Bug 1001425

Summary: unable to change the installation source
Product: [Fedora] Fedora Reporter: lnie <lnie>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: anaconda-maint-list, dshea, g.kaviyarasu, jonathan, mkolman, sbueno, stephent98, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-28 14:02:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
screen shot 1
none
step1.png
none
step2.png
none
anaconda.log
none
syslog
none
packaging.log none

Description lnie 2013-08-27 03:30:18 UTC 
Description of problem:
Do a default insall with DVD,and try to change the installation source ,
nothing happended,even though I changed the source to "http://..."

Version-Release number of selected component (if applicable):
F20-Alpha-TC1

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Steve Tyler 2013-08-27 04:45:34 UTC 
Bug 1001081 - anaconda unable to select INSTALLATION SOURCE (Exception yum.Errors.RepoError...)
Comment 2 lnie 2013-08-28 04:55:16 UTC 
 Add"Steps to Reproduce"here:
 1 do a default install
 2 click into"INSTALLATION Source" and choose
  "on the Network" 
 3 put in an address as show in the "step.png" attachment and click "Done"
 4 Then anaconda went back to hub,with"closest mirror"showed in the INSTALLATION  Source  
 5 click into "INSTALLATION Source" again,the "step2.png" attachment shows what's the problem.
Comment 3 lnie 2013-08-28 04:56:32 UTC 
Created attachment 791253 [details]
screen shot 1
Comment 4 lnie 2013-08-28 04:57:23 UTC 
Created attachment 791254 [details]
step1.png
Comment 5 lnie 2013-08-28 04:57:54 UTC 
Created attachment 791255 [details]
step2.png
Comment 6 lnie 2013-08-28 05:02:58 UTC 
Created attachment 791256 [details]
anaconda.log
Comment 7 lnie 2013-08-28 06:05:46 UTC 
Created attachment 791262 [details]
syslog
Comment 8 lnie 2013-08-28 06:06:35 UTC 
Created attachment 791263 [details]
packaging.log
Comment 9 Steve Tyler 2013-08-28 09:14:41 UTC 
Thanks for the additional attachments. syslog has this avc:

16:30:02,625 NOTICE kernel:[  201.341087] type=1400 audit(1377621002.623:19): avc:  denied  { read write } for  pid=701 comm="hostname" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Comment 10 Steve Tyler 2013-08-28 10:18:18 UTC 
(In reply to Steve Tyler from comment #9)
> Thanks for the additional attachments. syslog has this avc:
> 
> 16:30:02,625 NOTICE kernel:[  201.341087] type=1400
> audit(1377621002.623:19): avc:  denied  { read write } for  pid=701
> comm="hostname" path="/dev/pts/1" dev="devpts" ino=4
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

Opened Bug 1002006 against selinux-policy.
Comment 11 David Shea 2013-08-28 14:02:15 UTC 
The selinux errors are only informative. The installer environment runs in permissive mode.

*** This bug has been marked as a duplicate of bug 1001081 ***
Comment 12 Steve Tyler 2013-08-28 14:18:54 UTC 
You obviously did not read syslog then:

After those eight avcs, firewalld exits:

16:29:59,857 ERR firewalld: 2013-08-27 16:29:59 ERROR: ebtables not usable, disabling ethernet bridge firewall.
16:29:59,875 CRIT firewalld: 2013-08-27 16:29:59 FATAL ERROR: No IPv4 and IPv6 firewall.
16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in run_server

Bug 1002038 - avc: denied { write } for pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir
Comment 13 Steve Tyler 2013-08-28 15:40:30 UTC 
Thanks for reporting this bug, lnie. I had no idea there were so many security issues with the installer DVD until I looked at the syslog you attached:

Bug 1002195 - FATAL ERROR: No IPv4 and IPv6 firewall. during installer DVD boot

Bug 1002038 - avc: denied { write } for pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir
Comment 14 lnie 2013-08-29 03:13:59 UTC 
(In reply to Steve Tyler from comment #13)
> Thanks for reporting this bug, lnie. I had no idea there were so many
> security issues with the installer DVD until I looked at the syslog you
> attached:
> 
> Bug 1002195 - FATAL ERROR: No IPv4 and IPv6 firewall. during installer DVD
> boot
> 
> Bug 1002038 - avc: denied { write } for pid=639 comm="firewalld"
> name="python2.7" dev="dm-0" ino=66860
> scontext=system_u:system_r:firewalld_t:s0
> tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir

 It's really a pleasure and what I should do, Steve.:)
Comment 15 Steve Tyler 2013-08-29 05:02:03 UTC 
(In reply to Steve Tyler from comment #9)
> Thanks for the additional attachments. syslog has this avc:
> 
> 16:30:02,625 NOTICE kernel:[  201.341087] type=1400
> audit(1377621002.623:19): avc:  denied  { read write } for  pid=701
> comm="hostname" path="/dev/pts/1" dev="devpts" ino=4
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

lnie: These are called AVC denials. They mean that SELinux is preventing a command from doing something:
http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security-Enhanced_Linux-Troubleshooting.html

The problem is sometimes caused by file mislabeling, and that appears to be the case here: Bug 1002059, Comment 2.

The "ls -Z" command will show you what the SELinux file labels are for a file:
$ ls -Z /etc/passwd
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

However, Bug 1002006 was an selinux-policy problem.

The SELinux troubleshooter GUI app. is the easiest way to report SELinux problems. It can be started from the command-line with:
$ sealert -b

The installer DVD does not have any SELinux tools, so reading syslog is the only way to find problems with SELinux when the DVD boots, although syslog can be copied to a host and analyzed with:
$ sealert -a syslog | less

A good way to learn more is to read bug reports. You could also add yourself to the CC list for these bugs:
Bug 1002006
Bug 1002035
Bug 1002038
Bug 1002059
Bug 1002195
Comment 16 lnie 2013-08-29 05:11:08 UTC 
okay,thx.