| Summary: | makedb refuses to write nss db files if selinux is disabled | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert Kennedy <rt> | ||||
| Component: | glibc | Assignee: | Jeff Law <law> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 16 | CC: | fweimer, jakub, law, schwab | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | glibc-2.14.90-21 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-12-10 20:08:10 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
|
||||||
glibc-2.14.90-15.1 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/glibc-2.14.90-15.1 I have tested the updated RPMs and they fix the issue. Thanks! Package glibc-2.14.90-15.1: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing glibc-2.14.90-15.1' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-15723 then log in and leave karma (feedback). Package glibc-2.14.90-15.2: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing glibc-2.14.90-15.2' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-15723 then log in and leave karma (feedback). This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. Package glibc-2.14.90-16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing glibc-2.14.90-16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-15723 then log in and leave karma (feedback). glibc-2.14.90-18 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/glibc-2.14.90-18 Somewhere between 2.14.90-15.1 and 2.14.90-18 the makedb fix seems to have been lost? Any more explanation on this change? * Tue Nov 15 2011 Jeff Law <law> - 2.14.90-17 Revert bogus commits/rebasing of Nov 14, Nov 11 and Nov 8. Sources should be equivalent to Fedora 16's initial release. All the commits for -15 & -16 were reverted as they were causing a multitude of problems. -17 should have been exactly as F16 GA, so any fixes from -15 & -16 were expected to be lost. -18 added a locale fix, mostly so I could get more familiar with certain processes. -19 & -20 add fixes for malloc problems. A large part of the problem was Andreas kept rebasing to the master glibc development sources instead of applying targeted bugfixes. This led to incredible instability. Furthermore, Andreas wasn't communicating well with other developers and the overall community. This ultimately led to FESCO revoking his commit privileges to Fedora. Unfortunately Andreas has largely refused to communicate after the FESCO decision and I'm not terribly familiar with the glibc code base. This means it's going to take a little time for me to figure out what patch fixed this bug, then get that fix into an update. If you wanted to extract that fix (and any subsequent updates to the fix) it'd be a great help. I've moved the bug back into a NEW state so that it's clear the bug still needs to be addressed. jeff Created attachment 538632 [details]
Upstream patch for makedb.c to prevent makedb from failing when selinux is disabled
From glibc commit 3d7ba52b68e4dc5c4d3eb19de436c66ed9bb2f0d
Thanks, that's a big help. I'll review it and hopefully include it in -21. jeff glibc-2.14.90-21 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/glibc-2.14.90-21 Package glibc-2.14.90-21: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing glibc-2.14.90-21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-16665/glibc-2.14.90-21 then log in and leave karma (feedback). glibc-2.14.90-21 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: If SELinux is disabled, makedb cannot write the /var/db/*.db files used by nss_db. Looking at the makedb.c code it looks like this bit: /* Check if SELinux is enabled, and remember. */ if (enabled == 0) enabled = is_selinux_enabled (); if (enabled < 0) return; Needs to instead return if (enabled < 1). Otherwise it goes on to get a -1 from security_getenforce(), which makes enforcing=1 here: enforcing = security_getenforce () ? 1 : -1; And 'enforcing' is the only thing checked before trying to set the security context for the file write. Version-Release number of selected component (if applicable): glibc-2.14.90-14.x86_64 How reproducible: Always Steps to Reproduce: 1. Disable selinux 2. cd /var/db; make Actual results: passwd... makedb: cannot set file creation context for `/var/db/passwd.db' make: *** [/var/db/passwd.db] Error 1 Expected results: passwd... done. Additional info: