Hide Forgot
Description of problem: Feel free to re-assign this bug to the appropriate component as I don't know what that is right now. Basically if I try to install packages using cloud-init in the Fedora 22 cloud image then I get denials and my install scriptlets don't work: type=AVC msg=audit(1433271374.623:169): avc: denied { transition } for pid=872 comm="dnf" path="/usr/sbin/ldconfig" dev="vda1" ino=4512 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0 type=AVC msg=audit(1433271375.095:170): avc: denied { transition } for pid=873 comm="dnf" path="/usr/bin/bash" dev="vda1" ino=4844 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process permissive=0 Version-Release number of selected component (if applicable): Fedora-Cloud-Base-22-20150521.x86_64.qcow2 How reproducible: Always Steps to Reproduce: 1. Start cloud image with the following user-data and observe errors in audit.log and journalctl output during boot: #cloud-config: packages: - tmux - firewalld - vim - nginx - wget runcmd: - [systemctl, enable, nginx.service] - [systemctl, enable, firewalld.service] - [wget, "http://roshi.fedorapeople.org", -O, /tmp/index.html] - [firewall-cmd, --add--service, http] - [cp, /tmp/index.html, /usr/share/nginx/html/]
Workaround that enables further testing (disables selinux on boot): #cloud-config: bootcmd: - setenforce 0 packages: - tmux - firewalld - vim - nginx - wget runcmd: - [systemctl, enable, nginx.service] - [systemctl, enable, firewalld.service] - [wget, "http://roshi.fedorapeople.org", -O, /tmp/index.html] - [firewall-cmd, --add-service, http] - [cp, /tmp/index.html, /usr/share/nginx/html/]
Added workarounds to the CommonBugs page.
Adding the CommonBugs URL.
RPM insists on running scriplets with system_r:rpm_script_t role and tyoe. The policy has to facilitate that. I never understood why the scriptlets have to fail in enforcing mode if they are not run with system_r:rpm_script_t. Nor do i understand why this is hard-coded into RPM.
(In reply to dac.override from comment #4) > RPM insists on running scriplets with system_r:rpm_script_t role and tyoe. > The policy has to facilitate that. > Can we get the policy to facilitate this transition? Is anyone looking to make this happen?
commit 257ed1a2706ce8ae6d1f54f6c311c3e50d44c768 Author: Miroslav Grepl <mgrepl> Date: Tue Jun 16 10:43:31 2015 +0200 Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
(In reply to Miroslav Grepl from comment #6) > commit 257ed1a2706ce8ae6d1f54f6c311c3e50d44c768 > Author: Miroslav Grepl <mgrepl> > Date: Tue Jun 16 10:43:31 2015 +0200 > > Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484) When will this get built? I still don't see it: https://admin.fedoraproject.org/updates/selinux-policy
selinux-policy-3.13.1-128.2.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.2.fc22
Package selinux-policy-3.13.1-128.2.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.2.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-10299/selinux-policy-3.13.1-128.2.fc22 then log in and leave karma (feedback).
I was able to test this today.. installing rpms using cloud-init seems to work for selinux-policy-3.13.1-128.2.fc22 from updates-testing. Passed the test!
selinux-policy-3.13.1-128.2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.