Bug 175449 - fails installation on pre and post scriptlets via rpm or yum
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
5
i686 Linux
medium Severity medium
Assigned To: Daniel Walsh
https://www.redhat.com/archives/fedor...
Blocks: 174919
Reported: 2005-12-10 16:23 EST by Jim Cornette
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-01-05 14:47:47 EST

Attachments
These rpms were duplicates of previous installed rpms (1.33 KB, text/plain)
2005-12-11 23:15 EST, Jim Cornette
Description Jim Cornette 2005-12-10 16:23:19 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051018 Fedora/1.7.12-2

Description of problem:
There have been discussions about problems with post and pre script failures. I am having problems which relate to this problem also.

Some severe problems, like the system not being bootable because there was no policy.20 created, have also been reported.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. run yum to update programs on system
2. get failures for several packages since pre scripts failed.
3. try to install cached yum rpm with rpm -Uvh
4. Get same script failure as described
5. Boot the system with selinux=0
6. change to yum cache (as root user)
7. try to install same rpm from yum cached rpms
  

Actual Results:  With selinux active, pre script failures never installed downloaded rpms which met deps according to yum or rpm.

With SELinux off, rpms installed without failure

Expected Results:  The packages should have installed without problems.

Additional info:

This problem is causing post install scripts to leave entries for the old packages when the newer rpm programs are installed.

This problem is also causing bailing out from downloaded rpms which never install.
Comment 1 Jim Cornette 2005-12-10 16:26:23 EST
from testing with and without selinux enabled.

SELINUX enforcing:

> Downloading Packages:
> (1/1): selinux-policy-tar 100% |=========================| 221 kB    00:00
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
> error: %pre(selinux-policy-targeted-2.1.1-1.noarch) scriptlet failed, exit status 255
> error:   install: %pre scriptlet failed (2), skipping selinux-policy-targeted-2.1.1-1
>
> Updated: selinux-policy-targeted.noarch 0:2.1.1-1
> Complete!
> [root@cornette-lt ~]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-2.1.0-1
> [root@cornette-lt ~]# cd /var/cache/yum/development/packages/
> [root@cornette-lt packages]# ls
> selinux-policy-targeted-2.1.1-1.noarch.rpm
> [root@cornette-lt packages]# rpm -Uvh sel*.rpm
> Preparing...                ########################################### [100%]
> error: %pre(selinux-policy-targeted-2.1.1-1.noarch) scriptlet failed, exit status 255
> error:   install: %pre scriptlet failed (2), skipping selinux-policy-targeted-2.1.1-1
>

SELINUX disabled:

ls
selinux-policy-targeted-2.1.1-1.noarch.rpm
[root@cornette-lt packages]# rpm -Uvh sel*.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
[root@cornette-lt packages]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.1.1-1
[root@cornette-lt packages]# rpm -q --verify selinux-policy-targeted 
Comment 2 Jim Cornette 2005-12-11 23:12:55 EST
I queried the rpm database and found duplicates of many packages. I feel that
these were left in a bad state due to scripting errors triggered by security
policies.

A listing of rpms will be in an attached file.
Comment 3 Jim Cornette 2005-12-11 23:15:53 EST
Created attachment 122119 [details]
These rpms were duplicates of previous installed rpms

There were other rpms which I had to remove with the noscripts option to rpm.
These are not on the listing. They were mainly java related packages.
Comment 4 Daniel Walsh 2005-12-13 10:04:13 EST
When you turn selinux back on and relabel, are you seeing the same rpm behavior?
Comment 5 Jim Cornette 2005-12-13 22:00:14 EST
Using the policy installation as an example, I have the below output after
relabeling the system, removing the db entries for the duplicated rpms.

No packages now are downloaded but not installed. --verify does show the below
output.

 rpm  -qa |grep selinux
libselinux-1.29.1-2
libselinux-devel-1.29.1-2
libselinux-python-1.29.1-2
selinux-policy-targeted-2.1.4-1
[root@cornette-lt ~]#
[root@cornette-lt ~]# rpm -qV selinux-policy-targeted-2.1.4-1
........C   /etc/selinux/targeted/modules/active
........C c /etc/selinux/targeted/modules/active/seusers


I'll check the system for fallout from leftover db entries lingering after the
upgrading is completed and report back.
Comment 6 Jim Cornette 2005-12-13 22:38:51 EST
No duplicate packages were found within the rpmdb other than kernel and
repository keys.

No updates other than pcmciautils.i386 007-1.1 available for install but not
updatable. (openoffice removed along with other long term dep problem apps)

 rpm -qaV >/home/rpm-verify
prelink: /usr/lib/libavcodec-CVS.so: Could not parse `/usr/lib/libavcodec-CVS.so: error while loading shared libraries: libxvidcore.so.4: cannot enable executable stack as shared object requires: Permission denied'
prelink: /usr/lib/libavformat-CVS.so: Could not parse `/usr/lib/libavformat-CVS.so: error while loading shared libraries: libmp3lame.so.0: cannot enable executable stack as shared object requires: Permission denied'
prelink: /usr/lib/libpostproc.so.0.0.1.#prelink#.a7ZrbE Could not trace symbol resolving

cat rpm-verify
S.?......   /usr/lib/libavcodec-CVS.so
S.?......   /usr/lib/libavformat-CVS.so
S.?......   /usr/lib/libpostproc.so.0.0.1
S.5....T. c /etc/aliases

I believe the problem is not showing up at present.

# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
Comment 7 Daniel Walsh 2005-12-14 13:30:23 EST
Try restorecon -R -v /usr/lib
Comment 8 Jim Cornette 2005-12-14 17:36:15 EST
After running restorecon as in comment #7 rpm -qaV spits out the following output.

 cat /home/rpm-restorecon
S.?......   /usr/lib/libavcodec-CVS.so
S.?......   /usr/lib/libavformat-CVS.so
....L...C   /usr/lib/libpostproc.so.0
S.?......   /usr/lib/libpostproc.so.0.0.1
S.?......   /usr/bin/enca
S.5....T. c /etc/aliases
S.?......   /usr/bin/mc
........C   /usr/bin/latex
........C   /usr/bin/pdflatex
S.5....T.   /usr/share/texmf-var/web2c/latex.fmt
S.5....T.   /usr/share/texmf-var/web2c/pdflatex.fmt
Comment 9 Jim Cornette 2005-12-15 07:09:30 EST
Another incident for exit code and multipackages.

Running Transaction
  Updating  : lirc                         ######################### [1/4]
error: %post(lirc-0.8.0-0.2.pre2.fc5.i386) scriptlet failed, exit status 255
  Updating  : SDL_ttf                      ######################### [2/4]
  Cleanup   : SDL_ttf                      ######################### [3/4]

Updated: SDL_ttf.i386 0:2.0.7-3.fc5 lirc.i386 0:0.8.0-0.2.pre2.fc5
Complete!

]# rpm -q lirc
lirc-0.8.0-0.2.pre1.fc5
lirc-0.8.0-0.2.pre2.fc5
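
The leftover rpmdb entries reported in comments 2 and 9 can be listed mechanically. This is an added example, not a script from the thread or from the rpm project: it reads `rpm -qa` output in a name/arch/version-release layout and reports packages installed more than once, skipping `kernel` and `gpg-pubkey` (the kernel and repository keys that comment 6 mentions). The function names and the sample list are assumptions; only the two lirc versions come from the thread.

```shell
#!/bin/sh
# Added example: report packages recorded more than once in the rpm database.
# Live use (run as any user):
#   rpm -qa --qf '%{NAME} %{ARCH} %{VERSION}-%{RELEASE}\n' | find_dup_packages

# Reads "name arch version-release" lines on stdin.
# Prints "name.arch: ver1 ver2 ..." for every name/arch pair seen twice or more.
find_dup_packages() {
    awk '
        # Several kernels and several imported keys are normal, so skip them.
        $1 ~ /^(kernel|gpg-pubkey)$/ { next }
        # Key on name AND arch so multilib pairs are not flagged.
        { key = $1 "." $2; count[key]++; vers[key] = vers[key] " " $3 }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k ":" vers[k]
        }
    ' | sort
}

# Constructed sample input. The lirc and SDL_ttf versions are the ones shown
# in the thread; the kernel and gpg-pubkey lines are made-up placeholders.
sample_rpm_list() {
    cat <<'EOF'
lirc i386 0.8.0-0.2.pre1.fc5
lirc i386 0.8.0-0.2.pre2.fc5
SDL_ttf i386 2.0.7-3.fc5
kernel i686 0.0.0-1.example
kernel i686 0.0.0-2.example
gpg-pubkey (none) 00000000-00000000
gpg-pubkey (none) 11111111-11111111
EOF
}
```

Running `sample_rpm_list | find_dup_packages` prints one line for lirc and nothing for the kernel or key entries.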

Comment 10 Ivan Gyurdiev 2006-01-02 06:19:14 EST
What version of policy is this?
How long since you last rebooted?
What does id -Z return before you run rpm?

I had this problem earlier, caused by login-related issues with the
users/seusers file - something to do with running a non-MLS enabled policy with
MLS-enabled files, but I don't remember the details.


Comment 11 Hans de Goede 2006-01-05 09:26:28 EST
I'm seeing this too, fully up2date rawhide, running the latest kernel after a
fresh boot with "autorelabel" on the kernel cmd line to just make sure.

Any rpm with script causes a "scriptlet failed, exit status 255" message no
matter if I install it through yum or directly with rpm.

Depending on how I become root this works or not:
-direct log in as root on console, no problem
-log into gdm as normal user then su or "su -" from xterm fails
-login as normal user on console then su or "su -" works fine
 for my fully up2date home x86_64 system, but I believe to remember that on my
 i386 rawhide system at work this scenario fails though.

id -Z after "su -" from xterm:
[root@shalem ~]# id -Z
user_u:system_r:xdm_t:SystemLow-SystemHigh

id -Z directly logged in on console:
[root@shalem ~]# id -Z
root:system_r:unconfined_t:SystemLow-SystemHigh

and for reference id -Z after "su -" from normal user on console:
[root@shalem ~]# id -Z
user_u:system_r:unconfined_t:SystemLow-SystemHigh
Comment 12 Daniel Walsh 2006-01-05 09:45:57 EST
xdm_t is the wrong context.

What policy are you running?

rpm -q selinux-policy-targeted
Comment 13 Hans de Goede 2006-01-05 10:12:06 EST
Hmm,

[hans@shalem devel]$ rpm -q selinux-policy-targeted
package selinux-policy-targeted is not installed

[hans@shalem devel]$ rpm -qf /etc/selinux/targeted/setrans.conf 
file /etc/selinux/targeted/setrans.conf is not owned by any package

[hans@shalem devel]$ rpm -qf /etc/selinux/targeted/contexts/default_type 
file /etc/selinux/targeted/contexts/default_type is not owned by any package

Dunno how that happened, doing a yum -y install selinux-policy-targeted as we
speak, once the relabel is done I'll mv all the rpmnew files just created over
the old ones, reboot with autorelabel and report back.
Comment 14 Hans de Goede 2006-01-05 14:20:02 EST
Installing the latest version and then relabeling seems to have fixed things, id
-Z after su - from an xterm now gives:
[root@shalem ~]# id -Z
user_u:system_r:unconfined_t:SystemLow-SystemHigh
Comment 15 Daniel Walsh 2006-01-05 14:47:47 EST
The bad libsetrans from earlier in the week probably caused this.  So I am going
to close this bug.
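
The `id -Z` comparison from comments 11 to 14 can be turned into a preflight check that runs before a package transaction. This is an added example, not a script from the thread or from the SELinux project: it extracts the type field from a context string and refuses to proceed when the shell is in an unexpected domain such as `xdm_t`. The function names and the `ALLOWED_TYPES` variable are assumptions; the default allow-list of `unconfined_t` is taken from the working shells shown above.

```shell
#!/bin/sh
# Added example: check the SELinux domain of the current shell before
# starting an rpm or yum transaction under the targeted policy.

# Print the type (third field) of a context "user:role:type[:level]".
# Returns 1 if the string has fewer than three colon-separated fields.
selinux_type() {
    ctx=$1
    case $ctx in
        *:*:*) ;;
        *) return 1 ;;
    esac
    rest=${ctx#*:}                 # drop the user field
    rest=${rest#*:}                # drop the role field
    printf '%s\n' "${rest%%:*}"    # keep the type, drop any level or range
}

# Return 0 if the context's type is in the allow-list, 1 otherwise.
# ALLOWED_TYPES is an assumption of this example (space-separated types).
context_ok_for_rpm() {
    t=$(selinux_type "$1") || return 1
    for allowed in ${ALLOWED_TYPES:-unconfined_t}; do
        [ "$t" = "$allowed" ] && return 0
    done
    return 1
}

# Check the context given as $1, or the live one from id -Z when omitted.
# An empty context (for example with SELinux disabled) is also refused.
preflight() {
    ctx=${1:-$(id -Z 2>/dev/null || true)}
    if context_ok_for_rpm "$ctx"; then
        echo "ok: $ctx"
    else
        echo "refusing: unexpected SELinux context '$ctx'" >&2
        return 1
    fi
}
```

With the contexts from comment 11, `preflight 'user_u:system_r:xdm_t:SystemLow-SystemHigh'` is refused, while the two `unconfined_t` contexts pass.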
