Bug 216551 - selinux-policy-strict - "Could not copy files to sandbox ..."
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: 6
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-11-20 20:15 EST by Michal Jaegermann
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:12:00 EDT

Attachments:
error messages output during yum update (1.76 KB, text/plain)
2007-01-08 16:51 EST, Will Woods

Description Michal Jaegermann 2006-11-20 20:15:28 EST
Description of problem:

In the course of the most recent update one gets something of that sort


  Updating  : selinux-policy-strict        ####################### [15/40]
libsemanage.semanage_make_sandbox: Could not copy files to sandbox
/etc/selinux/strict/modules/tmp.
semodule:  Failed on base.pp!

A peek with 'rpm -q --scripts selinux-policy-strict' makes
"postinstall scriptlet" the most likely candidate.  Indeed, the
following commands:

cd /usr/share/selinux/strict
semodule -b base.pp -i prelink.pp -s strict

reproduce the quoted error message and the exit status is 1.
Luckily this is not the last operation of postinstall so we are
not left with installed duplicate packages.  No idea if overall
update results are correct.

Creating a non-existent directory /etc/selinux/strict/modules/tmp
does not help.  OTOH after a failed operation this directory
is removed. :-)

Version-Release number of selected component (if applicable):
selinux-policy-strict-2.4.3-10.fc6

How reproducible:
always
Comment 1 Daniel Walsh 2006-11-28 16:20:21 EST
Does

restorecon -R -v /etc/selinux

fix the problem?

Dan
Comment 2 Michal Jaegermann 2006-11-28 18:40:56 EST
> Does 'restorecon -R -v /etc/selinux' fix the problem.

No, it does not.  I got the same error message.

Is it relevant that on a machine where this happens selinux is, at this
moment, turned off while the selinux-policy-strict-2.4.3-10.fc6 and
selinux-policy-targeted-2.4.3-10.fc6 packages are actually installed?

Comment 3 Michal Jaegermann 2006-12-20 16:52:26 EST
I was installing selinux-policy-strict-2.4.6-7.fc6.i386 on another
machine and this time I got an error:

libsepol.scope_copy_callback: authlogin: Duplicate declaration in module:
type/attribute system_chkpwd_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

The same shows up after just:

cd /usr/share/selinux/strict
semodule -b base.pp -i prelink.pp -s strict

Is this another manifestation of the same issue as before or is this
something new?  That machine has at this moment installed
these packages:

selinux-policy-2.4.6-7.fc6
selinux-policy-targeted-2.4.6-7.fc6
selinux-policy-strict-2.4.6-7.fc6

Comment 4 Michal Jaegermann 2006-12-21 13:34:02 EST
The same error as the one described in comment #3 showed up
on an update to selinux-policy-strict-2.4.6-13.fc6.
Comment 5 Daniel Walsh 2006-12-29 10:43:57 EST
Please remove prelink.pp.  This file is now included in the base policy package.


semodule -r prelink
rm /usr/share/selinux/strict/prelink.pp

Install the rpm packages.
Comment 6 Michal Jaegermann 2006-12-29 13:12:46 EST
> Please remove prelink.pp.
??? 
# rpm -qf /usr/share/selinux/strict/prelink.pp
selinux-policy-strict-2.4.6-13.fc6

> semodule -r prelink
> rm /usr/share/selinux/strict/prelink.pp

OK

> Install the rpm packages.

You mean those from 'updates-testing'?
....
  Updating  : selinux-policy-strict        ######################### [3/6]
libsemanage.semanage_make_sandbox: Could not copy files to sandbox
/etc/selinux/strict/modules/tmp.
semodule:  Failed on base.pp!
....
Updated: selinux-policy.noarch 0:2.4.6-17.fc6 selinux-policy-strict.noarch
0:2.4.6-17.fc6 selinux-policy-targeted.noarch 0:2.4.6-17.fc6
Complete!

Now /usr/share/selinux/strict/prelink.pp is back as a part of
selinux-policy-strict-2.4.6-17.fc6 and 'rpm -q --scripts selinux-policy-strict'
explicitly says:

( cd /usr/share/selinux/strict;
semodule -b base.pp -i prelink.pp -i acct.pp .... );

If you try just 'semodule -b base.pp -i acct.pp', this responds with

libsepol.print_missing_requirements: amavis's global requirements were not met:
type/attribute crond_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

I am afraid that I am lost here.
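
Added example, not part of the original thread and not code from libsemanage or the selinux-policy packages: a small triage script over the three semodule transcripts quoted in the description, comment 3 and comment 6. It shows that the description's failure is reported by semanage_make_sandbox while the other two are reported by semanage_link_sandbox with different libsepol causes. The cause labels and the names SAMPLES, parse and classify are assumptions of this example.

```python
import re

# Constructed input: the three semodule failures quoted in this report,
# with the line wrapping they have on the page.
SAMPLES = {
    "description": "libsemanage.semanage_make_sandbox: Could not copy files to sandbox\n"
                   "/etc/selinux/strict/modules/tmp.\n"
                   "semodule:  Failed on base.pp!",
    "comment 3": "libsepol.scope_copy_callback: authlogin: Duplicate declaration in module:\n"
                 "type/attribute system_chkpwd_t\n"
                 "libsemanage.semanage_link_sandbox: Link packages failed\n"
                 "semodule:  Failed!",
    "comment 6": "libsepol.print_missing_requirements: amavis's global requirements were not met:\n"
                 "type/attribute crond_t\n"
                 "libsemanage.semanage_link_sandbox: Link packages failed\n"
                 "semodule:  Failed!",
}

PREFIX = re.compile(r"^(libsemanage|libsepol)\.(\w+): (.*)$")
CAUSES = [  # (label assumed by this example, pattern capturing module and detail)
    ("sandbox-copy", re.compile(r"^()Could not copy files to sandbox (\S+?)\.?$")),
    ("duplicate-declaration", re.compile(r"^(\S+): Duplicate declaration in module: \S+ (\S+)$")),
    ("missing-requirement", re.compile(r"^(\S+)'s global requirements were not met: \S+ (\S+)$")),
]

def parse(transcript):
    """Return [library, function, message] records, re-joining wrapped lines."""
    records = []
    for line in (l.strip() for l in transcript.splitlines()):
        m = PREFIX.match(line)
        if m:
            records.append(list(m.groups()))
        elif line and not line.startswith("semodule:") and records:
            records[-1][2] += " " + line  # continuation of the previous message
    return records

def classify(transcript):
    """Name the libsemanage function that reported failure and the stated cause."""
    result = {"stage": None, "cause": "unknown", "module": None, "detail": None}
    for lib, func, msg in parse(transcript):
        if lib == "libsemanage":
            result["stage"] = func.replace("semanage_", "", 1)
        for label, rx in CAUSES:
            m = rx.match(msg)
            if m:
                result.update(cause=label, module=m.group(1) or None, detail=m.group(2))
    return result

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```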
Comment 7 Will Woods 2007-01-08 16:51:48 EST
Created attachment 145109
error messages output during yum update

I seem to have the same problem while updating from 2.4.6-17.fc6  to
2.4.6-23.fc6.
Comment 8 Daniel Walsh 2007-08-22 10:12:00 EDT
Fixed in current release
