Bug 1556787 - setsebool fails with "type conntrackd_var_run_t is not defined"
Summary: setsebool fails with "type conntrackd_var_run_t is not defined"
Keywords:
Status: CLOSED DUPLICATE of bug 1559174
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-03-15 09:22 UTC by Christian Heimes
Modified: 2018-03-24 20:22 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-03-24 20:22:44 UTC
Type: Bug
Embargoed:



Description Christian Heimes 2018-03-15 09:22:28 UTC
Description of problem:
FreeIPA installer is having trouble because setsebool is failing to set SELinux booleans.

Version-Release number of selected component (if applicable):
policycoreutils-2.7-14.fc28.x86_64
selinux-policy-3.14.1-13.fc28.noarch

How reproducible:
always

Steps to Reproduce:
1. setsebool -P httpd_can_network_connect=on

Actual results:
# setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on httpd_run_ipa=on httpd_dbus_sssd=on
libsepol.context_from_record: type conntrackd_var_run_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:conntrackd_var_run_t:s0 to sid
invalid context system_u:object_r:conntrackd_var_run_t:s0

Expected results:
No error

Additional info:
Related FreeIPA upstream bug: https://pagure.io/freeipa/issue/7448

Comment 1 Petr Lautrbach 2018-03-15 10:40:14 UTC
Both setsebool and dnf install freeipa-server work for me on an updated Fedora-Cloud-Base-28-20180310 image.

Lukas, any idea?

Comment 2 Christian Heimes 2018-03-15 10:59:03 UTC
I forgot to mention that the machine has been upgraded from F27 to F28.

The FreeIPA error occurs during ipa-server-install with latest build from git master. Fedora 28 has freeipa-server 4.6.3, which is broken.

According to seinfo, the type is available:

# seinfo -t | grep conntrackd_var_run_t
   conntrackd_var_run_t

Despite the error, setsebool seems to flip the switches just fine:

# getsebool httpd_can_network_connect
httpd_can_network_connect --> off
# setsebool -P httpd_can_network_connect=on
libsepol.context_from_record: type conntrackd_var_run_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:conntrackd_var_run_t:s0 to sid
invalid context system_u:object_r:conntrackd_var_run_t:s0
# getsebool httpd_can_network_connect
httpd_can_network_connect --> on
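
Added example (not part of the bug thread and not FreeIPA or policycoreutils code): because setsebool can print libsepol errors while the boolean still changes, a caller can check the resulting state instead of relying on stderr alone. The function names and the second sample boolean state are hypothetical; the sample stderr is constructed from the output quoted above.

```shell
#!/bin/sh
# Triage helpers for the symptom in this report (added example).

# Print each type that libsepol reported as undefined (unique, sorted).
# Reads captured setsebool stderr on stdin.
undefined_types() {
    sed -n 's/^libsepol\.context_from_record: type \([A-Za-z0-9_]*\) is not defined$/\1/p' | sort -u
}

# Compare desired "name=on|off" settings (arguments) with getsebool output
# on stdin ("name --> on"). Prints one line per boolean that is missing or
# in the wrong state; prints nothing when everything matches.
bool_mismatches() {
    state=$(cat)
    for want in "$@"; do
        name=${want%%=*}
        value=${want#*=}
        actual=$(printf '%s\n' "$state" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        [ "$actual" = "$value" ] ||
            printf '%s: want %s, got %s\n' "$name" "$value" "${actual:-unknown}"
    done
}

# Constructed sample: setsebool stderr as quoted in the report.
SAMPLE_STDERR='libsepol.context_from_record: type conntrackd_var_run_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:conntrackd_var_run_t:s0 to sid
invalid context system_u:object_r:conntrackd_var_run_t:s0'

# Constructed sample: getsebool output after the call. The first line matches
# the report; the second boolean's state is hypothetical, to show a mismatch.
SAMPLE_STATE='httpd_can_network_connect --> on
httpd_manage_ipa --> off'

triage_sample() {
    echo "undefined types: $(printf '%s\n' "$SAMPLE_STDERR" | undefined_types)"
    printf '%s\n' "$SAMPLE_STATE" |
        bool_mismatches httpd_can_network_connect=on httpd_manage_ipa=on
}

triage_sample
```

On a live system the inputs would be the captured stderr of the setsebool call and the output of `getsebool -a`.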

Comment 4 Daniel Walsh 2018-03-18 11:58:52 UTC
I would figure it is no longer available in your image store so it can not be recompiled.

Comment 5 Lukas Vrabec 2018-03-23 12:30:09 UTC
Christian, 

Moving this ticket to POST state, we have more issues with upgrading from F27 to F28, it should be in updates-testing repos for both F27 and F28 soon.

Comment 6 Lukas Vrabec 2018-03-24 20:22:44 UTC

*** This bug has been marked as a duplicate of bug 1559174 ***
