+++ This bug was initially created as a clone of Bug #1211010 +++

Description of problem:
was trying to create a rawhide workstation livecd

SELinux is preventing restorecon from 'associate' accesses on the filesystem debug.

***** Plugin filesystem_associate (99.5 confidence) suggests **************

If you believe restorecon should be allowed to create debug files
Then you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.
Do
use a command like "cp -p" to preserve all permissions except SELinux context.

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that restorecon should be allowed associate access on the debug filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:object_r:debugfs_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                debug [ filesystem ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.9.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.19.2-201.fc21.x86_64 #1 SMP Tue Mar 24 03:08:23 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-04-11 20:44:44 PDT
Last Seen                     2015-04-11 20:44:44 PDT
Local ID                      9c829e4e-b46e-4637-aa76-05ef76e97f9d

Raw Audit Messages
type=AVC msg=audit(1428810284.346:548): avc: denied { associate } for pid=30291 comm="restorecon" name="debug" dev="sysfs" ino=744 scontext=system_u:object_r:debugfs_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0

Hash: restorecon,debugfs_t,sysfs_t,filesystem,associate

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.2-201.fc21.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-04-13 08:51:46 EDT ---

(In reply to Moez Roy from comment #0)
> Description of problem:
> was trying to create a rawhide workstation livecd

Could you paste your steps?

--- Additional comment from Moez Roy on 2015-04-13 10:23:15 EDT ---

(In reply to Miroslav Grepl from comment #1)
> (In reply to Moez Roy from comment #0)
> > Description of problem:
> > was trying to create a rawhide workstation livecd
>
> Could you paste your steps?

yum install livecd-tools wget
wget https://kojipkgs.fedoraproject.org//work/tasks/8354/9468354/fedora-live-workstation-1564226.ks
mkdir cacheDir tmpDir
livecd-creator --config=fedora-live-workstation-1564226.ks --cache=cacheDir --tmpdir=tmpDir --verbose

Note: you should also see warnings like "/sbin/setfiles: tmpDir/something is not located in /etc/selinux/targeted/contexts/files/file_contexts"

--- Additional comment from Miroslav Grepl on 2015-04-14 08:59:49 EDT ---

Added to rawhide

commit a0bf28db6a603defbc8ec2ee4c9b72c834edfe61
Author: Miroslav Grepl <mgrepl>
Date:   Tue Apr 14 14:58:59 2015 +0200

    Allow debugfs associate to a sysfs filesystem.
>Note: you should also see warnings like "/sbin/setfiles: tmpDir/something is
>not located in /etc/selinux/targeted/contexts/files/file_contexts"

There is broken "setfiles -r" functionality.
(In reply to Miroslav Grepl from comment #1)
> >Note: you should also see warnings like "/sbin/setfiles: tmpDir/something is
> >not located in /etc/selinux/targeted/contexts/files/file_contexts"
>
> There is broken
>
> "setfiles -r"
>
> functionality.

I don't understand. Is this the problem with LiveCD-Tools using "setfiles" instead of using "setfiles -r"?
(In reply to Moez Roy from comment #2) > I don't understand. Is this the problem with LiveCD-Tools using "setfiles" > instead of using "setfiles -r"? No, there's a bug in setfiles code. The following patch fixes it: --- a/policycoreutils-2.3/setfiles/setfiles.c +++ b/policycoreutils-2.3/setfiles/setfiles.c @@ -334,7 +334,7 @@ int main(int argc, char **argv) argv[0]); exit(-1); } - set_rootpath(argv[optind]); + set_rootpath(optarg); break; case 's': use_input_file = 1;
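Review bot: the guard directly above the changed `set_rootpath(...)` call, the block that prints `argv[0]` and ends in `exit(-1);`, is only partly visible in this context and should be checked for the same `argv[optind]` assumption. Once getopt() has returned an option that takes an argument, the value is in `optarg` and `optind` already points past it, so `argv[optind]` names the next command-line word; the `+ set_rootpath(optarg);` line is right for that reason, and any validation that still looks at `argv[optind]` would be testing the wrong word. A short comment on the new call stating that the root path comes from `optarg`, plus a regression test that passes the option with a root path followed by a file operand, would keep this from coming back.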
Yes, this bug has two parts - policy bug + setfiles bug. Petr, thanks for the patch. It works for me as expected.
I believe this may be causing https://bugzilla.redhat.com/show_bug.cgi?id=1190377 . Investigating.
policycoreutils-2.3-17.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/policycoreutils-2.3-17.fc22
policycoreutils-2.3-8.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/policycoreutils-2.3-8.fc21
Package policycoreutils-2.3-8.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.3-8.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10818/policycoreutils-2.3-8.fc21
then log in and leave karma (feedback).
policycoreutils-2.3-17.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
policycoreutils-2.3-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.