Bug 185475 - system-install-packages won't install unsigned packages
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-03-14 18:53 EST by David Bentley
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2006-05-09 08:52:50 EDT


Attachments:
script_op.txt (12.29 KB, text/plain)
2006-03-17 04:36 EST, David Bentley
script output for realplayer (6.01 KB, text/plain)
2006-03-22 06:44 EST, David Bentley
Description David Bentley 2006-03-14 18:53:40 EST
Description of problem:
Double click on downloaded package (eg AdobeReader_enu-7.0.5-1.i386.rpm),
supply root password when prompted and then click apply. Dependencies are
resolved and you get a message saying that the package is not signed, with the
option to see details; you also get the option to install anyway or cancel.
Doing either results in the package not being installed, although install anyway
appears to go through the motions and presents a dialogue box saying installed
successfully when nothing has actually been done.

Version-Release number of selected component (if applicable):
pirut-1.0.1-1


How reproducible:
always

Steps to Reproduce:
see description
Actual results:


Expected results:
installation of package

Additional info:
Comment 1 David Bentley 2006-03-14 19:04:31 EST
The package in question is installable via rpm -i or yum localinstall (if
package signing is temporarily turned off)
Comment 2 David Bentley 2006-03-14 19:42:03 EST
checked /var/log/yum.log and there is an entry for each attempted install when
install anyway was clicked.

Mar 14 23:31:05 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:35:52 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:39:52 Installed: AdobeReader_enu.i386 7.0.5-1
Mar 14 23:56:34 Installed: AdobeReader_enu.i386 7.0.5-1

So what is install packages actually doing, as no evidence could be found for
anything having been written to disk (I checked in the place where it was
installed by the rpm -i method on another system and no sign of anything).

NB it actually gets installed in /usr/local/Adobe with rpm -i
Comment 3 David Bentley 2006-03-15 07:33:55 EST
It was rather late when I found this issue last night so I will test further
when I get home from work. First I will see if I can get
system-install-packages to install a signed package by double clicking it and
if this doesn't work either I will re-boot with enforcing=0 and test again to
see if it is an selinux compatibility issue.

I will post results of further testing about 19:30 GMT. 
Comment 4 David Bentley 2006-03-15 14:37:15 EST
If you double click the manually downloaded package
gnome-backgrounds-2.14.0-1.noarch.rpm system-install-packages complains unable
to verify and if you open details it says that the required public key is not
installed so install anyway and it works. Doing the same for
AdobeReader_enu-7.0.5-1.i386.rpm you get the same unable to verify message and
if you open details it says Package AdobeReader_enu-7.0.5-1.i386.rpm is not
signed and clicking install anyway goes through the motions but nothing is
installed.

If you re-boot with enforcing=0 you get all the same dialogues but this time the
unsigned package gets installed properly.

So there is an issue with pirut installing unsigned packages when selinux is
active (policy-targeted)
Comment 5 David Bentley 2006-03-15 14:49:45 EST
Oh and another minor cosmetic hitch.
If you use add/remove software to remove something it actually tells you it has
installed it successfully. So if one dialogue is used for both installing and
removal how about it saying "software changes made successfully"
Comment 6 Jeremy Katz 2006-03-16 00:14:05 EST
SELinux shouldn't really impact anything at all as far as enabling/disabling
unsigned packages.  I'm wondering if there's something stupid about the package
which is causing a scriptlet error when done from pirut

Are there any error messages in your X session log or any AVC messages?
Comment 7 David Bentley 2006-03-16 06:24:33 EST
I will do some more testing tonight when I get home from work.
I will try launching system-install-packages from a terminal and pass the 
package name on the command line if this is possible and see what output is 
shown here as well if I can. I will also check other logs and report my 
findings later this evening (by about 20:00 GMT)
Comment 8 David Bentley 2006-03-16 16:00:01 EST
when system-install-packages is run in a terminal window with selinux active 

system-install-packages AdobeReader_enu-7.0.5-1.i386.rpm

the following output is seen :-

AdobeReader_enu-7.0.5-1.i386.rpm
error: %pre(AdobeReader_enu-7.0.5-1.i386) scriptlet failed, exit status 255
error:   install: %pre scriptlet failed (2), skipping AdobeReader_enu-7.0.5-1

and when run with enforcing=0 at boot all that is seen is as follows :-

AdobeReader_enu-7.0.5-1.i386.rpm

nothing shows up in any log that I can find.

So it would seem that when you attempt to install this package with selinux on
using system-install-packages there is a problem.

But doing a yum localinstall with selinux on works. See following :-

(echo config gpgcheck 0; echo localinstall AdobeReader_enu-7.0.5-1.i386.rpm;
echo run) > yum-cmd
yum shell yum-cmd
Loading "installonlyn" plugin
Setting up Yum Shell
Setting up Local Package Process
Examining AdobeReader_enu-7.0.5-1.i386.rpm: AdobeReader_enu - 7.0.5-1.i386
Marking AdobeReader_enu-7.0.5-1.i386.rpm to be installed
Setting up repositories
development                                                          [1/2]
development               100% |=========================| 1.1 kB    00:00
extras-development                                                   [2/2]
extras-development        100% |=========================| 1.1 kB    00:00
Reading repository metadata in from local files
--> Populating transaction set with selected packages. Please wait.
---> Package AdobeReader_enu.i386 0:7.0.5-1 set to be updated
--> Running transaction check

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 AdobeReader_enu         i386       7.0.5-1         
AdobeReader_enu-7.0.5-1.i386.rpm   94 M

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 94 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: AdobeReader_enu              ######################### [1/1]

Installed: AdobeReader_enu.i386 0:7.0.5-1
Finished Transaction
Leaving Shell

all done after issuing su to become root.
Comment 9 Jeremy Katz 2006-03-16 16:11:02 EST
There's definitely a scriptlet there doing something that perhaps it shouldn't.

Can you provide the output of rpm -qp --scripts on the package?
Comment 10 David Bentley 2006-03-17 04:36:30 EST
Created attachment 126268
script_op.txt

Output from rpm -qp --scripts AdobeReader_enu-7.0.5-1.i386.rpm as requested
Comment 11 David Bentley 2006-03-17 04:39:32 EST
Attachment created with output as requested, see comment #10
Comment 12 David Bentley 2006-03-22 06:38:57 EST
Another package that system-install-packages has a problem with is realplayer;
although it installs the files, the post install script fails. It installs OK
with rpm -i though.

output from running system-install-packages in a terminal.

system-install-packages RealPlayer-10.0.6.776-20050915.i586.rpm
RealPlayer-10.0.6.776-20050915.i586.rpm
error: %post(RealPlayer-10.0.6.776-20050915.i586) scriptlet failed, exit status 255

I will attach the output of rpm -qp --scripts for info.
Comment 13 David Bentley 2006-03-22 06:44:31 EST
Created attachment 126467
script output for realplayer
Comment 14 Jeremy Katz 2006-04-12 11:51:20 EDT
Aha, this is a policy bug.  Policy fix is
--- serefpolicy-2.2.30/policy/modules/admin/rpm.fc.foo  2006-04-12
11:50:46.000000000 -0400
+++ serefpolicy-2.2.30/policy/modules/admin/rpm.fc      2006-04-12
11:51:44.000000000 -0400
@@ -15,6 +15,7 @@
 /usr/bin/fedora-rmdevelrpms    --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/pirut                        --     
gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/pup                  --      gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/system-install-packages      --     
gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check            --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date              --      gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
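Review bot: the added /usr/sbin/system-install-packages line only defines the default label in rpm.fc, so a binary that is already installed keeps its current type until it is relabeled; the change notes should say that existing systems need a relabel of that path (for example restorecon on the file) after the policy update. The new line is also placed between /usr/sbin/pup and /usr/sbin/rhn_check, which breaks the path ordering of the surrounding entries; putting it after rhn_check keeps the list sorted.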


You can fix your system with
  chcon system_u:object_r:rpm_exec_t:s0 /usr/sbin/system-install-packages
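
Added example, not part of the bug report or of the selinux-policy project: a shell check for the condition the policy fix above addresses, a package-manager front end whose file type is not rpm_exec_t. The function names, the sample listing and the sbin_t type shown for the mislabeled file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag package-manager front ends whose SELinux type is not
# the one rpm.fc assigns to them (rpm_exec_t in the patch above).
# Input : one "PATH CONTEXT" pair per line, as printed by
#           stat -c '%n %C' FILE...
# Output: "PATH TYPE" for every file whose type differs; exit status 1 if any.
audit_rpm_labels() {
    expected=${1:-rpm_exec_t}
    awk -v want="$expected" '
        NF < 2 { next }                    # skip blank or malformed lines
        {
            ctx = $NF                      # a context never contains spaces
            path = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", path)  # drop context, keep path
            n = split(ctx, f, ":")         # user:role:type[:level[:categories]]
            type = (n >= 3) ? f[3] : "unlabeled"
            if (type != want) { print path, type; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample input (not taken from the bug report). The type shown
# for system-install-packages is a placeholder: the report does not say
# which type the file carried before the fix.
sample_labels() {
    cat <<'EOF'
/usr/sbin/pirut system_u:object_r:rpm_exec_t:s0
/usr/sbin/pup system_u:object_r:rpm_exec_t:s0
/usr/sbin/system-install-packages system_u:object_r:sbin_t:s0
/usr/sbin/up2date system_u:object_r:rpm_exec_t:s0:c0.c1023
EOF
}

# On a live system:
#   stat -c '%n %C' /usr/sbin/pirut /usr/sbin/pup \
#       /usr/sbin/system-install-packages | audit_rpm_labels
sample_labels | audit_rpm_labels || echo "relabel the files listed above"
```
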
Comment 16 David Bentley 2006-05-07 07:55:10 EDT
We seem to have had the selinux policy update now in FC5 as well as rawhide so I
will do some tests and see if all is now fixed.
