Bug 660653

| Summary: | SELinux AVCs during RPM installation | | |
|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Jan Sarenik <jsarenik> |
| Component: | condor | Assignee: | Matthew Farrellee <matt> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Sarenik <jsarenik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 1.3 | CC: | matt |
| Target Milestone: | 1.3.2 | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | condor-7.4.5-0.3 | Doc Type: | Bug Fix |
| Doc Text: | On Red Hat Enterprise Linux 5, the %post scriptlet in the RPM spec file used a pipeline to filter out certain unimportant messages. As a consequence, various denial messages could be reported by SELinux during the installation of this package. With this update, the %post scriptlet has been adapted not to use pipelines, and such messages no longer appear. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | RHEL5 (up-to-date with RHN) |
| Last Closed: | 2011-02-15 12:12:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Jan Sarenik, 2010-12-07 13:58:01 UTC

Just to make it clear: there is no such postinstall line in the RHEL4 version of Condor's RPM. This bug prevents me from a successful test run in case I install condor during the test. E.g. see https://beaker.engineering.redhat.com/jobs/37019

Bug 490108 should have been CLOSED as WONTFIX instead of NOTABUG, which is the case now.

This was evaluated, with consultation from SELinux experts, and was not viewed to be an issue worth fixing at the time. If this becomes an issue that impacts execution of the rpm installation/upgrade or the condor_startd after installation, we can re-evaluate.

But I am sure the "|grep" pipe is not vital there. Simple removal of it would make my Beaker tests pass. Please consider removing the pipe from the postinstall script. Excuse me for putting this back to ASSIGNED, but I would like to get at least a reply. Thanks.

Bug 472084 is the source of this. EL5's current semanage (policycoreutils-1.33.12-14.8.el5) does not complain about duplicate fcontext -a's.

```
# semanage fcontext -l | grep startd
/usr/sbin/condor_startd    all files    system_u:object_r:unconfined_execmem_exec_t:s0
# semanage fcontext -a -t unconfined_execmem_exec_t /usr/sbin/condor_startd
```

If the change to semanage is intentional then the |grep may be removed altogether.

I'm going to remove the |grep from the semanage line; it should be available post 7.4.5-0.2, watch the Fixed In Version field.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
C: On EL5, the condor package's %post install script filtered out an innocuous message when redefining an already defined fcontext with semanage.
C: The SELinux policy for EL5 would report errors from the pipe usage. Errors are below. The errors were non-fatal.
F: semanage no longer produces the innocuous messages and the pipe use in %post has been removed.
R: No more SELinux messages as part of a second install/upgrade.

Verified on condor-7.4.5-0.3.el5 on current RHN updated RHEL5.5 x86_64. Thank you for the fix! There is still another problem, even after removing the "|grep" pipe. I will get back with more info when it gets clearer.

If it is a different issue, please file another BZ.

The new one is bug 664684. This one is verified for condor-7.4.5-0.3.el5 according to the spec file. Also verified practically both on RHEL5 x86_64 and i386.

Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,4 +1 @@ -C: On EL5, the condor package's %post install script filtered out an innocuous message when redefining an already defined fcontext with semanage. +On Red Hat Enterprise Linux 5, the %post scriptlet in the RPM spec file used a pipeline to filter out certain unimportant messages. Consequent to this, various denial messages could be reported by SELinux during the installation of this package. With this update, the %post scriptlet has been adapted no to use pipelines, and such messages no longer appear.-C: The SELinux policy for EL5 would report errors from the pipe usage. Errors are bellow. The errors were non-fatal. -F: semanage no longer produces the innocuous messages and the pipe use in %post has been removed. -R: No more SELinux messages as part of a second install/upgrade.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0217.html
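Review bot: the added `+` line of the Technical Notes hunk carries a typo that will ship in the errata text, "adapted no to use pipelines" should read "adapted not to use pipelines"; the `+` line is otherwise fine and correctly replaces the C/C/F/R form with a single paragraph.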
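To check the condition the reporter verified (no SELinux messages on a second install/upgrade), here is an added example that is not part of the bug report or of the condor package: a POSIX shell script that summarises AVC denials from audit records and counts those raised on a pipe under rpm_script_t, the pattern a piped %post scriptlet produces. The audit lines are constructed for illustration; pids, timestamps and the exact contexts are assumptions, not values taken from the report.

```shell
#!/bin/sh
# Added example (not from the bug report). Summarise SELinux AVC denials
# recorded while an RPM scriptlet ran, so a second install/upgrade can be
# checked for "no more SELinux messages". The audit records below are
# constructed; the layout follows the audit.log AVC format, but pids,
# timestamps and contexts are assumptions, not values from the report.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1291730281.432:101): avc:  denied  { read } for  pid=4242 comm="grep" path="pipe:[12345]" dev=pipefs ino=12345 scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1291730281.432:101): arch=c000003e syscall=0 success=no exit=-13 comm="grep" exe="/bin/grep" subj=system_u:system_r:rpm_script_t:s0 key=(null)
type=AVC msg=audit(1291730281.440:102): avc:  denied  { write } for  pid=4241 comm="semanage" path="pipe:[12345]" dev=pipefs ino=12345 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=fifo_file
type=AVC msg=audit(1291730290.001:103): avc:  denied  { execute } for  pid=4300 comm="condor_startd" path="/usr/sbin/condor_startd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file'

# avc_summary: read audit records on stdin, emit one line per AVC denial as
# "<comm> <permission> <tclass> <scontext> -> <tcontext>" (SYSCALL records skipped).
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            comm = ""; perm = ""; tclass = ""; sc = ""; tc = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                if ($i ~ /^scontext=/) { sc = substr($i, 10) }
                if ($i ~ /^tcontext=/) { tc = substr($i, 10) }
            }
            # the denied permission sits between the braces: "{ read }"
            if (match($0, /\{ [a-z_]+ \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            print comm, perm, tclass, sc, "->", tc
        }'
}

# count_pipe_denials: denials on a pipe (tclass fifo_file) where either side
# of the access is rpm_script_t, i.e. what a "cmd | grep" inside %post leaves behind.
# A clean second install/upgrade should yield 0.
count_pipe_denials() {
    avc_summary | awk '$3 == "fifo_file" && ($4 ~ /rpm_script_t/ || $6 ~ /rpm_script_t/) { n++ }
                       END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_pipe_denials
```

On a real host the records come from `ausearch -m avc -ts recent` or /var/log/audit/audit.log piped into `avc_summary` instead of the constructed sample.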