Bug 1061064
| Summary: | Policy for ostree - needs mac_admin | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Colin Walters <walters> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dominick.grift, dustymabe, dwalsh, james.antill, lvrabec, mattdm, mgrepl, walters |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-03-27 07:02:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Colin Walters
2014-02-04 10:31:41 UTC
Yes, we will need to create a policy and allow mac_admin for it. If you label your binaries as livecd_exec_t does everything work? (In reply to Daniel Walsh from comment #2) > If you label your binaries as livecd_exec_t does everything work? It appears to work as is (run as unconfined_t) - except it will just blow up if an upgrade includes *new* labels not known by current policy =/ Is livecd_t already unconfined? I need something that's like rpm_t except also with mac_admin. Yes livecd_t is just an unconfined domain that will not transition and is allowed to put down "bad" labels. Colin, you you test it with the latest rawhide build together with install_exec_t label? (In reply to Miroslav Grepl from comment #5) > Colin, > you you test it with the latest rawhide build together with install_exec_t > label? That appears to work fine. Also, can we give /usr/bin/rpm-ostree the same label? Thanks! As a user who hit this I'd like to copy some of the error output here so that others might find this bug and thus a solution/workaround sooner. The error I was seeing was the following: [root@localhost yum.repos.d]# rpm -q ostree ostree-2014.5.39.gd5e813c-3.fc22.x86_64 [root@localhost yum.repos.d]# ostree pull dustyserver fedora-atomic/rawhide/x86_64/base/core error: fsetxattr: Invalid argument I was pointed[1] to this bug and also told to workaround by disabling selinux temporarily, which worked fine. [1] - https://mail.gnome.org/archives/ostree-list/2014-July/msg00006.html Note that some SELinux policy versions may have install_t but *not* have a domain transition from unconfined_t -> (install_exec_t) -> install_t. If that's the case, a cleaner workaround that does not involve full permissive mode is: # runcon -r system_r -t install_t rpm-ostree upgrade Strange that we have the transition rule in fedora but not in rhel. (In reply to Daniel Walsh from comment #9) > Strange that we have the transition rule in fedora but not in rhel. Do we need this in rhel? I am "playing" with the centos Atomic image (unreleased) from [1] and I just hit this: -bash-4.2# rpm-ostree upgrade Updating from: centos-atomic-host:centos/7/atomic/x86_64/cloud-docker-host Receiving objects: 13% (649/4806) 409.7 kB/s 17.2 MB error: fsetxattr: Invalid argument [1] - http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-AtomicHost-20150228_01.qcow2.xz What does rpm -q selinux-policy-targeted |