Bug 1333952
| Summary: | Wrong SELinux label on /etc/group after installation | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Brian Lane <bcl> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Stefan Dordevic <sdordevi> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | bcl, lcapitulino, lvrabec, mgrepl, mmalik, plautrba, pvrabec, sdordevi, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-72.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 02:28:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Brian Lane
2016-05-06 19:00:33 UTC
Created attachment 1154729
journalctl output while trying to sudo
Here's a journalctl log with selinux permissive, trying to sudo. Also includes setting it to permissive without reboot, and finally adding user to /etc/sudoers.
Running restorecon -rv /etc changes /etc/group from :shadow_t to :passwd_file_t.

It's probably an already reported and fixed problem in lorax - https://bugzilla.redhat.com/show_bug.cgi?id=1332147 Please try the latest compose where it should be fixed.

Created attachment 1156249
restorecon -rv / output
No, this is a different problem. Login works fine and most of the filesystem is labeled correctly.

Note: The cause of this bug is probably the same as for https://bugzilla.redhat.com/show_bug.cgi?id=1334800

*** Bug 1334800 has been marked as a duplicate of this bug. ***

This is related to the change in selinux requiring /etc/selinux/config to exist. The current lorax sets this up in the installer environment, which has fixed most of the problems people were seeing (no login to new system, for example).

I ran some tests today and if I create an empty /mnt/sysimage/etc/selinux/config in a kickstart %pre-install section (this runs right before package installation) then /etc/group has the correct label. If I run a restorecon on the new system it still fixes/complains about all the *other* entries in comment 5 as well as the /etc/selinux/config file. Everything else is ok.

I'm not sure why selinux acts this way, but given that it almost gets it all correct I think the fix lies with selinux, not Anaconda. Note that anaconda has no control over the order of package installation, and that selinux-policy is the 177th package installed. /etc/group is installed by setup, which is the 3rd package installed.

Created attachment 1157401
packaging.log
Packages installed and their order.
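
An added example, not part of the original bug report: a read-only way to summarise which files `restorecon` would relabel, so a mislabel such as /etc/group carrying shadow_t stands out after installation. The function names and the sample lines are constructed for illustration; both `restorecon -v` output styles (older and newer) are parsed.

```sh
#!/bin/sh
# Added example: list the SELinux type changes that `restorecon -v` reports.
# Function names and sample lines are constructed for illustration.

# Constructed sample covering both output styles restorecon has used:
# older "restorecon reset PATH context OLD->NEW" and newer
# "Relabeled PATH from OLD to NEW".
SAMPLE_OUTPUT='restorecon reset /etc/group context system_u:object_r:shadow_t:s0->system_u:object_r:passwd_file_t:s0
restorecon reset /etc/selinux/config context system_u:object_r:etc_t:s0->system_u:object_r:selinux_config_t:s0
Relabeled /etc/group from system_u:object_r:shadow_t:s0 to system_u:object_r:passwd_file_t:s0
restorecon: unrelated diagnostic line'

# Read restorecon -v output on stdin; print "PATH OLD_TYPE NEW_TYPE" per
# relabel. Paths containing spaces are not handled.
label_changes() {
    awk '
        # The type is the third colon-separated field of a context.
        function seltype(ctx,    f) { split(ctx, f, ":"); return f[3] }
        $1 == "restorecon" && $2 == "reset" && $4 == "context" {
            if (split($5, c, "->") == 2)
                print $3, seltype(c[1]), seltype(c[2])
            next
        }
        $1 == "Relabeled" && $3 == "from" && $5 == "to" {
            print $2, seltype($4), seltype($6)
        }
    '
}

# Keep only paths whose current (wrong) type equals $1, for example
# shadow_t, the label /etc/group carried in this report.
mislabeled_as() {
    awk -v t="$1" '$2 == t { print $1 }' | sort -u
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | label_changes

# On an installed system, -n makes restorecon report without relabeling:
#   restorecon -Rnv /etc 2>&1 | label_changes
```
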

Thanks for the investigation. Indeed, it's a missing fix in the selinux-policy.spec file - http://pkgs.fedoraproject.org/cgit/rpms/selinux-policy.git/commit/?id=19cd06ec8a0214a9dc09ca80ae3c757b2b7e248d This commit needs to be backported.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html