Description of problem:
Above error message when livecd-creator is about to exit to its chroot shell

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-85.fc21.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Build custom Xfce live DVD

Actual results:
rpm --verify selinux-policy-targeted shows "missing /etc/selinux/targeted/modules/active/modules/vbetool.pp"
Above error message

Expected results:
No errors or missing files

Additional info:
Can provide a kickstart file resulting in the problem.
I fixed the vbetool problem.

I see this type in rawhide policy:

seinfo -tsystemd_networkd_exec_t -x
   systemd_networkd_exec_t
      file_type
      exec_type
      entry_type
      non_security_file_type
      direct_init_entry
      non_auth_file_type

rpm -q selinux-policy
selinux-policy-3.13.1-85.fc22.noarch
It works for me on my F21. What does

# yum reinstall selinux-policy
Created attachment 947309 [details]
portion of livecd-creator chroot output

yum reinstall failed because there's no repository available in the livecd-creator chroot. I copied the rpm to INSTALL_ROOT from outside the shell. As this attachment shows, yum reinstall, pointing to this rpm, works normally.
With selinux-policy-targeted-3.13.1-86.fc21.noarch, I get:

rpm --verify selinux-policy-targeted-3.13.1-86.fc21.noarch gives "missing /etc/selinux/targeted/modules/active/modules/vbetool.pp", but rpm -ql selinux-policy-targeted-3.13.1-86.fc21.noarch shows it in the list!

grep -n networkd /etc/selinux/targeted/contexts/files/file_contexts gives:
2284:/var/run/systemd/netif(/.*)? system_u:object_r:systemd_networkd_var_run_t:s0
5502:/usr/lib/systemd/systemd-networkd -- system_u:object_r:systemd_networkd_exec_t:s0
5706:/usr/lib/systemd/system/systemd-networkd\.service system_u:object_r:systemd_networkd_unit_file_t:s0

Just before livecd-creator exits to the chroot shell, I now get:
"/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:systemd_networkd_var_run_t:s0"

Furthermore, I need the following .te files to allow me to log in to my custom live build:

$ cat kernel0000.te
module kernel0000 0.0.0.0;

require {
	type unconfined_t;
	type kernel_t;
	class process transition;
}

#============= kernel_t ==============
allow kernel_t unconfined_t:process transition;

bash-4.2$ cat login0000.te
module login0000 0.0.0.0;

require {
	type unconfined_t;
	type root_t;
	class file entrypoint;
}

#============= unconfined_t ==============
allow unconfined_t root_t:file entrypoint;

If I disable either, and try to log out and log in, I get an AVC alert. If that's a separate bug, I'm willing to file it as such.
selinux-policy-3.13.1-88.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-88.fc21
Package selinux-policy-3.13.1-88.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-88.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-88.fc21
then log in and leave karma (feedback).
I still have the problem with selinux-policy-3.13.1-88.fc21.noarch and selinux-policy-targeted-3.13.1-88.fc21.noarch: missing vbetool and invalid context message.
Package selinux-policy-3.13.1-90.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-90.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
then log in and leave karma (feedback).
Still have the problem with selinux-policy-3.13.1-91.fc21 in a custom live build. To reiterate:

1. rpm --verify selinux-policy complains about missing vbetool.pp. Also, trying to list the files in rpm -ql selinux-policy shows other missing files. Perhaps these are optional, hence not loaded.

2. In order to boot, I need two .te files. I install these during the build phase. If I disable either, I get a recommendation to reinstall and enable the same .te (diff shows only the name of the .te is different). I don't mind having to add these files, but I'd like to be sure using them would not create a security risk if I give my build to a final user. Here are the files I am using:

kernel0000.te:
module kernel0000 0.0.0.0;

require {
	type unconfined_t;
	type kernel_t;
	class process transition;
}

#============= kernel_t ==============
allow kernel_t unconfined_t:process transition;

login0000.te:
module login0000 0.0.0.0;

require {
	type unconfined_t;
	type root_t;
	class file entrypoint;
}

#============= unconfined_t ==============
allow unconfined_t root_t:file entrypoint;

3. To build, I used the following FC21 packages on a FC20 system. I think I got an unbootable DVD when I tried to use the FC20 versions, but I will carefully reinstall the FC20 versions and repeat the FC20 test. As this is a new system, I'd like to target FC21. The FC21's I had were:
python-imgcreate-21.3-1.fc21.x86_64
lorax-21.26-1.fc21.x86_64
syslinux-extlinux-nonlinux-6.03-1.fc21.noarch
syslinux-6.03-1.fc21.x86_64
pykickstart-1.99.63-2.fc21.noarch
syslinux-extlinux-6.03-1.fc21.x86_64
livecd-tools-21.3-1.fc21.x86_64
syslinux-nonlinux-6.03-1.fc21.noarch
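The "has invalid context" message in comments 5 and 9 arises when file_contexts names a type (here systemd_networkd_var_run_t) that the loaded policy does not define. The following is an added example, not code from this bug or from Fedora: a small checker that parses file_contexts entries and reports every context whose type is absent from a given set of policy types. The sample lines are constructed from the grep output quoted above, and KNOWN_TYPES is a constructed stand-in for the policy's type list.

```python
import re

# Constructed sample: the three entries quoted in this report (grep line numbers
# dropped), plus a comment, a blank line and a <<none>> entry for edge cases.
SAMPLE_FILE_CONTEXTS = """\
# file_contexts excerpt (constructed for this example)
/var/run/systemd/netif(/.*)?\tsystem_u:object_r:systemd_networkd_var_run_t:s0
/usr/lib/systemd/systemd-networkd\t--\tsystem_u:object_r:systemd_networkd_exec_t:s0

/usr/lib/systemd/system/systemd-networkd\\.service\tsystem_u:object_r:systemd_networkd_unit_file_t:s0
/proc\t-d\t<<none>>
"""

# Constructed stand-in for the loaded policy's types (on a real system, the
# output of `seinfo -t`). It deliberately lacks systemd_networkd_var_run_t,
# mirroring the mismatch reported above.
KNOWN_TYPES = {"systemd_networkd_exec_t", "systemd_networkd_unit_file_t"}

# user:role:type[:range]; type is the third colon-separated field.
CONTEXT_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<range>.+))?$")


def parse_file_contexts(text):
    """Return [(lineno, regex, filetype_or_None, context)], skipping comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:          # regex context
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:        # regex filetype context (e.g. "--", "-d")
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        entries.append((lineno, regex, ftype, ctx))
    return entries


def find_invalid_contexts(text, known_types):
    """Return [(lineno, regex, offending_type_or_context)] for entries the policy cannot validate."""
    bad = []
    for lineno, regex, _ftype, ctx in parse_file_contexts(text):
        if ctx == "<<none>>":         # explicit "do not relabel" marker, always valid
            continue
        m = CONTEXT_RE.match(ctx)
        if m is None:
            bad.append((lineno, regex, ctx))
        elif m.group("type") not in known_types:
            bad.append((lineno, regex, m.group("type")))
    return bad


if __name__ == "__main__":
    for lineno, regex, t in find_invalid_contexts(SAMPLE_FILE_CONTEXTS, KNOWN_TYPES):
        print(f"line {lineno}: {regex} references unknown type {t}")
```

On a real system, pass the contents of /etc/selinux/targeted/contexts/files/file_contexts and the type names from `seinfo -t` to find_invalid_contexts; a non-empty result is the condition that makes setfiles and livecd-creator report an invalid context.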
Created attachment 950727 [details]
see comment 9, point 1.
Created attachment 950728 [details]
audit.log resulting in kernel0000.te file for comment 9, point 2.
Created attachment 950729 [details]
audit.log resulting in login0000.te
Tried building on a FC20 system. In other words,
python-imgcreate-21.3-1.fc21.x86_64 was replaced with python-imgcreate-20.5-1.fc20.x86_64
lorax-21.26-1.fc21.x86_64 was replaced with lorax-20.5-1.fc20.x86_64
syslinux-extlinux-nonlinux-6.03-1.fc21.noarch was replaced with (nothing)
syslinux-6.03-1.fc21.x86_64 was replaced with syslinux-4.05-7.fc20.x86_64
pykickstart-1.99.63-2.fc21.noarch was replaced with pykickstart-1.99.48-1.fc20.noarch
syslinux-extlinux-6.03-1.fc21.x86_64 was replaced with syslinux-extlinux-4.05-7.fc20.x86_64
livecd-tools-21.3-1.fc21.x86_64 was replaced with livecd-tools-20.5-1.fc20.x86_64
syslinux-nonlinux-6.03-1.fc21.noarch was replaced with (nothing)

When I tried to boot the resulting DVD image, I got an ISOLINUX 6.03 identification message, followed by a "Faild to load ldlinux.c32". I also got the invalid contexts message.
selinux-policy-3.13.1-90.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
On an EC2 instance:

$ rpm --verify selinux-policy-targeted-3.13.1-103.fc21.noarch
missing     /etc/selinux/targeted/modules/active/modules/vbetool.pp