Bug 425798 - Cannot start cyphesis with selinux active
Cannot start cyphesis with selinux active
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: cyphesis (Show other bugs)
8
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Wart
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-15 17:28 EST by Alexey Torkhov
Modified: 2008-01-15 18:09 EST (History)
0 users

See Also:
Fixed In Version: 0.5.15-3.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-15 18:09:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Alexey Torkhov 2007-12-15 17:28:32 EST
Description of problem:
Cannot start cyphesis in default configuration with selinux active.

Version-Release number of selected component (if applicable):
cyphesis-0.5.13-2.fc8 and also cyphesis-0.5.14-1.fc8

How reproducible:
Always.

Steps to Reproduce:
Run 'service start cyphesis'
  
Actual results:
"Cannot find user cyphesis to run cyphesis service." in console.

Expected results:
All is right.

Additional info:
In selinux logs:
avc: denied { read write } for comm=su dev=devpts name=8 path=/dev/pts/8
pid=16267 scontext=system_u:system_r:initrc_su_t:s0 tclass=chr_file
tcontext=system_u:object_r:unconfined_devpts_t:s0 
avc: denied { execute } for comm=su dev=sdc3 name=nologin pid=16296
scontext=system_u:system_r:initrc_su_t:s0 tclass=file
tcontext=system_u:object_r:bin_t:s0 
avc: denied { execute } for comm=su dev=sdc3 name=xauth pid=16295
scontext=system_u:system_r:initrc_su_t:s0 tclass=file
tcontext=system_u:object_r:xauth_exec_t:s0 
avc: denied { read write } for comm=su dev=devpts name=8 pid=16295
scontext=system_u:system_r:initrc_su_t:s0 tclass=chr_file
tcontext=system_u:object_r:unconfined_devpts_t:s0
Comment 1 Wart 2007-12-15 21:13:47 EST
Somewhere between F7 and F8, 'su <username> -c /bin/true' stopped working if the
user's shell was /sbin/nologin.  This caused cyphesis to fail to start, since it
is launched with 'su cyphesis -c ...'.  In response, I changed the default shell
for the cyphesis user to /bin/bash, but neglected to change the shell for
existing installs.

My guess is that you had previously installed cyphesis and ended up with the
cyphesis user's shell as /sbin/nologin.  I'll add a patch to the spec file to
change the shell to /bin/bash if the cyphesis use already exists.  Until the
update is available, you can workaround the problem by changing the cyphesis
user's shell manually:

# chsh cyphesis -s /bin/bash

btw, this has nothing to do with selinux.  This also fails when selinux is disabled.
Comment 2 Alexey Torkhov 2007-12-16 03:09:29 EST
It was first installation of cyphesis-0.5.13 on almost clean F8.
And, yes, cyphesis had /sbin/nologin shell.

Thanks for workaround, seems that it starts. But I'm still getting selinux
denies, it's a bit annoying.
Comment 3 Wart 2007-12-16 23:07:59 EST
Are these selinux denials actually preventing cyphesis from starting up?  I seem
to recall that these AVC denials are normal when you start/stop cyphesis from
the command line as opposed to letting the system start cyphesis during the
normal boot process.
Comment 4 Alexey Torkhov 2007-12-17 03:25:29 EST
No, they are not preventing. But 15(!) alerts, for me, is signal that something
going wrong. How can I be sure it is fully functional? There should be no
alerts. Compare, for example, with postgresql - there are no alerts at start.

Please, if possible, cure cyphesis to get rid to alerts. I can send my logs or
any other info, if needed.

Also about postgres. There is written in its startup script - "For SELinux we
need to use 'runuser' not 'su'". But su is used in cyphesis script. May be here
is the problem? I've changed to runuser and get much less alerts than with su.
Comment 5 Alexey Torkhov 2007-12-18 03:05:20 EST
Also logs are saved into /var/tmp/cyphesis_event.log and logwatch are also
getting avc denies:
avc: denied { getattr } for comm=0logwatch dev=sdc3 egid=0 euid=0
exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path=/var/tmp/cyphesis_event.log pid=4046
scontext=system_u:system_r:logwatch_t:s0 sgid=0
subj=system_u:system_r:logwatch_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:tmp_t:s0 tty=(none) uid=0 

Probably, logs should go to /var/log and then logfile will get correct selinux
context.
Comment 6 Wart 2007-12-20 12:32:31 EST
I've pushed cyphesis-1.5.0-2 to the F-8 testing repository.  This contains the
runuser fix and moves the log files to the proper /var/log directory.  Can you
let me know if this fixes these issues?

yum --enablerepo updates-testing upgrade cyphesis
Comment 7 Alexey Torkhov 2007-12-20 13:13:11 EST
No, it create new ones :)
It don't allow cyphesis to write to /var/log/cyphesis:
SELinux is preventing cyphesis (cyphesis_t) "write" to (var_log_t).
avc: denied { write } for comm=cyphesis dev=sdc3 name=cyphesis pid=11673
scontext=system_u:system_r:cyphesis_t:s0 tclass=dir
tcontext=system_u:object_r:var_log_t:s0

Also one avc deny is when starting, not sure how is it important, but I want so
there is no any avc denies:
SELinux is preventing cyphesis (cyphesis_t) "setfscreate" ΠΊ (cyphesis_t).
avc: denied { setfscreate } for comm=cyphesis pid=11673
scontext=system_u:system_r:cyphesis_t:s0 tclass=process
tcontext=system_u:system_r:cyphesis_t:s0
Comment 8 Fedora Update System 2007-12-20 15:11:20 EST
cyphesis-0.5.15-2.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cyphesis'
Comment 9 Wart 2007-12-21 01:00:00 EST
I think I have these two avc denials fixed, and cyphesis can now create its own
log file.  Can you try out the 0.5.15-3 packages from:

http://www.kobold.org/~wart/fedora/core8/RPMS/i386/
http://www.kobold.org/~wart/fedora/core8/RPMS/x86_64/

I would have pushed them to updates-testing, but the lag for getting packages
into the testing repo is too long.
Comment 10 Alexey Torkhov 2007-12-21 04:28:35 EST
On rpm update I get this warnings/errors:
libsemanage.semanage_direct_upgrade: Previous module cyphesis is same or newer.
/usr/sbin/semodule:  Failed on /usr/share/selinux/mls/cyphesis.pp!
libsemanage.semanage_direct_upgrade: Previous module cyphesis is same or newer.
/usr/sbin/semodule:  Failed on /usr/share/selinux/strict/cyphesis.pp!
libsemanage.semanage_direct_upgrade: Previous module cyphesis is same or newer.
/usr/sbin/semodule:  Failed on /usr/share/selinux/targeted/cyphesis.pp!

But this is minor issue, and after removing and installing again cyphesis I get
it fine and working. Thanks! :)
Comment 11 Fedora Update System 2007-12-23 17:50:44 EST
cyphesis-0.5.15-3.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cyphesis'
Comment 12 Fedora Update System 2007-12-26 18:51:41 EST
cyphesis-0.5.15-3.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update cyphesis'
Comment 13 Fedora Update System 2008-01-15 18:09:23 EST
cyphesis-0.5.15-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.