Bug 853456
| Field | Value |
|---|---|
| Summary | selinux policy prevents rpm from creating directory in /var/lib/ |
| Product | [Fedora] Fedora |
| Reporter | Lukas Berk <lberk> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 17 |
| CC | dominick.grift, dwalsh, fche, gmurphy, mgrepl, philip |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.7.19-163.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | 798036 |
| | 863832 |
| Environment | |
| Last Closed | 2012-09-21 23:59:51 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 798036 |
| Bug Blocks | 828606, 863832 |
Comment 1
Miroslav Grepl
2012-09-03 08:09:21 UTC
Hey Miroslav, I've installed a F18 VM and yum install systemtap-server. (rpm -qa | grep output attached at the end)

    [lberk@localhost:~]$ stap-server start
    Starting stap-server -a "x86_64" -r "3.6.0-0.rc2.git2.1.fc18.x86_64" -u "lberk" --log "/var/log/stap-server/log"
    /bin/stap-server: line 165: /var/log/stap-server/log: Permission denied
    /bin/stap-server: line 864: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 865: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 875: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 876: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 877: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 878: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 879: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 880: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 881: /var/run/stap-server/3546.stat: Permission denied
    /bin/stap-server: line 165: /var/log/stap-server/log: Permission denied
    [ OK ]

However,

    [lberk@localhost:~]$ stap-server status
    No managed stap-server is running

Trying to start the stap-server with sudo/su - fails as expected

    Sep 4 15:52:34: Starting stap-server -a "x86_64" -r "3.6.0-0.rc2.git2.1.fc18.x86_64" -u "root" --log "/var/log/stap-server/log"
    Tue Sep 4 15:52:34 2012: For security reasons, invocation of stap-serverd as root is not supported.

    [lberk@localhost:~]$ ls -Z /var/run/ | grep stap
    drwxr-xr-x. root root unconfined_u:object_r:stapserver_var_run_t:s0 stap-server

grep'ing through /var/log/audit/audit.log I find:

    type=ADD_USER msg=audit(1346784286.359:434): pid=31164 uid=0 auid=1000 ses=5 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'

    [lberk@localhost:~]$ rpm -qa | grep systemtap
    systemtap-2.0-0.2.git10c737f.fc18.x86_64
    systemtap-devel-2.0-0.2.git10c737f.fc18.x86_64
    systemtap-client-2.0-0.2.git10c737f.fc18.x86_64
    systemtap-server-2.0-0.2.git10c737f.fc18.x86_64
    systemtap-runtime-2.0-0.2.git10c737f.fc18.x86_64
    systemtap-sdt-devel-2.0-0.1.git10c737f.fc18.x86_64

    [lberk@localhost:~]$ rpm -qa | grep selinux
    selinux-policy-devel-3.11.1-7.fc18.noarch
    libselinux-devel-2.1.11-6.fc18.x86_64
    selinux-policy-targeted-3.11.1-7.fc18.noarch
    libselinux-2.1.11-6.fc18.x86_64
    libselinux-python-2.1.11-6.fc18.x86_64
    selinux-policy-3.11.1-7.fc18.noarch
    libselinux-utils-2.1.11-6.fc18.x86_64

Does it work in permissive mode?

    # setenforce 0

Looks like it's working on F18, I needed to run

    # service stap-server start

I checked this was the case by running:

    $ getenforce
    Enforcing
    # yum erase systemtap-*
    # userdel stap-server
    # yum install systemtap-*
    # service stap-server start
    Starting stap-server -a "x86_64" -r "3.6.0-0.rc2.git2.1.fc18.x86_64" -u "stap-server" --log "/var/log/stap-server/log"
    [ OK ]
    $ stap-server status
    stap-server -a "x86_64" -r "3.6.0-0.rc2.git2.1.fc18.x86_64" -u "stap-server" -n "1727" --log "/var/log/stap-server/log" running as PID 1727

Ok, so is it working in permissive mode on F17?

Permissive mode works on F17. I was looking at back porting the systemtap specific portions of commits

    3bbc9bb5a88522f75e1603856a7afe520ee4b18f
    3da13de0318a6d6addffc12537776768c89050d5

Could you please confirm those are the correct commits and are there any others I should be looking at?

Ok, I added stapserver policy from F18.

selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17

Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

I still seem to be hitting this issue on a newer policy version:

    $ sudo yum install systemtap-server
    # systemtap-server.x86_64 0:1.8-5.fc17
    $ rpm -qa selinux-policy*
    selinux-policy-devel-3.10.0-156.fc17.noarch
    selinux-policy-3.10.0-156.fc17.noarch
    selinux-policy-targeted-3.10.0-156.fc17.noarch

The AVC message is -

    SELinux is preventing /usr/sbin/useradd from write access on the directory /var/lib.
    Source Context        unconfined_u:system_r:useradd_t:s0-s0:c0.c1023
    Target Context        system_u:object_r:var_lib_t:s0
    Target Objects        /var/lib [ dir ]
    Source                useradd
    Source Path           /usr/sbin/useradd
    Port                  <Unknown>
    Host                  localhost.localdomain
    Source RPM Packages   shadow-utils-4.1.4.3-14.fc17.x86_64
    Target RPM Packages   filesystem-3-2.fc17.x86_64
    Policy RPM            selinux-policy-3.10.0-156.fc17.noarch
    Selinux Enabled       True
    Policy Type           targeted
    Enforcing Mode        Enforcing
    Host Name             localhost.localdomain
    Platform              Linux localhost.localdomain 3.6.2-4.fc17.x86_64 #1 SMP Wed Oct 17 02:43:21 UTC 2012 x86_64 x86_64

There is an open bug for this #863832
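The thread is diagnosed from two kinds of audit records: the raw `type=ADD_USER ... res=failed` line grepped out of /var/log/audit/audit.log, and the setroubleshoot summary of useradd_t being denied write on the var_lib_t directory. As an added example (not part of this bug report, of systemtap or of the selinux-policy package), the Python script below parses a few raw audit.log lines in that format, groups AVC denials by source type, target type, class and permission, ties each failed account operation to the denials recorded for the same PID, and renders the `allow` rule that audit2allow would propose so a maintainer can judge whether the fix belongs in a policy module (as it did here, via the stapserver policy) rather than in a local rule. The ADD_USER record and both security contexts are copied from the thread; the AVC line, its device, inode and the second ADD_USER record are constructed for the example.

```python
"""Summarize SELinux denials and failed account operations from audit.log text.

Added example for this bug thread; it is not the reporter's code nor part of
selinux-policy.  The ADD_USER record and the contexts come from the thread; the
AVC line, dev/ino values and the 'builder' record are constructed.
"""
import re
from collections import defaultdict

# Constructed excerpt of /var/log/audit/audit.log (see note above).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1346784286.351:433): avc:  denied  { write } for  pid=31164 comm="useradd" name="lib" dev="dm-0" ino=1234 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=ADD_USER msg=audit(1346784286.359:434): pid=31164 uid=0 auid=1000 ses=5 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1346790000.100:500): pid=31200 uid=0 auid=1000 ses=5 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="builder" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
"""

# key=value pairs; values may be double-quoted, single-quoted or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
# The permission set of a kernel AVC record: avc:  denied  { write } for ...
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
# shadow-utils writes op= values containing spaces ("adding user"), so the
# generic field regex would truncate them; grab everything up to the next key.
OP_RE = re.compile(r'op=(.+?)\s+\w+=')


def parse_record(line):
    """Flatten one audit record into a dict; the msg='...' payload is parsed too."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    nested = fields.get("msg", "")
    if nested.startswith("'"):            # user-space record with its own key=value list
        inner = nested.strip("'")
        for key, value in FIELD_RE.findall(inner):
            fields[key] = value.strip('"')
        op = OP_RE.search(inner)
        if op:
            fields["op"] = op.group(1)
    perms = PERMS_RE.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return fields


def type_of(context):
    """Return the type component of user:role:type[:range]."""
    return context.split(":")[2]


def summarize(log_text):
    """Return (denial counts keyed by (stype, ttype, tclass, perm), failed account ops)."""
    denials = defaultdict(int)
    avc_by_pid = defaultdict(list)
    failed_ops = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") == "AVC" and "perms" in rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            for perm in rec["perms"]:
                denials[key + (perm,)] += 1
            avc_by_pid[rec.get("pid")].append(key)
        elif rec.get("type") in ("ADD_USER", "ADD_GROUP", "USER_MGMT") and rec.get("res") == "failed":
            failed_ops.append({
                "op": rec.get("op"),
                "acct": rec.get("acct"),
                "exe": rec.get("exe"),
                "pid": rec.get("pid"),
                # Denials logged by the same process are the usual cause of res=failed.
                "related_denials": avc_by_pid.get(rec.get("pid"), []),
            })
    return dict(denials), failed_ops


def candidate_rules(denials):
    """Render denials as the allow rules audit2allow would propose (for review, not blind use)."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        grouped[(stype, ttype, tclass)].add(perm)
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in grouped.items())


if __name__ == "__main__":
    found, failed = summarize(SAMPLE_AUDIT_LOG)
    for key, count in sorted(found.items()):
        print("denied %dx: %s -> %s:%s %s" % ((count,) + key))
    for op in failed:
        print("failed %s %r by %s (pid %s), related: %s"
              % (op["op"], op["acct"], op["exe"], op["pid"], op["related_denials"]))
    for rule in candidate_rules(found):
        print("would need:", rule)
```

Run against a real log with `summarize(open("/var/log/audit/audit.log").read())`; the `related_denials` field is what distinguishes a policy gap like this one (a denial on the same PID as the failed ADD_USER) from a plain permission or quota failure, and the rendered rule shows how broad the grant would be before anyone considers loading it.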