Bug 863832
| Summary: | selinux policy prevents rpm from creating directory in /var/lib/ | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Frank Ch. Eigler <fche> |
| Component: | systemtap | Assignee: | Frank Ch. Eigler <fche> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 18 | CC: | dominick.grift, dsmith, dwalsh, fche, jistone, lberk, mgrepl, mjw, nathans, philip, scox, wcohen |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 853456 | Environment: | |
| Last Closed: | 2013-09-27 13:37:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 798036, 853456 | ||
| Bug Blocks: | 828606 | ||
|
Description
Frank Ch. Eigler
2012-10-07 19:20:18 UTC
What does # ls -dZ /var/lib/stap-server # matchpathcon /var/lib/stap-server This is after the "setenforce 0" reinstallation; it looks OK. (Before the "setenforce 0", no directory was created at all.) # ls -dZ /var/lib/stap-server drwxr-xr-x. stap-server stap-server system_u:object_r:stapserver_var_lib_t:s0 /var/lib/stap-server # matchpathcon /var/lib/stap-server /var/lib/stap-server system_u:object_r:stapserver_var_lib_t:s0 /var/lib/stap-server should be in the payload of systemtap, and then rpm would have created and labelled this correctly. OK, we can try that. Can this be fixed from the selinux side too? Yes we have added a fix for this in SELinux policy also. But all packages should own the directories they use. Dan, just checking if you know off the top of your head, does this create a chicken-egg problem for rpm? If the /var/lib/stap-server %dir is included in %files, but is owned by a userid that doesn't exist until the rpm %pre script, which failed (perhaps) because of the missing %dir, how does that work? Apache has a similar problem, but they do
%pre
# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 \
-s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || :
%files
%attr(0710,root,apache) %dir /run/httpd
%attr(0700,root,root) %dir %{_localstatedir}/log/httpd
%attr(0700,apache,apache) %dir %{_localstatedir}/lib/dav
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
Daniel, we have had a report of this problem reappearing with the systemtap-2.1-1.f18 builds, even though they include the %dir as discussed in comment #3. It appears that selinux is still blocking, despite the directory being included as an rpm payload, and with the correct ownership/permission. I'm still seeing basically this in f18 with latest update.
useradd: cannot create directory /var/lib/stap-server
Installing : systemtap-server-2.1-1.fc18.x86_64 1/1
warning: user stap-server does not exist - using root
warning: user stap-server does not exist - using root
runuser: user stap-server does not exist
As per previous comments, setting selinux to Permissive avoids the issue.
Here's some of the other details:
# tail /var/log/audit/audit.log
type=ADD_USER msg=audit(1362590329.176:376): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1362590329.186:377): avc: denied { write } for pid=8744 comm="useradd" name="lib" dev="sda3" ino=2621442 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1362590329.186:377): arch=c000003e syscall=83 success=no exit=-13 a0=7fff2d9d6844 a1=0 a2=7f9451a61758 a3=6165726373662f72 items=0 ppid=8741 pid=8744 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1362590329.186:378): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1362590329.186:379): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1362590329.435:380): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=991 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1362590329.445:381): avc: denied { write } for pid=8745 comm="useradd" name="lib" dev="sda3" ino=2621442 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1362590329.445:381): arch=c000003e syscall=83 success=no exit=-13 a0=7fff618c2844 a1=0 a2=7f83c98f0758 a3=6165726373662f72 items=0 ppid=8741 pid=8745 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1362590329.445:382): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=991 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1362590329.445:383): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
# ls -dZ /var/lib/stap-server
drwxr-x---. stap-server stap-server system_u:object_r:stapserver_var_lib_t:s0 /var/lib/stap-server
# matchpathcon /var/lib/stap-server
/var/lib/stap-server system_u:object_r:stapserver_var_lib_t:s0
Note that the systemtap spec file, until a commit made a moment ago, still used # useradd -c .. -u .. -g .. -d /var/lib/stap-server -m -r -s ... stap-server Note the -m. Perhaps useradd is being run before the %dir directive created the directory, and thus the %dir stuff from comment #3 was moot, so selinux still needs to help permit this mkdir. This -m is removed with and upstream stap commit, as another step in the workarounds for this problem. Is useradd run in the preinstall? BTW I installed this on F19 without a problem (In reply to comment #11) > Is useradd run in the preinstall? Yes (the %pre section of the -server subrpm). Which means the -m could and would cause this problem. We have this problem fixed in rawhide since we are no longer transitioning from rpm_script_t to useradd, but would have a hard time fixing this in older releases. systemtap v2.2+ include the "no -m" fix commit 7734bd4f. |