Memory ballooning issue is back for the fedora-41 template

[lubellier]

Qubes OS release

Qubes OS 4.2.3

Brief summary

The fedora-41 template based AppVMs stay to the minimal memory limit.
Other users got also this issue, see the related topic in the forum.

Steps to reproduce

1. Update your fedora-41 template with the fedora and QubesOS repositories
2. Start the XX AppVM (with the fedora-41 template)
3. Check XX prefs are memory 400MB / maxmem 4000MB
4. Start Firefox and browse the web
5. The XX current memory stays to 400MB

Expected behavior

The XX current memory should grow over 400MB.

Actual behavior

Related to Fedora 41 template / selinux

Done checks

Is there any manual action we can do to fix an already installed template, or do we need to reinstall from this new template?

Try removing /.qubes-relabeled in the template and restarting it - it should fix labels on startup; it may take some time, might require increasing qrexec_timeout property.

I did the /.qubes-relabeled removing / qrexec_timeout procedure in the fedora-41 template, the relabel job executed and re-created the /.qubes-relabeled file as expected:

fedora-41 logs:

[2024-12-21 14:34:23] [.[0m.[0;31m*     .[0m] Job qubes-relabel-root.service/start running (3s / no limit)
...
.[K[  .[0;31m*.[0;1;31m*.[0m.[0;31m* .[0m] Job qubes-relabel-root.service/start running (1min 9s / no limit)
...
[2024-12-21 14:35:28] [   71.312855] reboot: System halted

On next boot:

[user@tpl-f41 ~]$ ls -al /.qubes-relabeled 
-rw-r--r--. 1 root root 0 Dec 21 14:35 /.qubes-relabeled

Logs of the XX AppVM:

[2024-12-21 14:50:02] [   35.492145] audit: type=1400 audit(1734792602.359:123): avc:  denied  { read } for  pid=621 comm="qrexec-agent" name="meminfo-writer.pid" dev="tmpfs" ino=784 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

[marmarek]

I think the issue is that %post selinux trigger should run also on selinux-policty-targeted update (%triggerin -- selinux-policy or %triggerin -- selinux-policy-targeted).
@DemiMarie what is the easiest way to do that, without duplicating the whole thing? I guess moving it to a macro that is used in both places would be very ugly, right? Maybe move it to a separate script and call that script when needed?
But also, can the relabel happen on update, or relabel on next boot is the only option?

[DemiMarie]

@marmarek Both a macro and a script would work. An online relabel is racy and might or might not work, or it might work most of the time and fail occasionally. However, I expect that most policy upgrades do not require a relabel, and in any case whether a relabel should happen is up to Fedora, not Qubes OS, except for upgrades to our own policy.

[marmarek]

It seems that's not the correct diagnosis. After the update, file_contexts.subs is correct (has qubes parts). But, file_context is missing some. My current hypothesis is that some of the %selinux_relabel_* macros are missing.

[marmarek]

That's not it either...
The current behavior is weird. After update /run/meminfo-writer.pid gets wrong label (var_run_t). But if I run restorecon /run/meminfo-writer.pid, it gets corrected to qubes_meminfo_writer_var_run_t, so it looks like the policy does have appropriate part included. This behaves the same after reboot, so it isn't just some relabel during update.

[marmarek]

And at the same time, files in /run/qubes seems to be correctly labeled (except /run/qubes/qubesdb.sock which also got var_run_t...).

[marmarek]

As for /run/qubes/qubesdb.sock, it's really weird:

1. After template boot: var_run_t
2. After restorecon /run/qubes/qubesdb.sock: qubes_qubesdb_socket_t (this is the correct one)
3. After systemctl restart qubes-db: qubes_var_run_t

I'm confused...

[Minimalist73]

While doing some tests, I noticed that reinstalling qubes-utils-selinux selinux-policy and selinux-policy-targeted fix the labels.
But, If i reinstall only qubes-utils-selinux, it doesn't.
Same for reinstalling qubes-utils-selinux selinux-policy or qubes-utils-selinux selinux-policy-targeted. It always need both selinux-policy-targeted selinux-policy and qubes-utils-selinux to work.
I'm not sure why it does work like this. The only thing different from F40 is that a restorecon is started in the selinux-policy-targeted scriptlet on both /usr/sbin and /usr/bin

[DemiMarie]

If I start with the Fedora 41 minimal template, install selinux-policy and a few other packages (I think qubes-gpg-sign, qubes-core-agent-passwordless-root, and some Salt stuff), enable SELinux on the kernel command line, and reboot a few times, the system eventually relabels itself and reaches a state where /run/qubes/qubesdb.sock has the correct context, as does /run/meminfo-writer.pid.

I think the best place to get help is from upstream Fedora.

[DemiMarie]

That's not it either... The current behavior is weird. After update /run/meminfo-writer.pid gets wrong label (var_run_t). But if I run restorecon /run/meminfo-writer.pid, it gets corrected to qubes_meminfo_writer_var_run_t, so it looks like the policy does have appropriate part included. This behaves the same after reboot, so it isn't just some relabel during update.

Which package was updated?

[DemiMarie]

@marmarek: can you check if a full relabel followed by two reboots solves the problem?

[DemiMarie]

I'm not sure why it does work like this. The only thing different from F40 is that a restorecon is started in the selinux-policy-targeted scriptlet on both /usr/sbin and /usr/bin

If this happens while file_context is missing some entries, that could explain the problems.

[marmarek]

@marmarek: can you check if a full relabel followed by two reboots solves the problem?

Why multiple relabels/reboots would change anything? We are talking about /run, which doesn't survive reboot...

[marmarek]

FWIW manually forcing full relabel does not help.
But while at it, I found this:

-----w--w-. 1 root root 0 Nov 30 13:33 /.qubes-relabeled

interesting mode...

[marmarek]

Diff of the resulting file_contexts file before and after updating selinux-policy-targeted contains this:

@@ -5149,7 +5153,6 @@
 /usr/bin/livecd-creator	--	system_u:object_r:livecd_exec_t:s0
 /usr/bin/lttng-sessiond	--	system_u:object_r:lttng_sessiond_exec_t:s0
 /usr/bin/mariadb-backup	--	system_u:object_r:mysqld_exec_t:s0
-/usr/bin/meminfo-writer	--	system_u:object_r:qubes_meminfo_writer_exec_t:s0
 /usr/bin/modules-update	--	system_u:object_r:kmod_exec_t:s0
 /usr/bin/mount\.ecryptfs	--	system_u:object_r:mount_ecryptfs_exec_t:s0
 /usr/bin/neutron-server	--	system_u:object_r:neutron_exec_t:s0
@@ -5160,7 +5163,6 @@
 /usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t:s0
 /usr/bin/qemu-pr-helper	--	system_u:object_r:virtd_exec_t:s0
 /usr/bin/quantum-server	--	system_u:object_r:neutron_exec_t:s0
-/usr/bin/qubesdb-daemon	--	system_u:object_r:qubes_qubesdb_daemon_exec_t:s0
 /usr/bin/restart-dirsrv	--	system_u:object_r:initrc_exec_t:s0
 /usr/bin/roundup-server	--	system_u:object_r:roundup_exec_t:s0
 /usr/bin/samba-gpupdate	--	system_u:object_r:samba_gpupdate_exec_t:s0

This looks okay, as both files are in fact in /usr/sbin, not /usr/bin. And entries for /usr/sbin are still there. What I think is happening is that %post script of the policy package does /usr/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore, which should relabel only files that changed labels. So far so good. But then we have /etc/selinux/targeted/contexts/files/file_contexts.subs_dist:

...
/usr/sbin            /usr/bin

So, I think fixfiles thinks /usr/sbin/qubesdb-daemon lost its entry too.

In fact, there is surprisingly little entries for /usr/sbin/ in the default policy (2 from qubes and 2 from other packages), but there are a lot of custom-labeled files in /usr/sbin. Maybe, due to the above subst rule we should have /usr/bin in the policy even though files live in /usr/sbin?

[marmarek]

There is /usr/libexec/selinux/binsbin-convert.sh that adds /usr/bin entries for /usr/sbin lines. Running it (with targeted parameter) restores those entries. selinux-policy.spec has this:

%posttrans targeted
%checkConfigConsistency targeted
%{_libexecdir}/selinux/varrun-convert.sh targeted
%{_libexecdir}/selinux/binsbin-convert.sh targeted
...

%triggerin -- fapolicyd-selinux
%{_libexecdir}/selinux/binsbin-convert.sh targeted
%{_sbindir}/restorecon /usr/sbin/fapolicyd*

%triggerin -- usbguard-selinux
%{_libexecdir}/selinux/binsbin-convert.sh targeted
%{_sbindir}/restorecon /usr/sbin/usbguard*

So, theoretically it should be called after the update, but I guess something went wrong here. And as can be seen above, there are specific packages that has it applied to via triggers. This binsbin-convert.sh thing, and the aliasing of bin-sbin seems to be Fedora-specific. Currently we don't enable SELinux on other distributions, but as can be seen in this issue, it's very tricky interaction.

I think the most reliable solution would be to add /usr/bin entries to our policy for all /usr/sbin binaries manually (have them more or less duplicated). This should fix the situation on Fedora (to be tested), regardless if binsbin-convert.sh works. And also should not be a problem in the future on non-Fedora systems not having this magic merging.

[lubellier]

The today stable fedora-41 template update fixed the issue. 👍

I noted some errors about the SELinux policy on package installation :

...
python3-aiosignal-1.3.2-1.fc41.noarch: Installed
qubes-db-4.2.7-1.fc41.x86_64: Upgrade
python3-tempora-5.7.0-1.fc41.noarch: Installed
python3-portend-3.2.0-6.fc41.noarch: Installed
python3-jaraco-classes-3.4.0-3.fc41.noarch: Installed
qubes-utils-selinux-4.2.19-1.fc41.x86_64: Upgrade
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.33:  Cannot allocate memory
/sbin/load_policy:  Can't load policy:  Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.33:  Cannot allocate memory
/sbin/load_policy:  Can't load policy:  Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
/usr/sbin/semodule:  Failed!
qubes-utils-libs-4.2.19-1.fc41.x86_64: Upgrade
qubes-db-vm-selinux-4.2.7-1.fc41.x86_64: Upgrade
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.33:  Cannot allocate memory
/sbin/load_policy:  Can't load policy:  Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.33:  Cannot allocate memory
/sbin/load_policy:  Can't load policy:  Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
/usr/sbin/semodule:  Failed!
python3-qubesimgconverter-4.2.19-1.fc41.x86_64: Upgrade
libxcrypt-4.4.37-1.fc41.x86_64: Upgrade
python3-aiohappyeyeballs-2.4.4-1.fc41.noarch: Installed
c-ares-1.34.4-1.fc41.x86_64: Installed
python3-pycares-4.3.0-9.fc41.x86_64: Installed
...

[Solomon1732]

The same updates prevented it for me in unaffected templates. I didn't notice such errors on my end, though.

[chkmue]

I am wondering if this issue is back with the latest Fedora 41 updates which I installed about an hour ago today. If I open a few programs my work qube becomes very laggy and in the log I see messages like this:

[2025-01-11 18:49:20] [  579.841249] systemd-journald[383]: Under memory pressure, flushing caches.
[2025-01-11 18:49:25] [  584.754589] systemd-journald[383]: Under memory pressure, flushing caches.
[2025-01-11 18:49:28] [  588.183516] systemd-journald[383]: Under memory pressure, flushing caches.
[2025-01-11 18:49:30] [  589.622584] xen:grant_table: g.e. 0x20 still pending
[2025-01-11 18:49:30] [  589.622610] xen:grant_table: g.e. 0x31 still pending
[2025-01-11 18:49:30] [  589.622624] xen:grant_table: g.e. 0x1e still pending

In the update history I can see that selinux got some updates:

[user@fedora-41-xfce ~]$ dnf5 history info 1
Transaction ID : 1
Begin time     : 2024-12-22 18:48:32
Begin rpmdb    : 0b7e1f84a0c27f2f807f898bc72e35a63727b2b1b68498f6dd60422e15ad054b
End time       : 2024-12-22 18:50:27
End rpmdb      : 2e93004491248234d9da80547827b99df88a8a2a8f73aacc08a0923f2ba2ea15
User           : 1000 <user>
Status         : Ok
Releasever     : 41
Description    : /usr/bin/dnf reinstall libselinux libselinux-utils python3-libselinux qubes-core-qrexec-vm-selinux qubes-gui-agent-selinux flatpak-selinux snapd-selinux qubes-db-vm-selinux qubes-utils-selinux rpm-plugin-selinux qubes-core-agent-selinux selinux-policy selinux-policy-targeted
Comment        : 
Packages altered:
  Action    Package                                             Reason        Repository
  Reinstall libselinux-0:3.7-5.fc41.x86_64                      External User fedora
  Reinstall libselinux-utils-0:3.7-5.fc41.x86_64                Dependency    fedora
  Reinstall python3-libselinux-0:3.7-5.fc41.x86_64              Dependency    fedora
  Reinstall qubes-core-qrexec-vm-selinux-0:4.2.21-1.fc41.x86_64 Dependency    qubes-vm-r4.2-current
  Reinstall qubes-gui-agent-selinux-0:4.2.19-1.fc41.noarch      Dependency    qubes-vm-r4.2-current
  Reinstall flatpak-selinux-0:1.15.12-1.fc41.noarch             Dependency    updates
  Reinstall snapd-selinux-0:2.66.1-1.fc41.noarch                Dependency    updates
  Reinstall qubes-db-vm-selinux-0:4.2.6-1.fc41.x86_64           Dependency    qubes-vm-r4.2-current
  Reinstall qubes-utils-selinux-0:4.2.18-1.fc41.x86_64          Dependency    qubes-vm-r4.2-current
  Reinstall rpm-plugin-selinux-0:4.20.0-1.fc41.x86_64           Dependency    fedora
  Reinstall qubes-core-agent-selinux-0:4.2.39-1.fc41.noarch     Dependency    qubes-vm-r4.2-current
  Reinstall selinux-policy-0:41.27-1.fc41.noarch                Dependency    updates
  Reinstall selinux-policy-targeted-0:41.27-1.fc41.noarch       User          updates
  Replaced  flatpak-selinux-0:1.15.12-1.fc41.noarch             Dependency    @System
  Replaced  libselinux-0:3.7-5.fc41.x86_64                      External User @System
  Replaced  libselinux-utils-0:3.7-5.fc41.x86_64                Dependency    @System
  Replaced  python3-libselinux-0:3.7-5.fc41.x86_64              Dependency    @System
  Replaced  qubes-core-agent-selinux-0:4.2.39-1.fc41.noarch     Dependency    @System
  Replaced  qubes-core-qrexec-vm-selinux-0:4.2.21-1.fc41.x86_64 Dependency    @System
  Replaced  qubes-db-vm-selinux-0:4.2.6-1.fc41.x86_64           Dependency    @System
  Replaced  qubes-gui-agent-selinux-0:4.2.19-1.fc41.noarch      Dependency    @System
  Replaced  qubes-utils-selinux-0:4.2.18-1.fc41.x86_64          Dependency    @System
  Replaced  rpm-plugin-selinux-0:4.20.0-1.fc41.x86_64           Dependency    @System
  Replaced  selinux-policy-0:41.27-1.fc41.noarch                Dependency    @System
  Replaced  selinux-policy-targeted-0:41.27-1.fc41.noarch       User          @System
  Replaced  snapd-selinux-0:2.66.1-1.fc41.noarch                Dependency    @System

Let me know if there is anything else I should check to find the root cause. Thanks.

[marmarek]

How much memory that qube has at the time?

[chkmue]

I set initial memory 1600 MB and max memory to 16000 MB.
But when I run free -hm I get this:

[user@work var]$ free -hm
               total        used        free      shared  buff/cache   available
Mem:           1.5Gi       1.3Gi        93Mi        76Mi       356Mi       236Mi
Swap:          1.0Gi       679Mi       344Mi

[Solomon1732]

I can confirm the issue is back. My sys-firewall is set to 4000MB in its settings. After this last update which included selinux, it is down to a 500MB limit.

Edit: This workaround still works #9663 (comment)

[Minimalist73]

I got this issue back too today after the latest selinux-policy and selinux-policy-targeted update that was pushed to stable recently. It can be fixed by running the Qubes Updater a second time after the update with the recently included plugin but will come back at the next update.
After troubleshooting a bit, I noticed that the /usr/bin/meminfo-writer file context was not included in /etc/selinux/targeted/contexts/files/file_contexts. I then vaguely remembered that I got a scriptlet error output when the new qubes selinux related packages were uploaded in the testing repositories, which could mean they were not installed correctly. After reinstalling qubes-utils-selinux, the context was added correctly and running restorecon -R /usr/sbin (or reinstalling both selinux-policy and selinux-policy-targeted) worked as intended.

[marmarek]

Out of 4 fedora-41-xfce templates, I can reproduce the issue on only one. There, I have this:

grep meminfo /etc/selinux/targeted/contexts/files/ -r
grep: /etc/selinux/targeted/contexts/files/file_contexts.bin: binary file matches
/etc/selinux/targeted/contexts/files/file_contexts:/run/meminfo-writer\.pid	--	system_u:object_r:qubes_meminfo_writer_var_run_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/meminfo-writer	--	system_u:object_r:qubes_meminfo_writer_exec_t:s0

But I have qubes-utils-selinux-4.2.19-1.fc41.x86_64 already installed, which should include also /usr/bin/meminfo-writer in the policy. I don't see any errors during latest update (that included selinux-policy-targeted).
Timestamp of the file_contexts file suggests it was regenerated on update.

[Minimalist73]

But I have qubes-utils-selinux-4.2.19-1.fc41.x86_64 already installed,

Do you remember if you had any scriptlet errors while installing this update when it was pushed to the testing repository?
It was pushed at the same time as the qrexec and qubesdb ones if I remember and because of the low memory some of them were having a semodule failed output from the scriptlet. That's why reinstalling the qubes-utils-selinux-4.2.19-1.fc41.x86_64 package worked on my side and added the file context correctly. It would also explain why some templates are affected and some not because it was failing quite randomly.
With this in mind, we could add that file context with the plugin if it's missing.

[DemiMarie]

Packages with SELinux policy changes cannot install successfully with only 400MiB RAM. The updater plugin needs to check that the packages have been installed properly and if they have not, reinstall them after increasing the amount of memory available.

[Solomon1732]

If you meant me, I wrote four zeros, as in four thousand, not four hundred. If you didn't mean me then never mind.

Edit: As for the fedora template itself, its minimum is four hundred, 2000MB max.

[ben-grande]

Packages with SELinux policy changes cannot install successfully with only 400MiB RAM.

Can this be enough reason to rebuild the fedora-41 template?

[marmarek]

That won't help users with this issue.
The updater sets the label explicitly now. It may be necessary to run the updater twice.

[ben-grande]

That won't help users with this issue.

I didn't specify, sorry... My proposal is aimed at users that haven't installed the template yet so they don't face these problems like having to run the updater twice. Nevermind, I think I can handle it...

Packages with SELinux policy changes cannot install successfully with only 400MiB RAM.

Reading this again makes me thing that if any SELinux policy changes needs to be added to fix qmemman again, any template or standalone that has the minimum amount of memory set to 400MiB will need to increase it permanently to be "future proof".

[marmarek]

Reading this again makes me thing that if any SELinux policy changes needs to be added to fix qmemman again, any template or standalone that has the minimum amount of memory set to 400MiB will need to increase it permanently to be "future proof".

When qmemman works, this isn't an issue in practice, and when it doesn't, rebuilding SELinux policy is just one of many issues... In fact, the thing that breaks with qmemman ist just qrexec signaling qmemman (or rather: meminfo-writer service) that it should start reporting memory usage (via sending USR1 signal), otherwise qmemman is functional. Maybe the updater should send the signal itself, just in case?

As for changing initial memory, that isn't a good idea - settings on templates are used as default values for appvms based on it, so if you increase initial memory for the template, then all your vms will use more initially.

[ben-grande]

otherwise qmemman is functional. Maybe the updater should send the signal itself, just in case?

I agree it should be done to avoid having to rerun the update.

Problem is greater when installing a salt formula chained with highstate. As a state from a qube can't depend on another, if updating the fedora template fails, the next state such as cloning the fedora template will still occur having one more copy of a bad tree that will later be used to create other qubes based on this new template.

Sure, I could do error checking with each qubesctl command using state.apply, to break the installation if any fails... which may be needed on other circumstances.

As for changing initial memory, that isn't a good idea - settings on templates are used as default values for appvms based on it, so if you increase initial memory for the template, then all your vms will use more initially.

I agree, I don't want it also, just trying to see if it was needed at all and I was wrong. Thanks for the explanation as always.

[Minimalist73]

In fact, the thing that breaks with qmemman ist just qrexec signaling qmemman (or rather: meminfo-writer service) that it should start reporting memory usage (via sending USR1 signal), otherwise qmemman is functional. Maybe the updater should send the signal itself, just in case?

I just made a pull request based on that idea to replace the service restart which is unreliable.

[DemiMarie]

Why does qrexec need to tell qmemman to start reporting memory usage? That seems like a rather pointless requirement. Also, should the updater check if the policy is busted and forcibly reinstall the policy packages?