Bug 185475

Summary: system-install-packages won't install unsigned packages
Product: [Fedora] Fedora
Reporter: David Bentley <david.r.bentley>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, schwandter+bugs
Hardware: All   
OS: Linux   
Last Closed: 2006-05-09 12:52:50 UTC
Attachments:
  script_op.txt (flags: none)
  script output for realplayer (flags: none)

Description David Bentley 2006-03-14 23:53:40 UTC
Description of problem:
Double click on a downloaded package (e.g. AdobeReader_enu-7.0.5-1.i386.rpm),
supply the root password when prompted and then click apply. Dependencies are
resolved and you get a message saying that the package is not signed, with the
option to see details; you also get the option to install anyway or cancel.
Doing either results in the package not being installed, although install anyway
appears to go through the motions and presents a dialogue box saying installed
successfully when nothing has actually been done.

Version-Release number of selected component (if applicable):
pirut-1.0.1-1


How reproducible:
always

Steps to Reproduce:
see description
Actual results:


Expected results:
installation of package

Additional info:

Comment 1 David Bentley 2006-03-15 00:04:31 UTC
The package in question is installable via rpm -i or yum localinstall (if
package signing is temporarily turned off).

Comment 2 David Bentley 2006-03-15 00:42:03 UTC
checked /var/log/yum.log and there is an entry for each attempted install when
install anyway was clicked.

Mar 14 23:31:05 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:35:52 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:39:52 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:56:34 Installed: AdobeReader_enu.i386 7.0.5-1

So what is install packages actually doing, as no evidence could be found for
anything having been written to disk (I checked in the place where it was
installed by the rpm -i method on another system and no sign of anything).

NB it actually gets installed in /usr/local/Adobe with rpm -i


Comment 3 David Bentley 2006-03-15 12:33:55 UTC
It was rather late when I found this issue last night so I will test further
when I get home from work. First I will see if I can get
system-install-packages to install a signed package by double clicking it, and
if this doesn't work either I will re-boot with enforcing=0 and test again to
see if it is an selinux compatibility issue.

I will post results of further testing about 19:30 GMT. 

Comment 4 David Bentley 2006-03-15 19:37:15 UTC
If you double click the manually downloaded package
gnome-backgrounds-2.14.0-1.noarch.rpm system-install-packages complains unable
to verify and if you open details it says that the required public key is not
installed so install anyway and it works. Doing the same for
AdobeReader_enu-7.0.5-1.i386.rpm you get the same unable to verify message and
if you open details it says Package AdobeReader_enu-7.0.5-1.i386.rpm is not
signed and clicking install anyway goes through the motions but nothing is
installed.

If you re-boot with enforcing=0 you get all the same dialogues but this time the
unsigned package gets installed properly.

So there is an issue with pirut installing unsigned packages when selinux is
active (policy-targeted)

Comment 5 David Bentley 2006-03-15 19:49:45 UTC
Oh, and another minor cosmetic hitch.
If you use add/remove software to remove something it actually tells you it has
installed it successfully. So if one dialogue is used for both installing and
removal, how about it saying "software changes made successfully"?

Comment 6 Jeremy Katz 2006-03-16 05:14:05 UTC
SELinux shouldn't really impact anything at all as far as enabling/disabling
unsigned packages.  I'm wondering if there's something stupid about the package
which is causing a scriptlet error when done from pirut

Are there any error messages in your X session log or any AVC messages?

Comment 7 David Bentley 2006-03-16 11:24:33 UTC
I will do some more testing tonight when I get home from work.
I will try launching system-install-packages from a terminal and pass the
package name on the command line, if this is possible, and see what output is
shown here as well if I can. I will also check other logs and report my
findings later this evening (by about 20:00 GMT).

Comment 8 David Bentley 2006-03-16 21:00:01 UTC
when system-install-packages is run in a terminal window with selinux active 

system-install-packages AdobeReader_enu-7.0.5-1.i386.rpm

the following output is seen :-

AdobeReader_enu-7.0.5-1.i386.rpm
error: %pre(AdobeReader_enu-7.0.5-1.i386) scriptlet failed, exit status 255
error:   install: %pre scriptlet failed (2), skipping AdobeReader_enu-7.0.5-1

and when run with enforcing=0 at boot all that is seen is as follows :-

AdobeReader_enu-7.0.5-1.i386.rpm

nothing shows up in any log that I can find.

So it would seem that when you attempt to install this package with selinux on
using system-install-packages there is a problem.

But doing a yum localinstall with selinux on works. See following :-

(echo config gpgcheck 0; echo localinstall AdobeReader_enu-7.0.5-1.i386.rpm;
echo run) > yum-cmd
yum shell yum-cmd
Loading "installonlyn" plugin
Setting up Yum Shell
Setting up Local Package Process
Examining AdobeReader_enu-7.0.5-1.i386.rpm: AdobeReader_enu - 7.0.5-1.i386
Marking AdobeReader_enu-7.0.5-1.i386.rpm to be installed
Setting up repositories
development                                                          [1/2]
development               100% |=========================| 1.1 kB    00:00
extras-development                                                   [2/2]
extras-development        100% |=========================| 1.1 kB    00:00
Reading repository metadata in from local files
--> Populating transaction set with selected packages. Please wait.
---> Package AdobeReader_enu.i386 0:7.0.5-1 set to be updated
--> Running transaction check

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 AdobeReader_enu         i386       7.0.5-1         
AdobeReader_enu-7.0.5-1.i386.rpm   94 M

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 94 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: AdobeReader_enu              ######################### [1/1]

Installed: AdobeReader_enu.i386 0:7.0.5-1
Finished Transaction
Leaving Shell

all done after issuing su to become root.

Comment 9 Jeremy Katz 2006-03-16 21:11:02 UTC
There's definitely a scriptlet there doing something that perhaps it shouldn't.

Can you provide the output of rpm -qp --scripts on the package?

Comment 10 David Bentley 2006-03-17 09:36:30 UTC
Created attachment 126268
script_op.txt

Output from rpm -qp --scripts AdobeReader_enu-7.0.5-1.i386.rpm as requested

Comment 11 David Bentley 2006-03-17 09:39:32 UTC
Attachment created with output as requested, see comment #10

Comment 12 David Bentley 2006-03-22 11:38:57 UTC
Another package that system-install-packages has a problem with is realplayer.
Although it installs the files, the post install script fails. It installs OK
with RPM -i though.

output from running system-install-packages in a terminal.

system-install-packages RealPlayer-10.0.6.776-20050915.i586.rpm
RealPlayer-10.0.6.776-20050915.i586.rpm
error: %post(RealPlayer-10.0.6.776-20050915.i586) scriptlet failed, exit status 255

I will attach the output of rpm -qp --scripts for info.

Comment 13 David Bentley 2006-03-22 11:44:31 UTC
Created attachment 126467
script output for realplayer

Comment 14 Jeremy Katz 2006-04-12 15:51:20 UTC
Aha, this is a policy bug.  Policy fix is
--- serefpolicy-2.2.30/policy/modules/admin/rpm.fc.foo  2006-04-12
11:50:46.000000000 -0400
+++ serefpolicy-2.2.30/policy/modules/admin/rpm.fc      2006-04-12
11:51:44.000000000 -0400
@@ -15,6 +15,7 @@
 /usr/bin/fedora-rmdevelrpms    --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/pirut                        --     
gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/pup                  --      gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/system-install-packages      --     
gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check            --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date              --      gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
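
Review bot: The added /usr/sbin/system-install-packages entry sits between pup and rhn_check, which breaks the alphabetical order the neighbouring /usr/sbin entries otherwise follow; placing it between rhn_check and up2date would keep the list sorted. An rpm.fc entry also only takes effect when a file is installed or relabelled, so a binary already on disk keeps its old type until that happens, and the change description should say so (the chcon command below covers that case by hand). The closing ') in the trailing context shows this list sits inside a conditional block, so it is worth confirming that the condition holds on every build that ships system-install-packages.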


You can fix your system with
  chcon system_u:object_r:rpm_exec_t:s0 /usr/sbin/system-install-packages
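
A way to check the labels that the policy fix in comment 14 is about, as an added example that is not part of the original thread or of the Fedora policy sources. The function names, the constructed sample data and the sbin_t type used for the unfixed binary are assumptions; the paths are the ones listed in the rpm.fc hunk.

```shell
#!/bin/sh
# Added example (not from the bug thread): flag RPM front-ends whose SELinux
# type is not rpm_exec_t. Input is one "<context> <path>" pair per line, the
# format printed by:  stat -c '%C %n' FILE...

EXPECTED_TYPE=rpm_exec_t

# Paths copied from the rpm.fc hunk in comment 14.
FRONTENDS="/usr/bin/fedora-rmdevelrpms /usr/sbin/pirut /usr/sbin/pup
/usr/sbin/system-install-packages /usr/sbin/rhn_check /usr/sbin/up2date"

# Reads "<context> <path>" lines on stdin and prints "<path> <type>" for each
# file whose type (third colon-separated field) is not EXPECTED_TYPE.
mislabelled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        [ "$setype" = "$EXPECTED_TYPE" ] || printf '%s %s\n' "$path" "$setype"
    done
}

# Runs the check against whichever front-ends exist on this machine.
check_installed() {
    for f in $FRONTENDS; do
        if [ -e "$f" ]; then stat -c '%C %n' "$f"; fi
    done | mislabelled
}

# Constructed sample of a system without the policy fix. The sbin_t type on
# system-install-packages is an assumption; the thread never states the old label.
sample_before_fix() {
    cat <<'EOF'
system_u:object_r:rpm_exec_t:s0 /usr/sbin/pirut
system_u:object_r:rpm_exec_t:s0 /usr/sbin/pup
system_u:object_r:sbin_t:s0 /usr/sbin/system-install-packages
system_u:object_r:rpm_exec_t:s0 /usr/sbin/up2date
EOF
}

sample_before_fix | mislabelled
```

On an SELinux-enabled machine, calling check_installed prints nothing once every installed front-end carries rpm_exec_t.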

Comment 16 David Bentley 2006-05-07 11:55:10 UTC
We seem to have had the selinux policy update now in FC5 as well as rawhide so I
will do some tests and see if all is now fixed.