Red Hat Bugzilla – Bug 162452
sudo gives Tons of errors after disabling SELinux
Last modified: 2007-11-30 17:11:09 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Galeon/1.3.21
Description of problem:
Sorry if this is not a bug, but after searching in Google with no results,
I posted this in Fedoraforum.org and no one answered. So, I assume it is a bug.
I installed FC4 with SELinux enabled, and then I turned it OFF, since
I don't run any server (and I have no experience with SELinux).
I use NFS, with a non-standard HOME directory.
The system is working fine, but when running 'sudo rpm -Uvh <package>'
I get, just before installing the package, TONS of errors like:
/etc/selinux/targeted/contexts/files/file_contexts: line 1712 has invalid context system_u:object_r:texrel_shlib_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 56 has invalid context root:object_r:user_home_dir_t
One error for each line in files file_contexts(.homedirs), so hundreds
of errors! After all this, the package is correctly installed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Just running "sudo rpm -Uvh <package>".
This looks like rpm is not checking if SELinux is enabled?
Well, I know nothing about SELinux, but it appears to behave like so.
I have another almost identical machine that I installed without SELinux from
the beginning, and it works perfectly.
This is important:
The same operation when done by a local user (in particular, with a standard
$HOME) gives no error.
rpm performs this check to see if SELinux is enabled:
ts->selinuxEnabled = is_selinux_enabled();
AFAIK, that is still the libselinux API to be used.
ts->selinuxEnabled = is_selinux_enabled() > 0;
Should be used.
Bzzzt! Why? Every usage of ts->selinuxEnabled checks for > 0; the variable
contains exactly the (non-boolean) value returned from libselinux.
"Tons of errors" after an upgrade to a broken policy package is the problem, not rpm.
Ok, but rpm should not be calling matchpathcon if selinux is disabled.
Bzzzt! Then file a different bug.
The intent was to permit verification of file context policy against installed
selinux xattrs with selinux disabled for QA purposes. That was successfully
and correctly implemented.
The addition of matchpathcon for MLS purposes has been imperfectly implemented
in the Red Hat rpm. Which is why the patch is not upstream.
The bug in setrans which you are referring to has been fixed. What other part of
matchpathcon is broken?
If the underlying cause of "tons of errors" is the "bug in setrans", then this bug should
If matchpathcon() should not be called if selinux is disabled, then another bug should be
added against rpm, as that is not the current behavior (nor was it the original implementation
intent) in rpm afaik.
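The two technical points argued above are the non-boolean return of is_selinux_enabled() (libselinux documents it as 1 when enabled, 0 when disabled and -1 on error) and whether matchpathcon should be consulted at all when the result is not positive. The following Python model is an added example written for this page; it is not rpm's code or libselinux's. The names Transaction, open_transaction, should_consult_policy, label_files and summarise_invalid_context_errors are hypothetical, the is_selinux_enabled() result is injected so the script runs without a SELinux-capable kernel, and the sample error lines are constructed after the two quoted in the report.

```python
"""Model of the rpm-side check discussed in this bug (constructed example).

libselinux's is_selinux_enabled() returns 1 when SELinux is enabled, 0 when it
is disabled and -1 on error: an int, not a bool. rpm stores that raw value in
ts->selinuxEnabled and every consumer tests it with '> 0'. The functions below
reproduce that contract; the return value is injected so nothing here needs
libselinux or a SELinux-capable kernel.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Pattern for the diagnostic lines quoted in the bug report (constructed).
INVALID_CTX_RE = re.compile(
    r"^(?P<file>\S+): line (?P<line>\d+) has invalid context (?P<ctx>\S+)$"
)


@dataclass
class Transaction:
    """Stand-in for rpm's transaction set; keeps the raw libselinux value."""
    selinux_enabled: int  # raw is_selinux_enabled() result: 1, 0 or -1


def open_transaction(is_selinux_enabled):
    """Mirror ts->selinuxEnabled = is_selinux_enabled(): store the raw int."""
    return Transaction(selinux_enabled=is_selinux_enabled())


def should_consult_policy(ts):
    """The test rpm applies before labelling: enabled only when rc > 0.
    A bare truthiness test would be wrong, since -1 (error) is truthy."""
    return ts.selinux_enabled > 0


def naive_should_consult_policy(ts):
    """The mistake a truthiness test would introduce (shown for contrast)."""
    return bool(ts.selinux_enabled)


def label_files(ts, paths, matchpathcon):
    """Ask the policy for contexts only when SELinux is usable; otherwise
    return no labels instead of one 'invalid context' per policy line."""
    if not should_consult_policy(ts):
        return {}
    return {p: matchpathcon(p) for p in paths}


def summarise_invalid_context_errors(lines):
    """Triage helper: count 'invalid context' diagnostics per policy file,
    which shows whether every line of file_contexts(.homedirs) was rejected."""
    counts = Counter()
    for line in lines:
        m = INVALID_CTX_RE.match(line.strip())
        if m:
            counts[m.group("file")] += 1
    return dict(counts)


# Constructed sample output modelled on the two lines quoted in the report.
SAMPLE_ERRORS = [
    "/etc/selinux/targeted/contexts/files/file_contexts: line 1712 has invalid context system_u:object_r:texrel_shlib_t",
    "/etc/selinux/targeted/contexts/files/file_contexts: line 1713 has invalid context system_u:object_r:lib_t",
    "/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 56 has invalid context root:object_r:user_home_dir_t",
]

if __name__ == "__main__":
    for rc in (1, 0, -1):
        ts = open_transaction(lambda rc=rc: rc)
        print(rc, should_consult_policy(ts), naive_should_consult_policy(ts))
    print(summarise_invalid_context_errors(SAMPLE_ERRORS))
```

Running the script prints the three outcomes side by side: for rc = -1 the rpm-style comparison yields False while the truthiness test yields True, which is why the thread insists the stored value stays the raw int and every consumer compares against 0. The summary helper is what one would run over the captured stderr of the failing rpm command to confirm the "one error per line of file_contexts" observation before filing a separate bug against the caller.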