Red Hat Bugzilla – Bug 185475
system-install-packages won't install unsigned packages
Last modified: 2007-11-30 17:11:27 EST
Description of problem:
Double click on downloaded package (eg AdobeReader_enu-7.0.5-1.i386.rpm)
supply root password when prompted and then click apply, dependancies are
resolved and you get a message saying that the package is not signed with the
option to see details you also get the option to install anyway or cancel.
Doing either results in the package not being installed although install anyway
appears to go through the motions and presents a dialogue box saying installed
successfully when nothing has actually been done.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
instalation of package
The package in question is installable via rpm -i or yum localinstall (if
package signing is temperarily turned off)
checked /var/log/yum.log and there is an entry for each attempted install when
install anyway was clicked.
Mar 14 23:31:05 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:35:52 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:39:52 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:56:34 Installed: AdobeReader_enu.i386 7.0.5-1
So what is install packages actually doing as no evidence could be found for
anything having been writen to disk (I checked in the place where it was
installed by the rpm -i method on another system and no sign of anything.
NB it actually gets installed in /usr/local/Adobe with rpm -i
It was rather late when I found this issue last night so I will test further
when I get home from work. First I will see if I can get system-install-
packages to install a signed package by double clicking it and if this does'nt
work either I will re-boot with enforcing=0 and test again to see if it is an
selinux compatibility issue.
I will post results of further testing about 19:30 GMT.
If you double click the manually downloaded package
gnome-backgrounds-2.14.0-1.noarch.rpm system-install-packages complains unable
to verify and if you open details it says that the required public key is not
installed so install anyway and it works. Doing the same for
AdobeReader_enu-7.0.5-1.i386.rpm you get the same unable to verify message and
if you open details it says Package AdobeReader_enu-7.0.5-1.i386.rpm is not
signed and clicking install anyway goes through the motions but nothing is
If you re-boot with enforcing=0 you get all the same dialogues but this time the
unsigned package gets installed properly.
So there is an issue with pirut installing unsigned packages when selinux is
Oh and another minor cosmetic hitch.
If you use add/remove software to remove something it actually tells you it has
installed it successfully. So if one dialoge is used for both installing and
removal how about it saying "software changes made successfully"
SELinux shouldn't really impact anything at all as far as enabling/disabling
unsigned packages. I'm wondering if there's something stupid about the package
which is causing a scriptlet error when done from pirut
Are there any error messages in your X session log or any AVC messages?
I will do some more testing tonight when I get home from work.
I will try launching system-install-packages from a terminal and pass the
package name on the command line if this is possible and see what output is
shown here as well if I can. I will also check other logs and report my
findings later this evening (by about 20:00 GMT)
when system-install-packages is run in a terminal window with selinux active
the following output is seen :-
error: %pre(AdobeReader_enu-7.0.5-1.i386) scriptlet failed, exit status 255
error: install: %pre scriptlet failed (2), skipping AdobeReader_enu-7.0.5-1
and when run with enforcing=0 at boot all that is seen is as follows ;-
nothing shows up in any log that I can find.
So it would seem that when you attempt to install this package with selinux on
using system-install-packages there is a problem.
But doing a yum localinstall with with seliux on works. see following :-
(echo config gpgcheck 0; echo localinstall AdobeReader_enu-7.0.5-1.i386.rpm;
echo run) > yum-cmd
yum shell yum-cmd
Loading "installonlyn" plugin
Setting up Yum Shell
Setting up Local Package Process
Examining AdobeReader_enu-7.0.5-1.i386.rpm: AdobeReader_enu - 7.0.5-1.i386
Marking AdobeReader_enu-7.0.5-1.i386.rpm to be installed
Setting up repositories
development 100% |=========================| 1.1 kB 00:00
extras-development 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
--> Populating transaction set with selected packages. Please wait.
---> Package AdobeReader_enu.i386 0:7.0.5-1 set to be updated
--> Running transaction check
Package Arch Version Repository Size
AdobeReader_enu i386 7.0.5-1
AdobeReader_enu-7.0.5-1.i386.rpm 94 M
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 94 M
Is this ok [y/N]: y
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Installing: AdobeReader_enu ######################### [1/1]
Installed: AdobeReader_enu.i386 0:7.0.5-1
all done after issuing su to become root.
There's definitely a scriptlet there doing something that perhaps it shouldn't.
Can you provide the output of rpm -qp --scripts on the package?
Created attachment 126268 [details]
Output from rpm -qp --scripts AdobeReader_enu-7.0.5-1.i386.rpm as requested
Attacment created with output as requested see comment #10
Another ppackage that system-install-packages has a problem with is realplayer
although it installs the files the post install script fails. It installs OK
with RPM -i though.
output from running system-install-packages in a terminal.
error: %post(RealPlayer-10.0.6.776-20050915.i586) scriptlet failed, exit status 255
I will attach the output of rpm -qp --scripts for info.
Created attachment 126467 [details]
script output for realplayer
Aha, this is a policy bug. Policy fix is
--- serefpolicy-2.2.30/policy/modules/admin/rpm.fc.foo 2006-04-12
+++ serefpolicy-2.2.30/policy/modules/admin/rpm.fc 2006-04-12
@@ -15,6 +15,7 @@
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
You can fix your system with
chcon system_u:object_r:rpm_exec_t:s0 /usr/sbin/system-install-packages
We seem to have had the selinux policy update now in FC5 as well as rawhide so I
will do some tests and see if all is now fixed.