Description of problem:
rolekit (actually roled) forks and exec()s 'yum install' to ensure that all of the packages it needs for a role deployment are in place.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-90.fc21.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install a completely pristine Fedora Server 21 Beta system with all defaults.
2. run 'rolectl deploy --settings-file=/root/settings.json domaincontroller' with an appropriate settings.json (see https://fedorahosted.org/rolekit/wiki/DomainController)

Actual results:
The deployment fails during package installation, throwing script errors in the logs.

Expected results:
The deployment should succeed.

Additional info:
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing yum from using the transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that yum should be allowed transition access on processes labeled rpm_script_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rolekit_t:s0
Target Context                system_u:system_r:rpm_script_t:s0
Target Objects                /usr/bin/bash [ process ]
Source                        yum
Source Path                   yum
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages           bash-4.3.30-2.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-90.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     freeipa.rc1.beta.validation
Platform                      Linux freeipa.rc1.beta.validation 3.17.1-302.fc21.x86_64 #1 SMP Fri Oct 17 20:05:46 UTC 2014 x86_64 x86_64
Alert Count                   70
First Seen                    2014-10-24 06:29:11 EDT
Last Seen                     2014-10-24 06:30:51 EDT
Local ID                      74efb75d-0eeb-4ac6-917f-3319c5955648

Raw Audit Messages
type=AVC msg=audit(1414146651.343:464): avc:  denied  { transition } for  pid=1213 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=267821 scontext=system_u:system_r:rolekit_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0

Hash: yum,rolekit_t,rpm_script_t,process,transition
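The alert above suggests piping the denials through audit2allow to build a local module. The Python below is an added example, not code from rolekit, selinux-policy or the audit tools: it parses raw AVC records, merges them into allow rules the way audit2allow does (one rule per source type, target type and object class), and renders the .te source that `audit2allow -M mypol` would write. The first log line is the reported AVC; the SYSCALL record and the two fifo_file denials are constructed to show filtering and permission merging, and the function names are the example's own.

```python
"""Parse raw SELinux AVC records from audit.log and derive the allow rules and
local policy module text that `audit2allow -M` would build from them.

Added illustration for this bug; not code from rolekit, selinux-policy or the
audit tools.  Function names are this example's own.
"""
import re
from collections import defaultdict

# The AVC from the bug description, copied verbatim.
REPORTED_AVC = (
    'type=AVC msg=audit(1414146651.343:464): avc:  denied  { transition } for  '
    'pid=1213 comm="yum" path="/usr/bin/bash" dev="dm-0" ino=267821 '
    'scontext=system_u:system_r:rolekit_t:s0 '
    'tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0'
)

# Constructed sample log (not from the bug): the reported AVC, a SYSCALL record
# of the kind that accompanies it (skipped by the parser), and two made-up
# denials on one pipe to show how permissions are merged into a single rule.
SAMPLE_LOG = [
    REPORTED_AVC,
    'type=SYSCALL msg=audit(1414146651.343:464): arch=c000003e syscall=59 '
    'success=no exit=-13 comm="yum" exe="/usr/bin/python"',
    'type=AVC msg=audit(1414146651.500:470): avc:  denied  { write } for  '
    'pid=1220 comm="bash" path="pipe:[40001]" dev="pipefs" ino=40001 '
    'scontext=system_u:system_r:rpm_script_t:s0 '
    'tcontext=system_u:system_r:rolekit_t:s0 tclass=fifo_file permissive=0',
    'type=AVC msg=audit(1414146651.501:471): avc:  denied  { read } for  '
    'pid=1220 comm="bash" path="pipe:[40001]" dev="pipefs" ino=40001 '
    'scontext=system_u:system_r:rpm_script_t:s0 '
    'tcontext=system_u:system_r:rolekit_t:s0 tclass=fifo_file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m or not line.startswith('type=AVC'):
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    s = SERIAL_RE.search(line)
    return {
        'serial': s.group('serial') if s else None,
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # permissive=0 means the access was actually blocked, not just logged.
        'permissive': fields.get('permissive') == '1',
    }


def parse_log(lines):
    return [r for r in (parse_avc(l) for l in lines) if r is not None]


def type_of(context):
    """system_u:system_r:rolekit_t:s0 -> rolekit_t"""
    return context.split(':')[2]


def allow_rules(records):
    """Aggregate like audit2allow: one allow rule per
    (source type, target type, object class), permissions merged."""
    grouped = defaultdict(set)
    for r in records:
        key = (type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])
        grouped[key].update(r['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = ' '.join(sorted(perms))
        body = f'{{ {p} }}' if len(perms) > 1 else p
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules


def build_te_module(name, records):
    """Render the .te source that `audit2allow -M name` would write."""
    types, classes = set(), defaultdict(set)
    for r in records:
        types.update((type_of(r['scontext']), type_of(r['tcontext'])))
        classes[r['tclass']].update(r['perms'])
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    for cls, perms in sorted(classes.items()):
        p = ' '.join(sorted(perms))
        body = f'{{ {p} }}' if len(perms) > 1 else p
        lines.append(f'\tclass {cls} {body};')
    lines += ['}', ''] + allow_rules(records)
    return '\n'.join(lines) + '\n'


def enforced(records):
    """Denials that actually blocked the access (permissive=0)."""
    return [r for r in records if not r['permissive']]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    print(f'{len(enforced(recs))} of {len(recs)} denials were enforced')
    print(build_te_module('mypol', recs))
```

A module built this way only whitelists the denials that happened to be logged, so it is a stop-gap for a single machine; the durable fix is the policy interface in selinux-policy, and the local module should be dropped with `semodule -r mypol` once the fixed policy package is installed.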
Proposed as a Blocker for 21-beta by Fedora user sgallagh using the blocker tracking app because: "Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode." and "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."
In case I don't wake up in time for the meeting tomorrow, I'm +1 blocker.
We need to add

optional_policy(`
	rpm_transition_script(rolekit_t, system_r)
')
commit cf74a399b86a6244a4927446a72aad7f955db03d
Author: Miroslav Grepl <mgrepl>
Date:   Fri Oct 24 15:50:24 2014 +0200

    Allow rolekit transition to rpm_script_t.
Discussed at 2014-10-24 Go/No-Go meeting: http://meetbot.fedoraproject.org/fedora-meeting-2/2014-10-24/f21_beta_gono-go_meeting.2014-10-24-17.01.log.txt . Accepted as a blocker per criterion cited in c#1.
sgallagh reports that the -91 build resolves the issue, so setting VERIFIED for blocker tracking purposes. We need an update submitted with that build in it.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-92.fc21 build added to updates.
Lukas, for future reference, we really need you to submit the *exact build that was pulled through the freeze*, not a later one. It's usually not critical for Beta, but it absolutely is for Final, because the frozen tree *has* to match what's on the ISOs.
Actually it turns out it is critical for Beta, as we wanted to provide a frozen Beta tree for secondary arches to base their Beta build on. dgilmore has tagged -91 for stable manually, so this should be OK now, but we really need to have the correct build submitted to Bodhi in future, thanks.
Adam, sorry, my mistake. I'll avoid this.