Bug 595280
Summary: | SELinux is preventing /usr/sbin/semodule "read" access on passwd. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | upgradeservices |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 12 | CC: | dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:02c15353d58fe90e907b732b581b11ebd170f4e8f727159b9a20346e7ae4ce30 | ||
Last Closed: | 2010-10-01 06:06:11 UTC | Type: | --- |
Description
upgradeservices
2010-05-24 09:26:51 UTC
Was running pungi:

    pungi --name=fx64 --ver=F12 --destdir=/somedir/p_dest --cachedir=/somedir/p_cache --nosource --nosplitmedia --force --config=/somedir/ks.cfg -G -C -B

For some reason, some app relabeled /etc/passwd to shadow_t, which is wrong. restorecon /etc/passwd will fix.

Any idea how it got mislabeled? Did you use some kind of tool to add a user? I am trying to reproduce it with pungi tool.

Guys, could it be that the SELinux reporting tool picks up the errors from the image which is being created with pungi as opposed to the 'host' OS? Here is what I have on the host where pungi runs:

    ls --lcontext /etc/passwd
    -rw-r--r--. 1 system_u:object_r:etc_t:s0 root 2.2K 2010-05-18 20:21 /etc/passwd
    ls --lcontext /etc/shadow
    ----------. 1 system_u:object_r:shadow_t:s0 root 1.3K 2010-05-18 20:21 /etc/shadow
    restorecon /etc/passwd
    ls --lcontext /etc/passwd
    -rw-r--r--. 1 system_u:object_r:etc_t:s0 root root 2208 2010-05-18 20:21 /etc/passwd

Above seems to be OK - right? I can provide the ks used for pungi [if this is related at all]; it contains entries to automatically add a user among other things, and I reckon this is when the SELinux alert is triggered. Also note, the spun image has SELinux set to enforcing by default; when I change this option in the ks to disabled, no errors are generated at all.

I think we need to ignore all AVC messages created when running pungi. It is too strange an environment, and is very mislabeled when it runs. Maybe once we have policy for mock we can look at supporting pungi.
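Added example, not part of the bug report: a small triage script that separates AVC denials caused by a mislabeled target (the passwd-as-shadow_t case diagnosed above) from denials that reflect policy. The audit records are constructed samples, and the expected-type map uses only the labels shown in the reporter's `ls --lcontext` output.

```python
import re

# Expected types, as shown by `ls --lcontext` on the reporter's Fedora 12 host.
EXPECTED_TYPE = {"passwd": "etc_t", "shadow": "shadow_t"}

# Constructed sample records (not from the bug report), in audit.log format.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1274693211.101:901): avc:  denied  { read } for  pid=4242 comm="semodule" name="passwd" dev=dm-0 ino=131 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1274693215.007:902): avc:  denied  { read } for  pid=4250 comm="httpd" name="shadow" dev=dm-0 ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1274693215.007:902): arch=c000003e syscall=2 success=no exit=-13
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{ ([^}]*)\}')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    if not line.startswith("type=AVC") or "denied" not in line:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = PERMS.search(line)
    rec["perms"] = m.group(1).split() if m else []
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(audit_text):
    """Classify each denial as a mislabeled target or a policy denial."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # name= holds only the basename, so this is a hint to go check the
        # real path (host or build chroot) with ls -Z, not a final verdict.
        want = EXPECTED_TYPE.get(rec.get("name"))
        verdict = "mislabeled" if want and rec["ttype"] != want else "policy"
        out.append((rec["comm"], rec["name"], rec["ttype"], verdict))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT):
        print(row)
```

A "mislabeled" verdict points at a `restorecon` fix on the file the record refers to, which during a pungi run may be inside the image tree rather than on the host.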