Bug 1513720
Summary: | SELinux is preventing abrt-action-lis from 'map' accesses on the archivo /var/lib/rpm/Basenames. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Rubén <rlledo> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 27 | CC: | artemio.silva, as.maps, c.crispino8611, drusek, dwalsh, edosurina, garrett.figueroa, ianpas78, igor.raits, i, klier.daniel.19, lvrabec, matt.fagnani, mdipperstein, mgrepl, mithrial, mjw, packaging-team-maint, peter, plautrba, pmatilai, pmoravco, przemek, rapidlinq, sergei.for.dev, tpkc2003, utrescu, vmukhame |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:6c5b81c9f4747d9f6af192243c3e20b8131b91990dfc4d8b8edc7e36f3a565a5;VARIANT_ID=workstation; | ||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-11-30 22:50:08 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Rubén
2017-11-15 20:42:42 UTC
Hi rpm team, Is there any change how Basenames file is created or created in other path and then moved to /var/lib/rpm/ ? These is a wrong label for this file so we need to know how is this file created. Thanks, Lukas. Description of problem: Opennig different programs Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.13.13-300.fc27.x86_64 type: libreport I dont think creation of initial db has changed in any way, but --rebuilddb operates quite differently now: it replaces the entire /var/lib/rpm directory instead of moving individual db files around from a rebuild directory. The new db gets created in /var/lib/rpmrebuilddb.<pid> (as it always was), I think there even used to be a policy for that but it only never worked right, probably because /usr/bin/rpmdb (which is the executable that actually does the db rebuild) has just a generic bin_t context: [root@sopuli ~]# ls -lZ /usr/bin/rpmdb -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 15976 Nov 1 15:40 /usr/bin/rpmdb *** Bug 1519249 has been marked as a duplicate of this bug. *** Panu, Could you do following: # semanage fcontext -a -t rpm_exec_t /usr/bin/rpmdb Then try to do rebuild and see if label for /var/lib/rpm/Basenames is right one? Thanks, Lukas. Nope, doesn't help. I think somebody in a related bug said it did, but at least in F27 it doesn't. But... looking closer at that rebuilddb context rule, this doesn't seem right, and certainly doesn't do anything: /var/lib/rpmrebuilddb.*(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ^^ The rebuilddb directory path is /var/lib/rpmrebuilddb.<pid>, and the above is trying to match two or more characters where there only is one '.', which would explain why the above rule doesn't seem to do anything at all. Is there a way to try that without rebuilding the whole selinux-policy? You can try this: # semanage fcontext -a -t rpm_var_lib_t "/var/lib/rpmrebuilddb(/.*)?" But I afraid it won't help. But try it please. Description of problem: After typing "dnf history list". dnf-automatic install timer was enabled and running: $ sudo systemctl list-timers [sudo] password for ruben: NEXT LEFT LAST PASSED UNIT ACTIVATES Sat 2018-01-13 22:32:59 CET 26min left Sat 2018-01-13 21:32:55 CET 33min ago dnf-makecache.timer dnf-makeca Sun 2018-01-14 00:00:00 CET 1h 53min left Sat 2018-01-13 00:00:00 CET 22h ago unbound-anchor.timer unbound-an Sun 2018-01-14 20:37:41 CET 22h left Sat 2018-01-13 20:37:41 CET 1h 28min ago systemd-tmpfiles-clean.timer systemd-tm n/a n/a Sat 2018-01-13 21:22:42 CET 43min ago dnf-automatic-install.timer dnf-automa 4 timers listed. Pass --all to see loaded but inactive timers, too. sudo dnf check-update Última comprobación de caducidad de metadatos hecha hace 1:34:02, el sáb 13 ene 2018 20:32:52 CET. Security: kernel-core-4.14.13-300.fc27.x86_64 is an installed security update Security: kernel-core-4.14.11-300.fc27.x86_64 is the currently running version ruben ~ sudo dnf history list Traceback (most recent call last): File "/bin/dnf", line 58, in <module> main.user_main(sys.argv[1:], exit_code=True) File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 179, in user_main errcode = main(args) File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 64, in main return _main(base, args, cli_class, option_parser_class) File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 99, in _main return cli_run(cli, base) File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 115, in cli_run cli.run() File "/usr/lib/python3.6/site-packages/dnf/cli/cli.py", line 1014, in run return self.command.run() File "/usr/lib/python3.6/site-packages/dnf/cli/commands/__init__.py", line 971, in run ret = self.output.historyListCmd(self.transaction_ids) File "/usr/lib/python3.6/site-packages/dnf/cli/output.py", line 1479, in historyListCmd tids = self._history_list_transactions(extcmds) File "/usr/lib/python3.6/site-packages/dnf/cli/output.py", line 1441, in _history_list_transactions old = self.history.last() File "/usr/lib/python3.6/site-packages/dnf/yum/history.py", line 1313, in last ret = self.old([], 1, complete_transactions_only) File "/usr/lib/python3.6/site-packages/dnf/yum/history.py", line 1262, in old executeSQL(cur, sql, params) File "/usr/lib/python3.6/site-packages/dnf/yum/sqlutils.py", line 167, in executeSQLQmark return cursor.execute(query) sqlite3.OperationalError: database is locked Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.14.11-300.fc27.x86_64 type: libreport *** Bug 1542804 has been marked as a duplicate of this bug. *** *** Bug 1539377 has been marked as a duplicate of this bug. *** *** Bug 1539605 has been marked as a duplicate of this bug. *** *** Bug 1540820 has been marked as a duplicate of this bug. *** *** Bug 1542776 has been marked as a duplicate of this bug. *** *** Bug 1482354 has been marked as a duplicate of this bug. *** (In reply to Lukas Vrabec from comment #7) > You can try this: > > # semanage fcontext -a -t rpm_var_lib_t "/var/lib/rpmrebuilddb(/.*)?" > > But I afraid it won't help. But try it please. No it doesn't. And now that I think of it, somebody in some related bug didn't say *that* would fix it, but had some other slightly more complicated thing that did. Only I can't find the bug now :( However I believe it had to do with what dwalsh says here: https://bugzilla.redhat.com/show_bug.cgi?id=1167946#c13 - the unconfined_t -> rpm_t transition is missing and apparently the fix never made it anywhere. *** Bug 1544100 has been marked as a duplicate of this bug. *** Description of problem: Open file manager Version-Release number of selected component: selinux-policy-3.13.1-260.8.fc26.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.3-300.fc27.x86_64 type: libreport Description of problem: Upon installation of Fedora Workstation 27 I already had working distro (OpenSUSE 42.2) installed. I did not use selinux in that installation (OpenSUSE). In OpenSUSE I had (and in Fedora I still have) a distinct partition for /home directory. I did not format /home partition upon installation of Fedora Workstation 27. After install I had to chcon /home, and /home/<user-name> in order SDDM to login and to eliminate "logging with / as home" in console. Now I receive sealert a couple of times a day about some directories in ~/.local even though I did chcon for these directories and restorecon as SELinux Alert Browser suggested, Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.14-300.fc27.x86_64 type: libreport *** Bug 1630496 has been marked as a duplicate of this bug. *** This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |