Bug 677450
| Field | Value |
|---|---|
| Summary | anaconda does not mount /mnt/sysimage/selinux |
| Product | [Fedora] Fedora |
| Component | anaconda |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Version | 15 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Orion Poplawski <orion> |
| Assignee | David Lehman <dlehman> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | anaconda-maint-list, dwalsh, eparis, jlaska, jonathan, loganjerry, mgrepl, pcfe, sdsmall, vanmeeuwen+fedora |
| Keywords | Reopened |
| Whiteboard | AcceptedBlocker |
| Fixed In Version | anaconda-15.22-1.fc15 |
| Doc Type | Bug Fix |
| Last Closed | 2011-03-16 04:06:44 UTC |
| Bug Blocks | 494832, 657618 |

Description
Orion Poplawski
2011-02-14 21:06:38 UTC
rpm -q selinux-policy-targeted

selinux-policy-targeted-3.9.14-2.fc15.noarch
Doesn't work in permissive mode either.

restorecon -R -v /etc/selinux

Created attachment 479224 [details]
setsebool strace

restorecon reports nothing.

```
grep -F /tmp /data/sw/tmp/setsebool.strace
8767 stat("/etc/selinux/targeted/modules/tmp", 0x7fff91e8e440) = -1 ENOENT (No such file or directory)
8767 mkdir("/etc/selinux/targeted/modules/tmp", 0700) = 0
8767 mkdir("/etc/selinux/targeted/modules/tmp/modules", 0700) = 0
8767 open("/etc/selinux/targeted/modules/tmp/commit_num", O_RDONLY) = -1 ENOENT (No such file or directory)
8767 open("/etc/selinux/targeted/modules/tmp//booleans.local", O_RDONLY) = -1 ENOENT (No such file or directory)
8767 open("/etc/selinux/targeted/modules/tmp/commit_num", O_RDONLY) = -1 ENOENT (No such file or directory)
8767 open("/etc/selinux/targeted/modules/tmp/commit_num", O_RDONLY) = -1 ENOENT (No such file or directory)
8767 open("/etc/selinux/targeted/modules/tmp/commit_num", O_RDONLY) = -1 ENOENT (No such file or directory)
8767 access("/etc/selinux/targeted/modules/tmp/disable_dontaudit", F_OK) = -1 ENOENT (No such file or directory)
8767 unlink("/etc/selinux/targeted/modules/tmp/disable_dontaudit") = -1 ENOENT (No such file or directory)
8767 open("/etc/selinux/targeted/modules/tmp/modules", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
8767 access("/etc/selinux/targeted/modules/tmp/base.pp", R_OK) = -1 ENOENT (No such file or directory)
8767 open("/etc/selinux/targeted/modules/tmp", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
8767 stat("/etc/selinux/targeted/modules/tmp/modules", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
8767 open("/etc/selinux/targeted/modules/tmp/modules", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
8767 rmdir("/etc/selinux/targeted/modules/tmp/modules") = 0
8767 rmdir("/etc/selinux/targeted/modules/tmp") = 0
```

It appears nothing creates base.pp before it is attempted to be accessed.

Installation of gcl-selinux is failing in F-15 and Rawhide with the same error message. The failing step in the postinstall script is this:

```
/usr/sbin/semodule -i /usr/share/selinux/packages/gcl/gcl.pp
```

Does yum reinstall selinux-policy-targeted blow up?

Appears to get stuck:

```
Running Transaction
Installing : selinux-policy-targeted-3.9.14-2.fc15.noarch 1/1

UID PID PPID C STIME TTY TIME CMD
root 20795 20792 0 16:43 pts/0 00:00:00 -bash
root 20824 20795 2 16:44 pts/0 00:00:04 /usr/bin/python /usr/bin/yum reinstall selinux-policy-targeted

# strace -fp 20824
Process 20824 attached - interrupt to quit
futex(0x7fc961823dbc, FUTEX_WAIT, 1, NULL^C <unfinished ...>
Process 20824 detached
```

After killing that process (kill -9), setsebool -P works.

This was in the install.log:

```
Installing selinux-policy-targeted-3.9.14-2.fc15.noarch
libsepol.policydb_write: policy version 15 cannot support MLS
libsepol.policydb_to_image: could not compute policy length
libsepol.policydb_to_image: could not create policy image
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.24: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule: Failed!
```

yum reinstall selinux-policy-targeted still seems to hang in the same place though.

Could you reinstall libsemanage? Not sure why it is trying to use policy.15? Something wacky is going on.

That reinstall hangs too. I suspect rpm. Filed bug 678644.

```
cat /selinux/policyvers
sestatus
```

Yes this is caused by the rpm problems. Not an SELinux issue.

Sorry, but how is this "NOTABUG"? I can reproduce this every time I've installed F15 so far. Is there another bug filed for the cause? The rpm problem was only affecting the attempts to reinstall packages, not the original report.

```
[root@vmrawhide ~]# cat /selinux/policyvers
24[root@vmrawhide ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
```

Well not an SELinux bug if rpm is causing the install to blow up.

The original report looked like there was no base.pp, which implies that the original install of the policy package failed too and we have an incomplete /etc/selinux/targeted/modules tree. What is the evidence that it is an rpm problem that is causing the install to fail? Certainly there are problems with the install (comment 8), but do we know what is causing it?

We have seen other bugs like this and it turned out to be a problem with RPM.

Yes, this was the rpm problem which should be now fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=678644

No, that was a separate issue. yum reinstall hangs. That was discovered in the process of debugging this issue, but I can't imagine it being related to the original problem of selinux getting messed up at install time.

Well, you are right. The original problem was with "yum reinstall". But I believe the rpm issue also caused other issues with the policy.

In the VT2 terminal during the install, sestatus is fine (policy 24). Run in %post, I get:

```
+ cat /selinux/policyvers
cat: /selinux/policyvers: No such file or directory
sestatus
+ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: unknown (No such file or directory)
Mode from config file: enforcing
Policy version: 15
Policy from config file: targeted
```

Does /selinux need to be in the chroot? Anaconda issue?

That's interesting. load_policy would need /selinux to be mounted in order to work. If we're installing in a chroot though, I'd think that we wouldn't want to perform the policy load at that time and thus should be using semodule -n.

Confirmed that F15 anaconda does not mount /mnt/sysimage/selinux, which is causing the above selinux install issues. This may be related to commit ae30136b9a1b8657d724e5abf56736ef201ecaf4 where /selinux mounting was moved to storage.

Please attach the installer's logs. If your install has completed and you've rebooted into the installed system, they'll be here:

/var/log/anaconda/anaconda.log
/var/log/anaconda/anaconda.storage.log
/var/log/anaconda/anaconda.program.log
/var/log/anaconda/anaconda.syslog

If you're still in the installer, in the shell on vt2, they'll be here:

/tmp/anaconda.log
/tmp/storage.log
/tmp/program.log
/tmp/syslog

Please attach them individually -- not as a tarball. Thanks.

Created attachment 481153 [details]
anaconda.log
Created attachment 481154 [details]
program.log
Created attachment 481155 [details]
storage.log
Created attachment 481156 [details]
syslog

Thanks. I have a patch that I have verified in local testing. I will post it for review later today and am proposing this as an F15Beta blocker NTH.

*** Bug 681663 has been marked as a duplicate of this bug. ***

Fixed for Fedora 15 in anaconda-15.22-1.

anaconda-15.22-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/anaconda-15.22-1.fc15

Discussed at 2011-03-11 blocker review meeting. This issue is fixed and available for testing in anaconda-15.22-1. The issue has been accepted as a beta blocker.

anaconda-15.22-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
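
The condition diagnosed in this thread (selinuxfs absent inside the install chroot, so `load_policy` cannot work) can be detected before a scriptlet calls `semodule`. The following is an added example, not code from anaconda or from any package in this report; the function names, the second and third parameters, and the sample mounts tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: a %post-style guard that checks for selinuxfs before asking
# semodule to reload policy. Not anaconda or selinux-policy code.

# Print the selinuxfs mount point listed in a mounts table (default
# /proc/mounts); return non-zero when no selinuxfs entry exists.
selinuxfs_mountpoint() {
    awk '$3 == "selinuxfs" { print $2; found = 1; exit }
         END { exit !found }' "${1:-/proc/mounts}" 2>/dev/null
}

# Echo the semodule command line to use for module package $1.
# $2 = mounts table to inspect, $3 = prefix prepended to the mount point
# (hypothetical parameters, present so the logic can be exercised offline).
semodule_command() {
    pp=$1
    if mp=$(selinuxfs_mountpoint "${2:-/proc/mounts}") &&
       [ -r "${3:-}$mp/policyvers" ]; then
        # Kernel interface is reachable: a policy reload can succeed.
        echo "semodule -i $pp"
    else
        # No usable selinuxfs (the chroot case in this bug): install the
        # module with -n so no reload is attempted.
        echo "semodule -n -i $pp"
    fi
}

# Constructed sample data: a fake root with and without /selinux mounted.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/selinux" && echo 24 > "$d/selinux/policyvers"
    printf '%s\n' '/dev/sda2 / ext4 rw 0 0' \
                  'none /selinux selinuxfs rw 0 0' > "$d/mounted"
    printf '%s\n' '/dev/sda2 / ext4 rw 0 0' \
                  'proc /proc proc rw 0 0' > "$d/chroot"
    semodule_command gcl.pp "$d/mounted" "$d"
    semodule_command gcl.pp "$d/chroot" "$d"
    rm -rf "$d"
}
demo
```

The second check matters because the `%post` output above shows `SELinuxfs mount: /selinux` while `/selinux/policyvers` does not exist; a missing `policyvers` file is treated the same as a missing mount.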