Bug 677450

Summary: anaconda does not mount /mnt/sysimage/selinux
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: anaconda
Assignee: David Lehman <dlehman>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: anaconda-maint-list, dwalsh, eparis, jlaska, jonathan, loganjerry, mgrepl, pcfe, sdsmall, vanmeeuwen+fedora
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Fixed In Version: anaconda-15.22-1.fc15
Doc Type: Bug Fix
Last Closed: 2011-03-16 04:06:44 UTC
Bug Blocks: 494832, 657618
Attachments: setsebool strace, anaconda.log, program.log, storage.log, syslog

Description Orion Poplawski 2011-02-14 21:06:38 UTC
Description of problem:

# setsebool -P use_nfs_home_dirs=1 
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
Could not change policy booleans

# ls /etc/selinux/targeted/modules
active  semanage.read.LOCK  semanage.trans.LOCK

Version-Release number of selected component (if applicable):
policycoreutils-2.0.85-12.fc15.x86_64
libsemanage-2.0.46-3.fc15.x86_64

Comment 1 Daniel Walsh 2011-02-16 20:40:53 UTC
rpm -q selinux-policy-targeted

Comment 2 Orion Poplawski 2011-02-16 20:51:46 UTC
selinux-policy-targeted-3.9.14-2.fc15.noarch

Doesn't work in permissive mode either.

Comment 3 Daniel Walsh 2011-02-16 21:54:57 UTC
restorecon -R -v /etc/selinux

Comment 4 Orion Poplawski 2011-02-16 22:17:59 UTC
Created attachment 479224
setsebool strace

restorecon reports nothing.

grep -F /tmp /data/sw/tmp/setsebool.strace
8767  stat("/etc/selinux/targeted/modules/tmp", 0x7fff91e8e440) = -1 ENOENT (No such file or directory)
8767  mkdir("/etc/selinux/targeted/modules/tmp", 0700) = 0
8767  mkdir("/etc/selinux/targeted/modules/tmp/modules", 0700) = 0
8767  open("/etc/selinux/targeted/modules/tmp/commit_num", O_RDONLY) = -1 ENOENT (No such file or directory)
8767  open("/etc/selinux/targeted/modules/tmp//booleans.local", O_RDONLY) = -1 ENOENT (No such file or directory)
8767  open("/etc/selinux/targeted/modules/tmp/commit_num", O_RDONLY) = -1 ENOENT (No such file or directory)
8767  open("/etc/selinux/targeted/modules/tmp/commit_num", O_RDONLY) = -1 ENOENT (No such file or directory)
8767  open("/etc/selinux/targeted/modules/tmp/commit_num", O_RDONLY) = -1 ENOENT (No such file or directory)
8767  access("/etc/selinux/targeted/modules/tmp/disable_dontaudit", F_OK) = -1 ENOENT (No such file or directory)
8767  unlink("/etc/selinux/targeted/modules/tmp/disable_dontaudit") = -1 ENOENT (No such file or directory)
8767  open("/etc/selinux/targeted/modules/tmp/modules", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
8767  access("/etc/selinux/targeted/modules/tmp/base.pp", R_OK) = -1 ENOENT (No such file or directory)
8767  open("/etc/selinux/targeted/modules/tmp", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
8767  stat("/etc/selinux/targeted/modules/tmp/modules", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
8767  open("/etc/selinux/targeted/modules/tmp/modules", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
8767  rmdir("/etc/selinux/targeted/modules/tmp/modules") = 0
8767  rmdir("/etc/selinux/targeted/modules/tmp") = 0

It appears nothing creates base.pp before it is attempted to be accessed.

Comment 5 Jerry James 2011-02-17 18:37:01 UTC
Installation of gcl-selinux is failing in F-15 and Rawhide with the same error message.  The failing step in the postinstall script is this:

/usr/sbin/semodule -i /usr/share/selinux/packages/gcl/gcl.pp

Comment 6 Miroslav Grepl 2011-02-18 12:15:14 UTC
Does 

yum reinstall selinux-policy-targeted

blow up?

Comment 7 Orion Poplawski 2011-02-18 16:47:26 UTC
Appears to get stuck:

Running Transaction
  Installing : selinux-policy-targeted-3.9.14-2.fc15.noarch                                 1/1 

UID        PID  PPID  C STIME TTY          TIME CMD
root     20795 20792  0 16:43 pts/0    00:00:00 -bash
root     20824 20795  2 16:44 pts/0    00:00:04 /usr/bin/python /usr/bin/yum reinstall selinux-policy-targeted

# strace -fp 20824
Process 20824 attached - interrupt to quit
futex(0x7fc961823dbc, FUTEX_WAIT, 1, NULL^C <unfinished ...>
Process 20824 detached

Comment 8 Orion Poplawski 2011-02-18 17:13:30 UTC
After killing that process (kill -9), setsebool -P works.


This was in the install.log:

Installing selinux-policy-targeted-3.9.14-2.fc15.noarch
libsepol.policydb_write: policy version 15 cannot support MLS
libsepol.policydb_to_image: could not compute policy length
libsepol.policydb_to_image: could not create policy image
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.24:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule:  Failed!

Comment 9 Orion Poplawski 2011-02-18 17:16:22 UTC
yum reinstall selinux-policy-targeted still seems to hang in the same place though.

Comment 10 Daniel Walsh 2011-02-18 17:39:13 UTC
Could you reinstall libsemanage?

Not sure why it is trying to use policy.15?

Something wacky is going on.

Comment 11 Orion Poplawski 2011-02-18 18:02:14 UTC
That reinstall hangs too.  I suspect rpm.  Filed bug 678644.

Comment 12 Stephen Smalley 2011-02-23 13:26:57 UTC
cat /selinux/policyvers
sestatus

Comment 13 Daniel Walsh 2011-02-23 21:06:14 UTC
Yes this is caused by the rpm problems.  Not an SELinux issue.

Comment 14 Orion Poplawski 2011-02-24 03:37:49 UTC
Sorry, but how is this "NOTABUG"?  I can reproduce this every time I've installed F15 so far.  Is there another bug filed for the cause?  The rpm problem was only affecting the attempts to reinstall packages, not the original report.

Comment 15 Orion Poplawski 2011-02-24 03:39:00 UTC
[root@vmrawhide ~]# cat /selinux/policyvers
24[root@vmrawhide ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Comment 16 Daniel Walsh 2011-02-24 18:15:51 UTC
Well not an SELinux bug if rpm is causing the install to blow up.

Comment 17 Stephen Smalley 2011-02-24 18:25:50 UTC
The original report looked like there was no base.pp, which implies that the original install of the policy package failed too and we have an incomplete /etc/selinux/targeted/modules tree.

Comment 18 Orion Poplawski 2011-02-24 19:20:22 UTC
What is the evidence that it is an rpm problem that is causing the install to fail?  Certainly there are problems with the install (comment 8), but do we know what is causing it?

Comment 19 Daniel Walsh 2011-02-24 19:28:20 UTC
We have seen other bugs like this and it turned out to be a problem with RPM.

Comment 20 Miroslav Grepl 2011-02-24 22:04:47 UTC
Yes, this was the rpm problem which should be now fixed.

https://bugzilla.redhat.com/show_bug.cgi?id=678644

Comment 21 Orion Poplawski 2011-02-24 22:17:06 UTC
No, that was a separate issue.  yum reinstall hangs.  That was discovered in the process of debugging this issue, but I can't imagine it being related to the original problem of selinux getting messed up at install time.

Comment 22 Miroslav Grepl 2011-02-24 22:31:24 UTC
Well, you are right. The original problem was with "yum reinstall". But I believe the rpm issue also caused other issues with the policy.

Comment 23 Orion Poplawski 2011-02-25 15:00:26 UTC
In the VT2 terminal during the install, sestatus is fine (policy 24).  Run in %post, I get:

+ cat /selinux/policyvers
cat: /selinux/policyvers: No such file or directory
sestatus
+ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   unknown (No such file or directory)
Mode from config file:          enforcing
Policy version:                 15
Policy from config file:        targeted

Does /selinux need to be in the chroot?  Anaconda issue?

Comment 24 Stephen Smalley 2011-02-25 15:20:18 UTC
That's interesting.  load_policy would need /selinux to be mounted in order to work.  If we're installing in a chroot though, I'd think that we wouldn't want to perform the policy load at that time and thus should be using semodule -n.

Comment 25 Orion Poplawski 2011-02-26 00:08:38 UTC
Confirmed that F15 anaconda does not mount /mnt/sysimage/selinux, which is causing the above selinux install issues.
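
An added example, not part of the original thread or of anaconda: the condition confirmed in comment 25 can be checked from the installer environment by looking for a selinuxfs entry under the target root in a /proc/mounts-format table. The mount tables below are constructed, and the rule of passing semodule -n when no such entry is found is an assumption based on comment 24.

```shell
#!/bin/sh
# Added example: not anaconda, rpm or libsemanage code.

# Print the selinuxfs mount point located under ROOT ($1), reading a
# /proc/mounts-format file ($2, default /proc/mounts). Returns 1 if none.
selinuxfs_mountpoint() {
    root=${1%/}                 # "/mnt/sysimage/" -> "/mnt/sysimage"; "/" -> ""
    mounts=${2:-/proc/mounts}
    while read -r dev mnt fstype rest; do
        [ "$fstype" = selinuxfs ] || continue
        case "$mnt" in
            "$root"/*) printf '%s\n' "$mnt"; return 0 ;;
        esac
    done < "$mounts"
    return 1
}

# Print semodule arguments for installing module $3 into ROOT ($1).
# Assumption for this sketch: add -n (no policy reload, comment 24)
# whenever selinuxfs is not mounted under ROOT.
semodule_install_args() {
    if selinuxfs_mountpoint "$1" "$2" >/dev/null; then
        printf '%s\n' "-i $3"
    else
        printf '%s\n' "-n -i $3"
    fi
}

# Constructed mount tables as seen from the installer environment.
sample_mounts_broken() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
selinuxfs /selinux selinuxfs rw,relatime 0 0
/dev/sda2 /mnt/sysimage ext4 rw,seclabel 0 0
proc /mnt/sysimage/proc proc rw 0 0
EOF
}
sample_mounts_fixed() {
    sample_mounts_broken
    echo 'selinuxfs /mnt/sysimage/selinux selinuxfs rw,relatime 0 0'
}

tmp=$(mktemp)
for state in broken fixed; do
    "sample_mounts_$state" > "$tmp"
    echo "$state: semodule $(semodule_install_args /mnt/sysimage "$tmp" /usr/share/selinux/packages/gcl/gcl.pp)"
done
rm -f "$tmp"
```
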

Comment 26 Brian Lane 2011-02-26 01:46:03 UTC
This may be related to commit ae30136b9a1b8657d724e5abf56736ef201ecaf4 where /selinux mounting was moved to storage.

Comment 27 David Lehman 2011-02-26 04:41:23 UTC
Please attach the installer's logs. If your install has completed and you've rebooted into the installed system, they'll be here:

 /var/log/anaconda/anaconda.log
 /var/log/anaconda/anaconda.storage.log
 /var/log/anaconda/anaconda.program.log
 /var/log/anaconda/anaconda.syslog

If you're still in the installer, in the shell on vt2, they'll be here:

 /tmp/anaconda.log
 /tmp/storage.log
 /tmp/program.log
 /tmp/syslog

Please attach them individually -- not as a tarball. Thanks.

Comment 28 Orion Poplawski 2011-02-26 15:14:55 UTC
Created attachment 481153
anaconda.log

Comment 29 Orion Poplawski 2011-02-26 15:18:46 UTC
Created attachment 481154
program.log

Comment 30 Orion Poplawski 2011-02-26 15:20:02 UTC
Created attachment 481155
storage.log

Comment 31 Orion Poplawski 2011-02-26 15:20:37 UTC
Created attachment 481156
syslog

Comment 32 David Lehman 2011-02-28 19:08:03 UTC
Thanks. I have a patch that I have verified in local testing. I will post it for review later today and am proposing this as an F15Beta blocker NTH.

Comment 33 David Lehman 2011-03-08 20:06:40 UTC
*** Bug 681663 has been marked as a duplicate of this bug. ***

Comment 34 David Lehman 2011-03-09 19:07:35 UTC
Fixed for Fedora 15 in anaconda-15.22-1.

Comment 35 Fedora Update System 2011-03-09 21:55:27 UTC
anaconda-15.22-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/anaconda-15.22-1.fc15

Comment 36 James Laska 2011-03-11 19:40:23 UTC
Discussed at 2011-03-11 blocker review meeting.  This issue is fixed and available for testing in anaconda-15.22-1.  The issue has been accepted as a beta blocker.

Comment 37 Fedora Update System 2011-03-16 04:06:04 UTC
anaconda-15.22-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.