Bug 1151814
| Field | Value |
|---|---|
| Summary | "/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:systemd_networkd_exec_t:s0^" |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 21 |
| Status | CLOSED ERRATA |
| Reporter | Peter H. Jones <jones.peter.busi> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Ben Levenson <benl> |
| CC | bughunt, dwalsh, jones.peter.busi, pasteur |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | selinux-policy-3.13.1-90.fc21 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2014-10-28 21:49:53 UTC |
Description
Peter H. Jones
2014-10-12 04:05:12 UTC
I fixed the vbetool problem.

I see this type in rawhide policy:

```
seinfo -tsystemd_networkd_exec_t -x
   systemd_networkd_exec_t
      file_type
      exec_type
      entry_type
      non_security_file_type
      direct_init_entry
      non_auth_file_type

rpm -q selinux-policy
selinux-policy-3.13.1-85.fc22.noarch
```

It works for me on my F21. What does # yum reinstall selinux-policy

Created attachment 947309 [details]
portion of livecd-creator chroot output

yum reinstall failed because there's no repository available in the livecd-creator chroot. I copied the rpm to INSTALL_ROOT from outside the shell. As this attachment shows, yum reinstall, pointing to this rpm, works normally.
With selinux-policy-targeted-3.13.1-86.fc21.noarch, I get:

rpm --verify selinux-policy-targeted-3.13.1-86.fc21.noarch gives
"missing /etc/selinux/targeted/modules/active/modules/vbetool.pp",
but rpm -ql selinux-policy-targeted-3.13.1-86.fc21.noarch shows it in the list!

grep -n networkd /etc/selinux/targeted/contexts/files/file_contexts^ gives:

```
2284:/var/run/systemd/netif(/.*)? system_u:object_r:systemd_networkd_var_run_t:s0^
5502:/usr/lib/systemd/systemd-networkd -- system_u:object_r:systemd_networkd_exec_t:s0^
5706:/usr/lib/systemd/system/systemd-networkd\.service system_u:object_r:systemd_networkd_unit_file_t:s0^
```

Just before livecd-creator exits to the chroot shell, I now get:
"/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:systemd_networkd_var_run_t:s0".

Furthermore, I need the following .te files to allow me to log in to my custom live build:

```
$ cat kernel0000.te
module kernel0000 0.0.0.0;

require {
	type unconfined_t;
	type kernel_t;
	class process transition;
}

#============= kernel_t ==============
# let a process running in kernel_t transition into the unconfined_t domain
allow kernel_t unconfined_t:process transition;

bash-4.2$ cat login0000.te
module login0000 0.0.0.0;

require {
	type unconfined_t;
	type root_t;
	class file entrypoint;
}

#============= unconfined_t ==============
# let a file labeled root_t serve as the entrypoint executable for unconfined_t
allow unconfined_t root_t:file entrypoint;
```

If I disable either, and try to log out and log in, I get an AVC alert.
If that's a separate bug, I'm willing to file it as such.
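The "has invalid context" message is what libselinux reports when an entry in file_contexts names a type the currently loaded policy does not define, which is exactly the situation when the policy package inside the livecd-creator chroot and the one on the build host are different versions. The following script is an added example for this report, not code from selinux-policy, setools or livecd-tools: it parses file_contexts lines and reports every context whose type is missing from a given set of policy types, or which does not parse as user:role:type[:range] at all. The sample input and the "old policy" type set are constructed for the demonstration (the three systemd-networkd lines are the ones quoted above, minus grep's line-number prefix); the `seinfo -t` output format it assumes is that of the setools versions shipped with Fedora.

```python
"""Cross-check a file_contexts file against the types a policy defines.

Added example for this report; not part of selinux-policy, setools or
livecd-tools. Reports contexts whose type is unknown to the policy or
which do not parse at all.
"""
import re
import subprocess
import sys

# user:role:type with an optional MLS/MCS range. The range class is
# deliberately loose (s0, s0-s0:c0.c1023); the goal is to catch unknown
# types and stray characters, not to validate MLS syntax exhaustively.
CONTEXT_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9_.-]+):(?P<role>[A-Za-z0-9_.-]+):"
    r"(?P<type>[A-Za-z0-9_]+)(?::(?P<range>[A-Za-z0-9_.,:\-]+))?$"
)


def find_invalid_contexts(file_contexts_text, known_types):
    """Return (line_no, pathspec, context, reason) for every entry that is
    malformed or whose type is absent from known_types.

    file_contexts lines look like
        PATHSPEC [FILETYPE] CONTEXT
    where FILETYPE (--, -d, -l, ...) is optional and CONTEXT may be <<none>>.
    """
    problems = []
    for line_no, raw in enumerate(file_contexts_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            problems.append((line_no, line, None, "unexpected field count"))
            continue
        pathspec, context = fields[0], fields[-1]
        if context == "<<none>>":
            continue  # explicitly unlabeled entry, nothing to validate
        m = CONTEXT_RE.match(context)
        if m is None:
            problems.append((line_no, pathspec, context, "context does not parse"))
        elif m.group("type") not in known_types:
            problems.append((line_no, pathspec, context,
                             "type %s not in policy" % m.group("type")))
    return problems


def policy_types_from_seinfo():
    """Collect type names from 'seinfo -t' on the running system.

    Assumption: seinfo prints a header followed by one indented type name
    per line; adjust the regex if your setools formats the list differently.
    """
    out = subprocess.run(["seinfo", "-t"], capture_output=True, text=True,
                         check=True).stdout
    return set(re.findall(r"^\s+([A-Za-z0-9_]+)\s*$", out, re.MULTILINE))


# Constructed sample. The three systemd-networkd entries are the ones quoted
# in the report; the last line carries a stray trailing character to show
# how a context that does not parse is reported.
SAMPLE_FILE_CONTEXTS = r"""# constructed sample file_contexts excerpt
/var/run/systemd/netif(/.*)?  system_u:object_r:systemd_networkd_var_run_t:s0
/usr/lib/systemd/systemd-networkd  --  system_u:object_r:systemd_networkd_exec_t:s0
/usr/lib/systemd/system/systemd-networkd\.service  system_u:object_r:systemd_networkd_unit_file_t:s0
/proc  <<none>>
/usr/bin/bash  --  system_u:object_r:shell_exec_t:s0^
"""

# Constructed: pretend the loaded policy predates the networkd exec/unit types.
OLD_POLICY_TYPES = {"systemd_networkd_var_run_t", "shell_exec_t"}


if __name__ == "__main__":
    if len(sys.argv) == 2:  # real run: check a file against the loaded policy
        with open(sys.argv[1]) as fh:
            text = fh.read()
        types = policy_types_from_seinfo()
    else:                   # offline demo on the constructed sample
        text, types = SAMPLE_FILE_CONTEXTS, OLD_POLICY_TYPES
    for line_no, pathspec, context, reason in find_invalid_contexts(text, types):
        print("line %d: %s -> %s: %s" % (line_no, pathspec, context, reason))
```

Run it with no arguments for the offline demonstration, or with the path of a file_contexts file (for a chroot, the file under INSTALL_ROOT/etc/selinux/targeted/contexts/files/) to compare that file against the policy loaded on the host. Entries reported as "type ... not in policy" mean the file_contexts and the loaded policy come from different policy builds; entries reported as "context does not parse" point at a damaged line rather than a version mismatch.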
selinux-policy-3.13.1-88.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-88.fc21

Package selinux-policy-3.13.1-88.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-88.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-88.fc21
then log in and leave karma (feedback).

I still have the problem with selinux-policy-3.13.1-88.fc21.noarch and selinux-policy-targeted-3.13.1-88.fc21.noarch: missing vbetool and invalid context message.

Package selinux-policy-3.13.1-90.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-90.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
then log in and leave karma (feedback).

Still have the problem with selinux-policy-3.13.1-91.fc21 in a custom live build.
To reiterate:

1. rpm --verify selinux-policy complains about missing vbetool.pp. Also, trying to list the files in rpm -ql selinux-policy shows other missing files. Perhaps these are optional, hence not loaded.

2. In order to boot, I need two .te files. I install these during the build phase. If I disable either, I get a recommendation to reinstall and enable the same .te (diff shows only the name of the .te is different). I don't mind having to add these files, but I'd like to be sure using them would not create a security risk if I give my build to a final user. Here are the files I am using:

kernel0000.te:

```
module kernel0000 0.0.0.0;

require {
	type unconfined_t;
	type kernel_t;
	class process transition;
}

#============= kernel_t ==============
# let a process running in kernel_t transition into the unconfined_t domain
allow kernel_t unconfined_t:process transition;
```

login0000.te:

```
module login0000 0.0.0.0;

require {
	type unconfined_t;
	type root_t;
	class file entrypoint;
}

#============= unconfined_t ==============
# let a file labeled root_t serve as the entrypoint executable for unconfined_t
allow unconfined_t root_t:file entrypoint;
```

3. To build, I used the following FC21 packages on a FC20 system. I think I got an unbootable DVD when I tried to use the FC20 versions, but I will carefully reinstall the FC20 versions and repeat the FC20 test. As this is a new system, I'd like to target FC21.

The FC21's I had were:
python-imgcreate-21.3-1.fc21.x86_64
lorax-21.26-1.fc21.x86_64
syslinux-extlinux-nonlinux-6.03-1.fc21.noarch
syslinux-6.03-1.fc21.x86_64
pykickstart-1.99.63-2.fc21.noarch
syslinux-extlinux-6.03-1.fc21.x86_64
livecd-tools-21.3-1.fc21.x86_64
syslinux-nonlinux-6.03-1.fc21.noarch
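The question in point 2 (whether shipping these audit2allow-generated modules is a risk) is best answered by looking at what the rules grant. The first lets kernel_t enter the unconfined_t domain; the second makes any file labeled root_t a valid entrypoint for unconfined_t. root_t is the type of the filesystem root directory, so an executable carrying it has inherited its parent directory's label instead of being labeled from file_contexts, which is a symptom of an incomplete relabel of the image rather than of a missing policy rule. The linter below is an added example, not code from the report, audit2allow or selinux-policy: it parses the allow rules of a .te module and reports those that widen a privileged domain or bless a fallback file label as an entrypoint. The watch lists and the sample module (the two modules above plus one ordinary rule that should pass) are constructed for the demonstration.

```python
"""Lint allow rules in an audit2allow-generated .te module.

Added example for this report; not part of selinux-policy, audit2allow or
the reporter's build. Reports rules that transition into a privileged
domain or make a fallback file label an entrypoint.
"""
import re

# One allow rule per match: a single permission or a { braced list }.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;",
    re.MULTILINE,
)

# Constructed watch lists for the demonstration; extend them for your policy.
PRIVILEGED_DOMAINS = {"unconfined_t", "kernel_t"}
FALLBACK_FILE_TYPES = {"root_t", "default_t", "unlabeled_t", "file_t"}


def parse_allow_rules(te_text):
    """Return (source, target, class, perms) tuples for each allow rule."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        if m.group("perms") is not None:
            perms = tuple(m.group("perms").split())
        else:
            perms = (m.group("perm"),)
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def lint_rules(rules):
    """Return (rule_text, explanation) for every rule worth a second look."""
    findings = []
    for src, tgt, cls, perms in rules:
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
        if cls == "process" and "transition" in perms and tgt in PRIVILEGED_DOMAINS:
            findings.append((rule, "lets %s enter the privileged domain %s" % (src, tgt)))
        if cls == "file" and "entrypoint" in perms and tgt in FALLBACK_FILE_TYPES:
            findings.append((rule,
                             "makes every %s-labeled file a valid entrypoint for %s; "
                             "the executable is probably mislabeled, relabel it with "
                             "restorecon instead of keeping this rule" % (tgt, src)))
    return findings


# Constructed sample: the two modules from the report concatenated, plus one
# ordinary rule that should pass the checks.
SAMPLE_TE = """
module kernel0000 0.0.0.0;
require {
    type unconfined_t;
    type kernel_t;
    class process transition;
}
allow kernel_t unconfined_t:process transition;

module login0000 0.0.0.0;
require {
    type unconfined_t;
    type root_t;
    class file entrypoint;
}
allow unconfined_t root_t:file entrypoint;

allow httpd_t httpd_log_t:file { append create getattr };
"""

if __name__ == "__main__":
    for rule, why in lint_rules(parse_allow_rules(SAMPLE_TE)):
        print(rule)
        print("    ", why)
```

Running it on the sample reports both of the posted rules and passes the httpd rule. For the real image, the useful follow-up is to find which file the entrypoint denial was about in the audit log and check its label with ls -Z; if it carries root_t, relabeling the image removes the need for login0000.te altogether.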
Created attachment 950727 [details]
see comment 9, point 1.

Created attachment 950728 [details]
audit.log resulting in kernel0000.te file for comment 9, point 2.

Created attachment 950729 [details]
audit.log resulting in login0000.te

Tried building on a FC20 system. In other words:
python-imgcreate-21.3-1.fc21.x86_64 was replaced with python-imgcreate-20.5-1.fc20.x86_64
lorax-21.26-1.fc21.x86_64 was replaced with lorax-20.5-1.fc20.x86_64
syslinux-extlinux-nonlinux-6.03-1.fc21.noarch was replaced with (nothing)
syslinux-6.03-1.fc21.x86_64 was replaced with syslinux-4.05-7.fc20.x86_64
pykickstart-1.99.63-2.fc21.noarch was replaced with pykickstart-1.99.48-1.fc20.noarch
syslinux-extlinux-6.03-1.fc21.x86_64 was replaced with syslinux-extlinux-4.05-7.fc20.x86_64
livecd-tools-21.3-1.fc21.x86_64 was replaced with livecd-tools-20.5-1.fc20.x86_64
syslinux-nonlinux-6.03-1.fc21.noarch was replaced with (nothing)
When I tried to boot the resulting DVD image, I got an ISOLINUX 6.03 identification message, followed by a "Failed to load ldlinux.c32". I also got the invalid contexts message.

selinux-policy-3.13.1-90.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

On an EC2 instance:

```
$ rpm --verify selinux-policy-targeted-3.13.1-103.fc21.noarch
missing /etc/selinux/targeted/modules/active/modules/vbetool.pp
```