul 1, 2023
DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue Aug 3, 2023
This is needed for disposable sys-net to work properly.  Without it
/rw is not labeled correctly, causing SELinux to (correctly) block
NetworkManager's writes to /rw/config/NM-system-connections.

Fixes: QubesOS/qubes-issues#8242
DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue Aug 6, 2023
This is needed for disposable sys-net to work properly.  Without it
/rw is not labeled correctly, causing SELinux to (correctly) block
NetworkManager's writes to /rw/config/NM-system-connections.

Fixes: QubesOS/qubes-issues#8242
@tlaurion
Contributor

@andrewdavidwong andrewdavidwong added needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. and removed diagnosed Technical diagnosis has been performed (see issue comments). labels Aug 25, 2023
@tlaurion
Contributor

tlaurion commented Aug 25, 2023

@andrewdavidwong package is in the testing repo but not in test ISO's templates (weekly or openqa's). This is a corner case of "please update" that is not possible easily.

We can conclude that testers are not using dispvm sys-net over fedora still today.

@andrewdavidwong andrewdavidwong added diagnosed Technical diagnosis has been performed (see issue comments). and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels Aug 25, 2023
@andrewdavidwong
Member

> We can conclude that testers are not using dispvm sys-net over fedora still today.

Well, it looks like this was also reported in #8445, so perhaps that is not entirely true.

@DemiMarie

> > We can conclude that testers are not using dispvm sys-net over fedora still today.
>
> Well, it looks like this was also reported in #8445, so perhaps that is not entirely true.

This problem breaks updates, so it needs to be fixed via a new ISO and a new template image. @marmarek can you make sure that updated templates are available before rc2?

@Augsch123

I'm using disposable sys-net. But I have a different setup. I have a sys-net-dvm which is an app qube as the disposable template, and a sys-net which is a disposable.

I also got the same error as shown in tlaurion's screenshot when I had changed my sys-net-dvm's template qube to fedora-38 and was trying to boot up sys-net. I guessed this had to do with disposable, so I booted up sys-net-dvm and connected to wifi there. Then I shut down sys-net-dvm and booted sys-net, and the error went away, so I didn't report this to the issue tracker.

@DemiMarie

Does this problem impact anyone whose ISO includes QubesOS/qubes-core-agent-linux#437?

@tlaurion
Contributor

tlaurion commented Aug 26, 2023

> Does this problem impact anyone whose ISO includes QubesOS/qubes-core-agent-linux#437?

@DemiMarie What ISO are you referring to? Short version: This issue was closed but not fixed in templates or ISOs. Testers expect ISOs to work. The openqa ISOs and the weekly ISOs do not have updated templates containing updated package. The last ‘weekly’ iso is from August 8th. Today's openqa build might contain the fix but I'm not sure.

TLDR: Bug in fedora template installation with dispvm service VMs and sys-net. Closed but not fixed. Testers confused. Testing processes unclear. Need discussion on forum.

Possible solution: Add an installer issue tag that will trigger template rebuilds when a package that fixes an installer issue is built, so that the next openqa/weekly builds create ISOs that include the templates containing the fix? Even better: CI building templates hooking back to pr and/or back to issue to point which iso to test for an installer fix.

@marmarek
Member

> Does this problem impact anyone whose ISO includes QubesOS/qubes-core-agent-linux#437?

Probably no, but nobody tried because such ISO does not exist (yet). Fedora templates (until yesterday) were built before the fix was pushed, so any ISO did not include it. That's the whole confusion @tlaurion is talking about.
I think the simple improvement to the process would be to build templates more often (every week? every two weeks?).

@tlaurion
Contributor

tlaurion commented Aug 26, 2023

> > Does this problem impact anyone whose ISO includes QubesOS/qubes-core-agent-linux#437?
>
> Probably no, but nobody tried because such ISO does not exist (yet). Fedora templates (until yesterday) were built before the fix was pushed, so any ISO did not include it. That's the whole confusion @tlaurion is talking about.
> I think the simple improvement to the process would be to build templates more often (every week? every two weeks?).

Edited: moved this discussion unrelated to this issue to #8449

@samtinel

I don't fully understand if feedback is still asked for here, but updating qubes-core-agent to testing fixed it for me.

@andrewdavidwong
Member

This issue has been closed as resolved. If anyone believes this issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen it. Thank you.

8 participants