Bug 1098728 - selinux prevents installing to ~/bin
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: libselinux
Version: 20
Hardware: x86_64
OS: Linux
unspecified
medium
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-05-17 18:58 UTC by RIchard Gladman
Modified: 2015-06-29 20:40 UTC (History)

Last Closed: 2015-06-29 20:40:36 UTC


Attachments
This patch will make file_context.*.bin match the permissions of the source (1.48 KB, patch)
2014-08-18 13:10 UTC, Daniel Walsh

Description RIchard Gladman 2014-05-17 18:58:29 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140427 Firefox/24.0 PaleMoon/24.5.0

It looks like there may be a permissions issue with some of the context files such as /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin



Reproducible: Always

Steps to Reproduce:

Clean install from the Fedora Xfce 64 bit live iso using VirtualBox
First boot with no updates

Code:

rpm -q libselinux
libselinux-2.1.13-19.fc20.x86_64

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

cd /etc/selinux/targeted/contexts/files
ls -l

-rw-r--r--. 1 root root 340180 Dec  2 14:33 file_contexts
-rw-r--r--. 1 root root  12198 Dec  2 14:33 file_contexts.homedirs
-rw-r--r--. 1 root root      0 Dec  2 14:33 file_contexts.local
-rw-r--r--. 1 root root      0 Dec  2 14:32 file_contexts.subs
-rw-r--r--. 1 root root    314 Dec  2 14:32 file_contexts.subs_dist
-rw-r--r--. 1 root root    139 Dec  2 14:32 media


Looks OK...

Code:

cd ~
mkdir bin


cd -
ls -l

-rw-r--r--. 1 root root 340180 Dec  2 14:33 file_contexts
-rw-r--r--. 1 root root  12198 Dec  2 14:33 file_contexts.homedirs
-rw-r--r--. 1 root root      0 Dec  2 14:33 file_contexts.local
-rw-r--r--. 1 root root      0 Dec  2 14:32 file_contexts.subs
-rw-r--r--. 1 root root    314 Dec  2 14:32 file_contexts.subs_dist
-rw-r--r--. 1 root root    139 Dec  2 14:32 media


No change to files here
Code:

sudo yum update

Reboot

Code:

cd /etc/selinux/targeted/contexts/files/
ls -l

-rw-r--r--. 1 root root  352642 May 17 18:25 file_contexts
-rw-------. 1 root root 1365943 May 17 18:25 file_contexts.bin
-rw-r--r--. 1 root root   12625 May 17 18:25 file_contexts.homedirs
-rw-------. 1 root root   44976 May 17 18:25 file_contexts.homedirs.bin
-rw-r--r--. 1 root root       0 Apr 25 13:21 file_contexts.local
-rw-------. 1 root root      16 May 17 18:25 file_contexts.local.bin
-rw-r--r--. 1 root root       0 Apr 25 13:21 file_contexts.subs
-rw-r--r--. 1 root root     381 Apr 25 13:21 file_contexts.subs_dist
-rw-r--r--. 1 root root     139 Apr 25 13:21 media


Looking a bit more interesting... and looks buggy... Time to grab the software

Code:

Install wget
sudo yum install wget

cd ~/Downloads
wget http://downloads.activestate.com/Kom...-x86_64.tar.gz
tar -xvzf Komodo-Edit-8.5.3-14067-linux-x86_64.tar.gz
cd Komodo-Edit-8.5.3-14067-linux-x86_64/
./install.sh
Enter ~/bin/komodo when asked for the directory


Install directory: ~/bin/komodo

install: error: [Errno 13] Permission denied: '/etc/selinux/targeted/contexts/files/file_contexts.bin'


Reset install
Code:

rm ~/Desktop/komodo-edit-8.desktop
rm -rf ~/bin/komodo

Be careful with that last one

Let's reset the permissions and try the install again.

Code:

cd /etc/selinux/targeted/contexts/files/
sudo chmod 0744 *

ls -l

-rwxr--r--. 1 root root  352642 May 17 18:25 file_contexts
-rwxr--r--. 1 root root 1365943 May 17 18:25 file_contexts.bin
-rwxr--r--. 1 root root   12625 May 17 18:25 file_contexts.homedirs
-rwxr--r--. 1 root root   44976 May 17 18:25 file_contexts.homedirs.bin
-rwxr--r--. 1 root root       0 Apr 25 13:21 file_contexts.local
-rwxr--r--. 1 root root      16 May 17 18:25 file_contexts.local.bin
-rwxr--r--. 1 root root       0 Apr 25 13:21 file_contexts.subs
-rwxr--r--. 1 root root     381 Apr 25 13:21 file_contexts.subs_dist
-rwxr--r--. 1 root root     139 Apr 25 13:21 media

cd ~/Downloads/Komodo-Edit-8.5.3-14067-linux-x86_64/
./install.sh

Enter ~/bin/komodo for the directory


Install directory: ~/bin/komodo


Actual Results:  
Until the permissions are updated the software installation fails with an error

Expected Results:  
The software should have installed.

The error still seems to happen whether selinux is enabled or disabled

Comment 1 Richard J. Turner 2014-07-31 16:18:31 UTC
I've just encountered exactly the same issue, oddly enough also attempting to install Komodo IDE.

Thanks for the detailed bug report; I was easily able to install the software by following your instructions.

Comment 2 Daniel Walsh 2014-08-06 21:35:37 UTC
Is the Komodo IDE doing some kind of semanage command or setsebool when you install it?

I wonder if it has something to do with the umask you are running with when running these commands.

Comment 3 Richard J. Turner 2014-08-08 10:09:25 UTC
My umask was set to 0022.

install.sh invokes a Python script, which does make use of an SELinux lib (written by ActiveState). I haven't trawled through the code to see what it does (I'm not very fluent in Python). So, probably this is a Komodo bug, not a Fedora one.

Is it worth me attaching these Python scripts for someone to review?

Comment 4 Daniel Walsh 2014-08-16 10:47:12 UTC
# umask
0022
# semanage fcontext -a -t etc_t /dan
# ls -lZ /etc/selinux/targeted/contexts/files/file_contexts*bin
-rw-------. 1 root root staff_u:object_r:file_context_t:s0 1396370 Aug 16 06:45 /etc/selinux/targeted/contexts/files/file_contexts.bin
-rw-------. 1 root root staff_u:object_r:file_context_t:s0  182739 Aug 16 06:45 /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin
-rw-------. 1 root root staff_u:object_r:file_context_t:s0    1916 Aug 16 06:45 /etc/selinux/targeted/contexts/files/file_contexts.local.bin

No it is a umask problem.

We need to change libselinux to override the mask.

Comment 5 Daniel Walsh 2014-08-18 13:10:39 UTC
Created attachment 927881 [details]
This patch will make file_context.*.bin match the permissions of the source
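
The fix direction named in comments 4 and 5 (give the generated `.bin` file the source file's permissions regardless of the umask), as an added C example that is not the attached patch and not libselinux code. It assumes the generated file is written through a `mkstemp()` temp file, which the report does not state; `build_derived` and the demo paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build dst from src through a temp file (a plain copy stands in for the
 * real compile step). match_source == 0 leaves mkstemp()'s 0600 mode;
 * otherwise dst gets src's permission bits. Returns dst's mode or -1. */
int build_derived(const char *src, const char *dst, int match_source)
{
    struct stat st;
    char tmp[4096], buf[4096];
    ssize_t n;
    int in, out, mode = -1;

    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    snprintf(tmp, sizeof tmp, "%sXXXXXX", dst);
    if (fstat(in, &st) == 0 && (out = mkstemp(tmp)) >= 0) {
        while ((n = read(in, buf, sizeof buf)) > 0 && write(out, buf, (size_t)n) == n)
            ;
        /* fchmod() is not filtered by the umask, so it overrides it. */
        if (n == 0 && (!match_source || fchmod(out, st.st_mode & 0777) == 0) &&
            rename(tmp, dst) == 0 && fstat(out, &st) == 0)
            mode = (int)(st.st_mode & 0777);
        else
            unlink(tmp);
        close(out);
    }
    close(in);
    return mode;
}

int main(void)
{
    char dir[] = "/tmp/fcdemoXXXXXX", src[64], dst[64]; /* constructed paths */
    int fd;
    if (!mkdtemp(dir))
        return 1;
    snprintf(src, sizeof src, "%s/file_contexts", dir);
    snprintf(dst, sizeof dst, "%s/file_contexts.bin", dir);
    if ((fd = open(src, O_WRONLY | O_CREAT, 0644)) < 0 || fchmod(fd, 0644) < 0)
        return 1;
    close(fd);
    printf("temp-file default: %04o\n", (unsigned)build_derived(src, dst, 0));
    printf("matched to source: %04o\n", (unsigned)build_derived(src, dst, 1));
    return 0;
}
```

With a 0644 source, the first call leaves the derived file at 0600 (unreadable to non-root callers, as in the listings above) and the second leaves it at 0644.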

Comment 6 RIchard Gladman 2014-08-18 13:20:09 UTC
I also reported this to ActiveState so they would be aware of the issue and hopefully fix anything needing fixing at their end.

Comment 7 Fedora End Of Life 2015-05-29 11:52:35 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Fedora End Of Life 2015-06-29 20:40:36 UTC
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

