Bug 162452
| Field | Value |
|---|---|
| Summary | sudo gives Tons of errors after disabling SELinux |
| Product | [Fedora] Fedora |
| Component | libselinux |
| Version | 4 |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | low |
| Priority | medium |
| Reporter | Luis A. Florit <cacho96> |
| Assignee | Daniel Walsh <dwalsh> |
| CC | n3npq, nobody+pnasrat |
| Doc Type | Bug Fix |
| Last Closed | 2006-01-06 15:46:46 UTC |

Description
Luis A. Florit
2005-07-05 02:07:15 UTC
This looks like rpm is not checking if SELinux is enabled? Well, I know nothing about SELinux, but it appears to behave like so. I have another almost identical machine that I installed without SELinux from the beginning, and it works perfectly. This is important: the same operation when done by a local user (in particular, with a standard $HOME) gives no error.

rpm performs this check to see if SELinux is enabled:

    ts->selinuxEnabled = is_selinux_enabled();

AFAIK, that is still the libselinux API to be used.

    ts->selinuxEnabled = is_selinux_enabled() > 0;

should be used.

Bzzzt! Why? Every usage of ts->selinuxEnabled checks for > 0, the variable contains exactly (the non-boolean) value returned from libselinux. "Tons of errors" after an upgrade to a broken policy package is the problem, not rpm.

Ok, but rpm should not be calling matchpathcon if selinux is disabled.

Bzzzt! Then file a different bug. The intent was to permit verification of file context policy against installed selinux xattrs with selinux disabled for QA purposes. That was successfully and correctly implemented. The addition of matchpathcon for MLS purposes has been imperfectly implemented in the Red Hat rpm. Which is why the patch is not upstream.

The bug in setrans which you are referring to has been fixed. What other part of matchpathcon is broken?

If the underlying cause of "tons of errors" is the "bug in setrans", then this bug should be closed. If matchpathcon() should not be called if selinux is disabled, then another bug should be added against rpm, as that is not the current behavior (nor was it the original implementation intent) in rpm afaik.