Bug 856506

Summary: rhts selinux module fails to load on RHEL-6.0 Server (released)
Product: [Retired] Beaker
Reporter: Jan Stancek <jstancek>
Component: beah
Assignee: Amit Saha <asaha>
Status: CLOSED CURRENTRELEASE
QA Contact: Qixiang Wan <qwan>
Severity: unspecified
Priority: unspecified
Version: 0.9
CC: asaha, bpeck, dcallagh, ebaak, gozen, jbrier, jburke, kbaker, mishin, pbunyan, qwan, rmancy, skannan
Target Milestone: 0.11   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: SELinux
Doc Type: Bug Fix
Last Closed: 2013-01-17 04:34:11 UTC
Type: Bug

Description Jan Stancek 2012-09-12 07:47:23 UTC
Description of problem:
Beaker reports AVC errors on access to /mnt/testarea/ files, for example:

type=SYSCALL msg=audit(1347429444.519:21): arch=40000003 syscall=11 success=yes exit=0 a0=9d78a00 a1=9d782c8 a2=9d77918 a3=9d782c8 items=0 ppid=1945 pid=1946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347429444.519:21): avc:  denied  { append } for  pid=1946 comm="semodule" path="/mnt/testarea/TESTOUT.log" dev=dm-0 ino=920733 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
type=AVC msg=audit(1347429444.519:21): avc:  denied  { append } for  pid=1946 comm="semodule" path="/mnt/testarea/selinux.log" dev=dm-0 ino=920746 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file

Problem is that rhts selinux module is not loaded:
# semodule -l | grep rhts

# semodule -v -i /usr/share/selinux/packages/rhts/rhts.pp
Attempting to install module '/usr/share/selinux/packages/rhts/rhts.pp':
Ok: return value of 0.
Committing changes:
libsepol.permission_copy_callback: Module rhts depends on permission read_policy in class security, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Version-Release number of selected component (if applicable):
rhts-test-env-4.51-1.el6eng.noarch

How reproducible:
100%

Steps to Reproduce:
1. install RHEL 6.0 released

Actual results:
rhts selinux module not loaded

Expected results:
rhts selinux module loaded, no AVCs in /distribution/install

Additional info:
Based on executed history, it likely started in early August 2012.
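
Added example (not part of the original report and not Beaker or rhts code): a small Python triage script that parses the two AVC records quoted in the description and groups the denials by source type, target type, object class and permission. The function names and regular expressions are this example's own assumptions about the audit line layout shown above.

```python
import re

# The two AVC records quoted in the report (the SYSCALL record is omitted here).
SAMPLE = r'''
type=AVC msg=audit(1347429444.519:21): avc:  denied  { append } for  pid=1946 comm="semodule" path="/mnt/testarea/TESTOUT.log" dev=dm-0 ino=920733 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
type=AVC msg=audit(1347429444.519:21): avc:  denied  { append } for  pid=1946 comm="semodule" path="/mnt/testarea/selinux.log" dev=dm-0 ino=920746 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial line; return None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),      # ties the AVC to its SYSCALL record
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Map (source type, target type, class, permission) -> set of denied paths."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["source"], rec["target"], rec["tclass"], perm)
            summary.setdefault(key, set()).add(rec["path"])
    return summary

if __name__ == "__main__":
    for (src, tgt, cls, perm), paths in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {perm} }}  paths: {sorted(paths)}")
```

On the records from this report, both denials collapse into a single group: semodule running as semanage_t appending to mnt_t files under /mnt/testarea.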

Comment 2 Nick Coghlan 2012-10-17 04:36:10 UTC
Bulk reassignment of issues as Bill has moved to another team.

Comment 3 Dan Callaghan 2012-10-29 05:49:26 UTC
The bug is actually that our pre-built SELinux policy for RHEL6 is named with a dist tag of 'el6eso' but our dist tag is now 'el6eng'. So the pre-compiled policy is not taking effect.

Comment 4 Amit Saha 2012-12-11 08:36:21 UTC
On Gerrit: http://gerrit.beaker-project.org/#/c/1552/

Comment 9 Qixiang Wan 2013-01-04 05:40:43 UTC
Verified with rhts-test-env-4.53-1.git.4.8f5e156.el6

rhts selinux policy is loaded successfully after system provision.

Comment 10 Dan Callaghan 2013-01-17 04:34:11 UTC
Beaker 0.11.0 has been released.