Bug 185475
| Field | Value |
|---|---|
| Summary | system-install-packages won't install unsigned packages |
| Product | [Fedora] Fedora |
| Reporter | David Bentley <david.r.bentley> |
| Component | selinux-policy |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| CC | dwalsh, schwandter+bugs |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2006-05-09 12:52:50 UTC |

Description
David Bentley
2006-03-14 23:53:40 UTC
The package in question is installable via rpm -i or yum localinstall (if package signing is temporarily turned off). Checked /var/log/yum.log and there is an entry for each attempted install when install anyway was clicked.

    Mar 14 23:31:05 Installed: AdobeReader_enu.i386 7.0.5-1
    Mar 14 23:35:52 Installed: AdobeReader_enu.i386 7.0.5-1
    Mar 14 23:39:52 Installed: AdobeReader_enu.i386 7.0.5-1
    Mar 14 23:56:34 Installed: AdobeReader_enu.i386 7.0.5-1

So what is install packages actually doing, as no evidence could be found for anything having been written to disk (I checked in the place where it was installed by the rpm -i method on another system and no sign of anything). NB it actually gets installed in /usr/local/Adobe with rpm -i.

It was rather late when I found this issue last night so I will test further when I get home from work. First I will see if I can get system-install-packages to install a signed package by double clicking it and if this doesn't work either I will re-boot with enforcing=0 and test again to see if it is an selinux compatibility issue. I will post results of further testing about 19:30 GMT.

If you double click the manually downloaded package gnome-backgrounds-2.14.0-1.noarch.rpm, system-install-packages complains unable to verify, and if you open details it says that the required public key is not installed, so install anyway and it works. Doing the same for AdobeReader_enu-7.0.5-1.i386.rpm you get the same unable to verify message, and if you open details it says Package AdobeReader_enu-7.0.5-1.i386.rpm is not signed, and clicking install anyway goes through the motions but nothing is installed. If you re-boot with enforcing=0 you get all the same dialogues but this time the unsigned package gets installed properly. So there is an issue with pirut installing unsigned packages when selinux is active (policy-targeted).

Oh and another minor cosmetic hitch. If you use add/remove software to remove something it actually tells you it has installed it successfully. So if one dialogue is used for both installing and removal how about it saying "software changes made successfully".

SELinux shouldn't really impact anything at all as far as enabling/disabling unsigned packages. I'm wondering if there's something stupid about the package which is causing a scriptlet error when done from pirut. Are there any error messages in your X session log or any AVC messages?

I will do some more testing tonight when I get home from work. I will try launching system-install-packages from a terminal and pass the package name on the command line if this is possible and see what output is shown here as well if I can. I will also check other logs and report my findings later this evening (by about 20:00 GMT).

When system-install-packages is run in a terminal window with selinux active

    system-install-packages AdobeReader_enu-7.0.5-1.i386.rpm

the following output is seen :-

    AdobeReader_enu-7.0.5-1.i386.rpm
    error: %pre(AdobeReader_enu-7.0.5-1.i386) scriptlet failed, exit status 255
    error: install: %pre scriptlet failed (2), skipping AdobeReader_enu-7.0.5-1

and when run with enforcing=0 at boot all that is seen is as follows :-

    AdobeReader_enu-7.0.5-1.i386.rpm

Nothing shows up in any log that I can find. So it would seem that when you attempt to install this package with selinux on using system-install-packages there is a problem. But doing a yum localinstall with selinux on works, see following :-

    (echo config gpgcheck 0; echo localinstall AdobeReader_enu-7.0.5-1.i386.rpm; echo run) > yum-cmd
    yum shell yum-cmd
    Loading "installonlyn" plugin
    Setting up Yum Shell
    Setting up Local Package Process
    Examining AdobeReader_enu-7.0.5-1.i386.rpm: AdobeReader_enu - 7.0.5-1.i386
    Marking AdobeReader_enu-7.0.5-1.i386.rpm to be installed
    Setting up repositories
    development [1/2]
    development 100% |=========================| 1.1 kB 00:00
    extras-development [2/2]
    extras-development 100% |=========================| 1.1 kB 00:00
    Reading repository metadata in from local files
    --> Populating transaction set with selected packages. Please wait.
    ---> Package AdobeReader_enu.i386 0:7.0.5-1 set to be updated
    --> Running transaction check
    =============================================================================
     Package           Arch   Version   Repository                         Size
    =============================================================================
    Installing:
     AdobeReader_enu   i386   7.0.5-1   AdobeReader_enu-7.0.5-1.i386.rpm   94 M
    Transaction Summary
    =============================================================================
    Install 1 Package(s)
    Update 0 Package(s)
    Remove 0 Package(s)
    Total download size: 94 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing: AdobeReader_enu ######################### [1/1]
    Installed: AdobeReader_enu.i386 0:7.0.5-1
    Finished Transaction
    Leaving Shell

All done after issuing su to become root.

There's definitely a scriptlet there doing something that perhaps it shouldn't. Can you provide the output of rpm -qp --scripts on the package?

Created attachment 126268
script_op.txt
Output from rpm -qp --scripts AdobeReader_enu-7.0.5-1.i386.rpm as requested
Attachment created with output as requested, see comment #10.

Another package that system-install-packages has a problem with is realplayer, although it installs the files the post install script fails. It installs OK with rpm -i though. Output from running system-install-packages in a terminal:

    system-install-packages RealPlayer-10.0.6.776-20050915.i586.rpm
    RealPlayer-10.0.6.776-20050915.i586.rpm
    error: %post(RealPlayer-10.0.6.776-20050915.i586) scriptlet failed, exit status 255

I will attach the output of rpm -qp --scripts for info.

Created attachment 126467
script output for realplayer
Aha, this is a policy bug. Policy fix is

--- serefpolicy-2.2.30/policy/modules/admin/rpm.fc.foo 2006-04-12 11:50:46.000000000 -0400 +++ serefpolicy-2.2.30/policy/modules/admin/rpm.fc 2006-04-12 11:51:44.000000000 -0400 @@ -15,6 +15,7 @@ /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) ')

You can fix your system with

    chcon system_u:object_r:rpm_exec_t:s0 /usr/sbin/system-install-packages

We seem to have had the selinux policy update now in FC5 as well as rawhide so I will do some tests and see if all is now fixed.
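
Review bot: the added /usr/sbin/system-install-packages line in the rpm.fc hunk above sits between /usr/sbin/pup and /usr/sbin/rhn_check, which breaks the alphabetical order the neighbouring /usr/sbin entries otherwise follow; move it to after /usr/sbin/rhn_check so the list stays sorted. The patch also gives no reason why this front end needs rpm_exec_t; a one-line changelog entry pointing at the %pre/%post scriptlet failures reported in this bug would help, and the update should relabel the file, since a system that already has it installed keeps the old label until it is relabelled or someone runs the chcon quoted in the comment.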
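
An added example, not part of the bug thread or of the policy source: a check that compares the label each packaging front end actually carries against the rpm_exec_t label that the rpm.fc entries in the policy fix above assign. The function names and the sample label listing (including the pre-fix label shown for system-install-packages) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find packaging front ends whose on-disk SELinux label differs
# from the label rpm.fc assigns. All sample data below is constructed.

# rpm.fc entries as quoted in the policy fix: path -- gen_context(context,level)
FC_ENTRIES='/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)'

# Constructed "path context" pairs, in the format printed by: stat -c '%n %C'
SAMPLE_LABELS='/usr/sbin/pirut system_u:object_r:rpm_exec_t:s0
/usr/sbin/pup system_u:object_r:rpm_exec_t:s0
/usr/sbin/system-install-packages system_u:object_r:sbin_t:s0'

# expected_contexts FC: rewrite gen_context(u:r:t,level) as "path u:r:t:level".
expected_contexts() {
    printf '%s\n' "$1" |
        sed -n 's/^\([^ ]*\) .*gen_context(\([^,]*\),\([^)]*\)).*$/\1 \2:\3/p'
}

# mislabelled FC ACTUAL: print "path actual expected" for every mismatch.
mislabelled() {
    expected_contexts "$1" | while read -r path want; do
        have=$(printf '%s\n' "$2" | awk -v p="$path" '$1 == p { print $2 }')
        [ -z "$have" ] && continue      # file not present on this system
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$path" "$have" "$want"
    done
}

# Live use (assumes an SELinux-enabled host with GNU stat):
#   mislabelled "$FC_ENTRIES" "$(stat -c '%n %C' /usr/sbin/pirut \
#       /usr/sbin/pup /usr/sbin/system-install-packages 2>/dev/null)"
mislabelled "$FC_ENTRIES" "$SAMPLE_LABELS"
```

A path reported here is one whose launcher will not be treated as an rpm entry point, which matches the scriptlet failures seen in enforcing mode; once the fixed policy is installed, `restorecon -v` on that path applies the policy's label without typing the context by hand.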