Bug 455744
| Summary: | Revisor don't launch with SELinux in enforcing mode | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Couret Charles-Antoine <renault> |
| Component: | revisor | Assignee: | Jeroen van Meeuwen <vanmeeuwen+fedora> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 10 | CC: | beland, djuran, dwalsh, eparis, jbacik, jonathansteffan, mbooth, skarllot, vanmeeuwen+fedora |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-11-23 16:28:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Couret Charles-Antoine
2008-07-17 15:07:30 UTC
Revisor simply doesn't work with SELinux in enforcing mode.

I'm not sure what you think we can do about it. Precisely what fails when it is in enforcing mode? I have not yet come across an intractable SELinux problem.

I think we need to make similar modifications to revisor that were made to livecd and then it can run in an SELinux environment. I don't really know revisor, but if it works similarly to livecd in that it essentially does an install in a chroot environment, then we need to make sure that the installation does not affect the host environment. We also have to allow for different policy and file context in the chroot than on the host. Both of these issues now work in F10 with livecd. Eric Paris and I can help the revisor people fix this problem, I believe.

livecd-tools (or actually the imgcreate python module from livecd-tools) is what Revisor uses to create the live media, so any changes going to livecd-tools making it possible for them to perform installs to a chroot environment should work for Revisor as well. However, Revisor also creates installation media, like pungi - but doesn't use pungi. I'm not sure that can run with SELinux in enforcing mode, yet. It relates to anaconda's buildinstall/upd-instroot/mk-images bash scripts. These scripts essentially do run installs to a chroot including some foo to make install.img as small as possible. Second, and I'm not sure this is even relevant, Revisor allows cross-composing; all current Fedora releases including rawhide can be composed on a system with a current Fedora release, including rawhide.

Which is also fine. You can build Rawhide, RHEL5 or any other SELinux distribution within livecd now in F10 and Rawhide. So we should be able to get this to all work within revisor, also. The running of the anaconda should all be possible now, not saying this would not be some work, but it would be useful to eventually get the build systems to not be able to attack the network or attack other machines using SELinux for protection.

OK, this is something I would need to test then.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

*** Bug 476210 has been marked as a duplicate of this bug. ***

This is also a problem with revisor-2.1.1-7.fc9.noarch. I was trying to compose a Rawhide ISO using Fedora 9.

I have Revisor running with SELinux in enforcing now, but I'm afraid I'm going to create a world of pain when releasing this in a final product.

Why?

This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

revisor-2.1.7-1.fc11.noarch (Fedora 11) is at least launching without errors.

I've built (not yet released) a version that does not check for SELinux's status anymore.