Bug 853456

We will need to backport stap-server policy to F17.

Lukas,
any chance you could test in on F18 or I could build F17 stapserver policy for you to testing.

Hey Miroslav,

I've installed a F18 VM and yum install systemtap-server. (rpm -qa | grep output attached at the end)

[lberk@localhost:~]$ stap-server start
Starting stap-server -a "x86_64" -r "3.6.0-0.rc2.git2.1.fc18.x86_64" -u "lberk" --log "/var/log/stap-server/log"
/bin/stap-server: line 165: /var/log/stap-server/log: Permission denied
/bin/stap-server: line 864: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 865: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 875: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 876: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 877: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 878: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 879: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 880: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 881: /var/run/stap-server/3546.stat: Permission denied
/bin/stap-server: line 165: /var/log/stap-server/log: Permission denied
                                                           [  OK  ]
However, 
[lberk@localhost:~]$ stap-server status
No managed stap-server is running

Trying to start the stap-server with sudo/su - fails as expected
Sep 4 15:52:34: Starting stap-server -a "x86_64" -r "3.6.0-0.rc2.git2.1.fc18.x86_64" -u "root" --log "/var/log/stap-server/log"
Tue Sep  4 15:52:34 2012: For security reasons, invocation of stap-serverd as root is not supported.

[lberk@localhost:~]$ ls -Z /var/run/ | grep stap
drwxr-xr-x. root    root     unconfined_u:object_r:stapserver_var_run_t:s0 stap-server

grep'ing through /var/log/audit/audit.log I find:

type=ADD_USER msg=audit(1346784286.359:434): pid=31164 uid=0 auid=1000 ses=5 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'

[lberk@localhost:~]$ rpm -qa | grep systemtap
systemtap-2.0-0.2.git10c737f.fc18.x86_64
systemtap-devel-2.0-0.2.git10c737f.fc18.x86_64
systemtap-client-2.0-0.2.git10c737f.fc18.x86_64
systemtap-server-2.0-0.2.git10c737f.fc18.x86_64
systemtap-runtime-2.0-0.2.git10c737f.fc18.x86_64
systemtap-sdt-devel-2.0-0.1.git10c737f.fc18.x86_64

[lberk@localhost:~]$ rpm -qa | grep selinux
selinux-policy-devel-3.11.1-7.fc18.noarch
libselinux-devel-2.1.11-6.fc18.x86_64
selinux-policy-targeted-3.11.1-7.fc18.noarch
libselinux-2.1.11-6.fc18.x86_64
libselinux-python-2.1.11-6.fc18.x86_64
selinux-policy-3.11.1-7.fc18.noarch
libselinux-utils-2.1.11-6.fc18.x86_64

Does it work in permissive mode?

# setenforce 0

Looks like its working on F18, I needed to run #service stap-server start

I checked this was the case by running:

$ getenforce
Enforcing

# yum erase systemtap-*

# userdel stap-server

# yum install systemtap-*

# service stap-server start
Starting stap-server -a "x86_64" -r "3.6.0-0.rc2.git2.1.fc18.x86_64" -u "stap-server" --log "/var/log/stap-server/log"
                                                           [  OK  ]
$ stap-server status
stap-server -a "x86_64" -r "3.6.0-0.rc2.git2.1.fc18.x86_64" -u "stap-server" -n "1727" --log "/var/log/stap-server/log" running as PID 1727

Ok, so is it working in permissive mode on F17?

Permissive mode works of F17.  I was looking at back porting the systemtap specific portions of commits

3bbc9bb5a88522f75e1603856a7afe520ee4b18f
3da13de0318a6d6addffc12537776768c89050d5

Could you please confirm those are the correct commits and are there any others I should be looking at?

Ok, I added stapserver policy from F18.

selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17

Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

I still seem to be hitting this issue on a newer policy version: 

$ sudo yum install systemtap-server 
# systemtap-server.x86_64 0:1.8-5.fc17  

$ rpm -qa selinux-policy*
selinux-policy-devel-3.10.0-156.fc17.noarch
selinux-policy-3.10.0-156.fc17.noarch
selinux-policy-targeted-3.10.0-156.fc17.noarch

The AVC message is - 
SELinux is preventing /usr/sbin/useradd from write access on the directory /var/lib.

Source Context                unconfined_u:system_r:useradd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib [ dir ]
Source                        useradd
Source Path                   /usr/sbin/useradd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           shadow-utils-4.1.4.3-14.fc17.x86_64
Target RPM Packages           filesystem-3-2.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.6.2-4.fc17.x86_64 #1
                              SMP Wed Oct 17 02:43:21 UTC 2012 x86_64 x86_64

There is opened bug for this

#863832