Bug 457051
| Summary: | SELinux is preventing the get-updates.py (system_dbusd_t) from executing ./get-updates.py. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Charlie Brady <charlieb-fedora-bugzilla> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CANTFIX | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 9 | CC: | charlieb-redhat-bugzilla |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-08-01 14:56:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Charlie Brady
2008-07-29 13:42:53 UTC
ls -lZ /usr/sbin/packagekitd -rwxr-xr-x root root system_u:object_r:rpm_exec_t:s0 /usr/sbin/packagekitd Looks like this is labeled wrong. restorecon -R -v /usr/sbin/packagekitd (In reply to comment #1) > ls -lZ /usr/sbin/packagekitd > -rwxr-xr-x root root system_u:object_r:rpm_exec_t:s0 /usr/sbin/packagekitd > > Looks like this is labeled wrong. Not on my system, apparently: [charlieb@localhost ~]$ ls -lZ /usr/sbin/packagekitd -rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/sbin/packagekitd [charlieb@localhost ~]$ > > restorecon -R -v /usr/sbin/packagekitd > [charlieb@localhost ~]$ sudo /sbin/restorecon -R -v /usr/sbin/packagekitd [sudo] password for charlieb: [charlieb@localhost ~]$ ls -lZ /usr/sbin/packagekitd -rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/sbin/packagekitd [charlieb@localhost ~]$ But how would it be labelled wrongly anyway (immediately after a system wide relabel)? grep packagekitd /etc/selinux/targeted/contexts/files/file_contexts /usr/sbin/packagekitd -- system_u:object_r:rpm_exec_t:s0 Something seems strange # matchpathcon /usr/sbin/packagekitd /usr/sbin/packagekitd system_u:object_r:rpm_exec_t:s0 (In reply to comment #3) > grep packagekitd /etc/selinux/targeted/contexts/files/file_contexts > /usr/sbin/packagekitd -- system_u:object_r:rpm_exec_t:s0 > > Something seems strange > > # matchpathcon /usr/sbin/packagekitd > /usr/sbin/packagekitd system_u:object_r:rpm_exec_t:s0 > [charlieb@localhost ~]$ grep packagekitd /etc/selinux/targeted/contexts/files/file_contexts [charlieb@localhost ~]$ [charlieb@localhost ~]$ sudo /usr/sbin/matchpathcon /usr/sbin/packagekitd /usr/sbin/packagekitd system_u:object_r:bin_t:s0 [charlieb@localhost ~]$ [charlieb@localhost ~]$ rpm -qf /etc/selinux/targeted/contexts/files/file_contexts selinux-policy-targeted-3.3.1-79.fc9.noarch [charlieb@localhost ~]$ sudo rpm -V selinux-policy-targeted-3.3.1-79.fc9.noarch [charlieb@localhost ~]$ # semodule -B # ls /etc/selinux/targeted/policy *** Bug 457054 has been marked as a duplicate of this bug. *** *** Bug 457088 has been marked as a duplicate of this bug. *** (In reply to comment #6) > # semodule -B > # ls /etc/selinux/targeted/policy I'm guessing that those are instructions for me: [charlieb@localhost ~]$ ls -lR /etc/selinux/targeted/policy /etc/selinux/targeted/policy: total 3812 -rw-r--r-- 1 root root 3892998 2007-11-02 12:23 policy.21 [charlieb@localhost ~]$ rpm -qf !$ rpm -qf /etc/selinux/targeted/policy selinux-policy-targeted-3.3.1-79.fc9.noarch [charlieb@localhost ~]$ sudo rpm -V selinux-policy-targeted-3.3.1-79.fc9.noarch [sudo] password for charlieb: [charlieb@localhost ~]$ [charlieb@localhost ~]$ sudo /usr/sbin/semodule -B libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory). /usr/sbin/semodule: Failed! [charlieb@localhost ~]$ [charlieb@localhost ~]$ sudo find /etc/selinux/targeted/ /etc/selinux/targeted/ /etc/selinux/targeted/policy /etc/selinux/targeted/policy/policy.21 /etc/selinux/targeted/seusers /etc/selinux/targeted/contexts /etc/selinux/targeted/contexts/customizable_types /etc/selinux/targeted/contexts/x_contexts /etc/selinux/targeted/contexts/dbus_contexts /etc/selinux/targeted/contexts/initrc_context /etc/selinux/targeted/contexts/userhelper_context /etc/selinux/targeted/contexts/securetty_types /etc/selinux/targeted/contexts/failsafe_context /etc/selinux/targeted/contexts/removable_context /etc/selinux/targeted/contexts/files /etc/selinux/targeted/contexts/files/media /etc/selinux/targeted/contexts/files/file_contexts.homedirs /etc/selinux/targeted/contexts/files/file_contexts /etc/selinux/targeted/contexts/default_contexts /etc/selinux/targeted/contexts/users /etc/selinux/targeted/contexts/users/guest_u /etc/selinux/targeted/contexts/users/user_u /etc/selinux/targeted/contexts/users/xguest_u /etc/selinux/targeted/contexts/users/staff_u /etc/selinux/targeted/contexts/users/root /etc/selinux/targeted/contexts/users/unconfined_u /etc/selinux/targeted/contexts/netfilter_contexts /etc/selinux/targeted/contexts/default_type /etc/selinux/targeted/setrans.conf /etc/selinux/targeted/modules /etc/selinux/targeted/modules/semanage.trans.LOCK /etc/selinux/targeted/modules/semanage.read.LOCK /etc/selinux/targeted/modules/active /etc/selinux/targeted/modules/active/seusers /etc/selinux/targeted/modules/active/modules [charlieb@localhost ~]$ [charlieb@localhost ~]$ rpm -qflv /etc/selinux/targeted/ | grep targeted.mod drwxr-xr-x 2 root root 0 Jul 18 15:24 /etc/selinux/targeted/modules drwx------ 2 root root 0 Jul 18 15:24 /etc/selinux/targeted/modules/active -rw-r--r-- 1 root root 0 Jul 18 15:24 /etc/selinux/targeted/modules/semanage.read.LOCK -rw-r--r-- 1 root root 0 Jul 18 15:24 /etc/selinux/targeted/modules/semanage.trans.LOCK [charlieb@localhost ~]$ [charlieb@localhost ~]$ sudo mkdir /etc/selinux/targeted/modules/tmp [charlieb@localhost ~]$ sudo /usr/sbin/semodule -B libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory). /usr/sbin/semodule: Failed! [charlieb@localhost ~]$ So it's not just the missing /tmp directory that is the problem. open("/proc/self/task/4277/attr/current", O_RDONLY) = 3
read(3, "unconfined_u:unconfined_r:semana"..., 4095) = 40
close(3) = 0
access("/etc/selinux/targeted/modules/active", R_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/semanage.read.LOCK", R_OK) = 0
access("/etc/selinux/targeted/modules/active/modules", R_OK|W_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/active", R_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/semanage.read.LOCK", R_OK) = 0
access("/etc/selinux/targeted/modules/active/modules", R_OK|W_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/active", R_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/semanage.read.LOCK", R_OK) = 0
access("/etc/selinux/targeted/modules/active/modules", R_OK|W_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/active", R_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/semanage.read.LOCK", R_OK) = 0
access("/etc/selinux/targeted/modules/active/modules", R_OK|W_OK|X_OK) = 0
open("/etc/selinux/targeted/modules/semanage.trans.LOCK", O_RDONLY) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
flock(3, LOCK_EX|LOCK_NB) = 0
stat("/etc/selinux/targeted/modules/tmp", 0x7fff8c973e90) = -1 ENOENT (No such
file or directory)
mkdir("/etc/selinux/targeted/modules/tmp", 0700) = 0
open("/etc/selinux/targeted/modules/active",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fcntl(4, F_GETFD) = 0x1 (flags FD_CLOEXEC)
getdents(4, /* 4 entries */, 4096) = 112
getdents(4, /* 0 entries */, 4096) = 0
close(4) = 0
stat("/etc/selinux/targeted/modules/active/seusers", {st_mode=S_IFREG|0644,
st_size=127, ...}) = 0
open("/etc/selinux/targeted/modules/active/seusers", O_RDONLY) = 4
open("/etc/selinux/targeted/modules/tmp/seusers.tmp", O_WRONLY|O_CREAT|O_TRUNC,
0100644) = 5
read(4, "# This file is auto-generated by"..., 4192) = 127
write(5, "# This file is auto-generated by"..., 127) = 127
read(4, "", 4192) = 0
close(4) = 0
close(5) = 0
rename("/etc/selinux/targeted/modules/tmp/seusers.tmp",
"/etc/selinux/targeted/modules/tmp/seusers") = 0
stat("/etc/selinux/targeted/modules/active/modules", {st_mode=S_IFDIR|0700,
st_size=4096, ...}) = 0
mkdir("/etc/selinux/targeted/modules/tmp/modules", 0700) = 0
open("/etc/selinux/targeted/modules/active/modules",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents(4, /* 2 entries */, 4096) = 48
getdents(4, /* 0 entries */, 4096) = 0
close(4) = 0
open("/etc/selinux/targeted/modules/tmp/modules",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents(4, /* 2 entries */, 4096) = 48
getdents(4, /* 0 entries */, 4096) = 0
close(4) = 0
access("/etc/selinux/targeted/modules/tmp/base.pp", R_OK) = -1 ENOENT (No such
file or directory)
write(2, "libsemanage.semanage_link_sandbo"...,
35libsemanage.semanage_link_sandbox: ) = 35
write(2, "Could not access sandbox base fi"..., 77Could not access sandbox base
file /etc/selinux/targeted/modules/tmp/base.pp.) = 77
write(2, " (No such file or directory).", 29 (No such file or directory).) = 29
write(2, "\n", 1
) = 1
flock(3, LOCK_UN) = 0
close(3) = 0
open("/etc/selinux/targeted/modules/tmp",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents(3, /* 4 entries */, 4096) = 112
getdents(3, /* 0 entries */, 4096) = 0
close(3) = 0
stat("/etc/selinux/targeted/modules/tmp/seusers", {st_mode=S_IFREG|0644,
st_size=127, ...}) = 0
unlink("/etc/selinux/targeted/modules/tmp/seusers") = 0
stat("/etc/selinux/targeted/modules/tmp/modules", {st_mode=S_IFDIR|0700,
st_size=4096, ...}) = 0
open("/etc/selinux/targeted/modules/tmp/modules",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents(3, /* 2 entries */, 4096) = 48
getdents(3, /* 0 entries */, 4096) = 0
close(3) = 0
rmdir("/etc/selinux/targeted/modules/tmp/modules") = 0
rmdir("/etc/selinux/targeted/modules/tmp") = 0
write(2, "/usr/sbin/semodule: Failed!\n", 29/usr/sbin/semodule: Failed!
) = 29
exit_group(1) = ?
[charlieb@localhost ~]$
You seem to have a very screwed up machine. # yum upgrade libse\* policycore\* checkpolicy\* # setenforce 0 # rm -rf /etc/selinux # rpm Uhv --force selinux-policy*3.3.1-79.fc9.noarch.rpm # fixfiles restore (In reply to comment #12) > You seem to have a very screwed up machine. > > # yum upgrade libse\* policycore\* checkpolicy\* > # setenforce 0 > # rm -rf /etc/selinux > # rpm Uhv --force selinux-policy*3.3.1-79.fc9.noarch.rpm OK, I'm doing this, and have got this far. This looks better: [charlieb@localhost ~]$ sudo /usr/sbin/semanage user -l [sudo] password for charlieb: Labeling MLS/ MLS/ SELinux User Prefix MCS Level MCS Range SELinux Roles root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r sysadm_u user s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r user_u user s0 s0 user_r [charlieb@localhost ~]$ [charlieb@localhost ~]$ sudo /usr/sbin/semanage login -l Login Name SELinux User MLS/MCS Range __default__ user_u s0 root root s0-s0:c0.c1023 system_u system_u s0-s0:c0.c1023 [charlieb@localhost ~]$ > # fixfiles restore And this is churning away. What can I do to try to find when/how things went wrong? I don't know. Did you update from a previous version of Fedora. Sometimes updates break things. It is usually safer to do a fresh install > # fixfiles restore > And this is churning away. It seems to have done the job. > Did you update from a previous version of Fedora. Only from the pre-release FC9. You need to execute these commands to complete the cleanup. These will cause users to log in as unconfined_t which is probably what you want. # semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u # semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ # semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root Log out and log back in id -Z should show unconfined_t |