Bug 1531858
| Summary: | On fully upgraded F27, can't install container-selinux | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robin Powell <rlpowell> |
| Component: | container-selinux | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | amurdaca, dwalsh, fkluknav, jchaloup, jlebon, lsm5 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | container-selinux-2.40-1.fc26 container-selinux-2.42-1.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-01-23 21:17:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in container-selinux-2.38-1.fc27

Not for me. Downloaded the noarch from https://koji.fedoraproject.org/koji/buildinfo?buildID=1013878 and:

rlpowell@vrici> sudo dnf reinstall ./container-selinux-2.38-1.fc27.noarch.rpm
Last metadata expiration check: 2:07:28 ago on Sat 06 Jan 2018 08:06:25 AM PST.
Dependencies resolved.
================================================================================
 Package               Arch      Version           Repository          Size
================================================================================
Reinstalling:
 container-selinux     noarch    2:2.38-1.fc27     @commandline        36 k
Transaction Summary
================================================================================
Total size: 36 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                   1/1
  Reinstalling     : container-selinux-2:2.38-1.fc27.noarch            1/2
  Running scriptlet: container-selinux-2:2.38-1.fc27.noarch            1/2
Child type container_t exceeds bounds of parent container_runtime_t
(allow container_t console_device_t (chr_file (read)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1193
(allow container_domain console_device_t (chr_file (ioctl read write getattr lock append)))
(allow container_t tty_device_t (chr_file (ioctl read write lock append)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1192
(allow container_domain tty_device_t (chr_file (ioctl read write getattr lock append)))
(allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1189
(allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))

(that last output is incomplete; I didn't figure it mattered)

Nope, I will fix it in next release

Fixed in container-selinux-2.39-1.fc27

container-selinux-2.39-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2

container-selinux-2.39-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9

Robin, this time I tried it out on my F27 box with unconfined disabled and it installed ok.

Confirmed, thanks!

Hmm. Let me know if you want me to open a new bug for this, but:

rlpowell@vrici> sudo semanage dontaudit off
Child type container_t exceeds bounds of parent container_runtime_t
(allow container_t user_devpts_t (chr_file (open)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1199
(allow container_domain user_devpts_t (chr_file (ioctl read write getattr lock append open)))
Failed to generate binary
OSError: [Errno 0] Error

container-selinux-2.39-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2

Robin, you got that after the update?

container-selinux-2.39-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9

Yes, that was after sudo dnf install ./container-selinux-2.39-1.fc27.noarch.rpm

Weird that the first compile/install did not find it. I did see a boolean that would allow this access

daemons_use_tty --> off

Fixed in container-selinux-2.40-1

container-selinux-2.41-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3

container-selinux-2.40-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd

Confirmed. Thank you!

container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd

container-selinux-2.41-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3

container-selinux-2.42-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1

container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1

container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Starting state:

rlpowell@vrici> sudo dnf list installed '*selinux*'
Installed Packages
container-selinux.noarch           2:2.37-1.fc27         @updates
libselinux.x86_64                  2.7-3.fc27            @updates
libselinux-devel.x86_64            2.7-3.fc27            @updates
libselinux-python.x86_64           2.7-3.fc27            @updates
libselinux-python3.x86_64          2.7-3.fc27            @updates
libselinux-ruby.x86_64             2.7-3.fc27            @updates
libselinux-utils.x86_64            2.7-3.fc27            @updates
rpm-plugin-selinux.x86_64          4.14.0-2.fc27         @fedora
selinux-policy.noarch              3.13.1-283.19.fc27    @updates
selinux-policy-devel.noarch        3.13.1-283.19.fc27    @updates
selinux-policy-doc.noarch          3.13.1-283.19.fc27    @updates
selinux-policy-targeted.noarch     3.13.1-283.19.fc27    @updates

This host has unconfined disabled. And:

rlpowell@vrici> sudo dnf reinstall container-selinux.noarch
Last metadata expiration check: 1:39:47 ago on Fri 05 Jan 2018 10:33:43 PM PST.
Dependencies resolved.
================================================================================
 Package               Arch      Version           Repository          Size
================================================================================
Reinstalling:
 container-selinux     noarch    2:2.37-1.fc27     updates             36 k
Transaction Summary
================================================================================
Total download size: 36 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.37-1.fc27.noarch.rpm            66 kB/s |  36 kB     00:00
--------------------------------------------------------------------------------
Total                                               32 kB/s |  36 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                   1/1
  Reinstalling     : container-selinux-2:2.37-1.fc27.noarch            1/2
  Running scriptlet: container-selinux-2:2.37-1.fc27.noarch            1/2
Child type container_t exceeds bounds of parent container_runtime_t
Child type container_t exceeds bounds of parent container_runtime_t
(allow container_t container_file_t (chr_file (map execute)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1284
(allow container_t container_file_t (chr_file (ioctl read getattr map execute open)))
(allow container_t console_device_t (chr_file (read)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1191
(allow container_domain console_device_t (chr_file (ioctl read write getattr lock append)))
(allow container_t tty_device_t (chr_file (ioctl read write lock append)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1190
(allow container_domain tty_device_t (chr_file (ioctl read write getattr lock append)))
(allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1187
(allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))
(allow container_t svirt_tcg_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t svirt_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t uml_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t telnetd_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t sandbox_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t rssh_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t rlogind_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t rhgb_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t pppd_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t openfortivpn_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t nx_server_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t ipsec_mgmt_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t games_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
(allow container_t ajaxterm_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
Failed to generate binary
/usr/sbin/semodule: Failed!
  Erasing          : container-selinux-2:2.37-1.fc27.noarch            2/2
  Running scriptlet: container-selinux-2:2.37-1.fc27.noarch            2/2
  Verifying        : container-selinux-2:2.37-1.fc27.noarch            1/2
  Verifying        : container-selinux-2:2.37-1.fc27.noarch            2/2
Reinstalled:
  container-selinux.noarch 2:2.37-1.fc27
Complete!
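
For triaging output like the semodule errors quoted in this report, the following added example (not part of the bug report or of container-selinux) parses the "exceeds bounds" records into structured data, resolving `<See previous>` back-references. The function names are hypothetical, and it assumes the first rule in each record lists the permissions the child type holds beyond its parent.

```python
import re

# Sample excerpted from the 2.37-1.fc27 scriptlet output in this report.
SAMPLE = """\
Child type container_t exceeds bounds of parent container_runtime_t
(allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1187
(allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))
(allow container_t svirt_tcg_devpts_t (chr_file (ioctl read write lock append)))
<See previous>
Failed to generate binary
"""

# One alternation per record element, so flattened (single-line) logs parse too.
TOKEN = re.compile(
    r"Child type (?P<child>\S+) exceeds bounds of parent (?P<parent>\S+)"
    r"|allow at (?P<path>\S+):(?P<lineno>\d+)"
    r"|\(allow (?P<src>\S+) (?P<tgt>\S+) \((?P<cls>\S+) \((?P<perms>[^)]*)\)\)\)"
    r"|(?P<prev><See previous>)"
)

def parse_bounds_errors(text):
    """Return one dict per child rule reported as exceeding the parent's bounds."""
    out, child, parent, want_origin = [], None, None, False
    for m in TOKEN.finditer(text):
        if m["child"]:
            child, parent, want_origin = m["child"], m["parent"], False
        elif m["path"] and out:
            out[-1]["cil"], want_origin = (m["path"], int(m["lineno"])), True
        elif m["prev"] and len(out) > 1:      # reuse the previous record's origin
            out[-1]["cil"], out[-1]["origin"] = out[-2]["cil"], out[-2]["origin"]
        elif m["src"]:
            rule = (m["src"], m["tgt"], m["cls"], tuple(m["perms"].split()))
            if want_origin:                   # rule printed after "allow at"
                out[-1]["origin"], want_origin = rule, False
            else:                             # start of a new violation record
                out.append({"child": child, "parent": parent,
                            "excess": rule, "cil": None, "origin": None})
    return out

def excess_by_target(records):
    """Map (target type, class) -> permissions flagged for the child type."""
    summary = {}
    for r in records:
        _, tgt, cls, perms = r["excess"]
        summary.setdefault((tgt, cls), set()).update(perms)
    return summary

if __name__ == "__main__":
    print(excess_by_target(parse_bounds_errors(SAMPLE)))
```
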