Description of problem:
Cannot start cyphesis in default configuration with selinux active.

Version-Release number of selected component (if applicable):
cyphesis-0.5.13-2.fc8 and also cyphesis-0.5.14-1.fc8

How reproducible:
Always.

Steps to Reproduce:
Run 'service start cyphesis'

Actual results:
"Cannot find user cyphesis to run cyphesis service." in console.

Expected results:
All is right.

Additional info:
In selinux logs:
avc: denied { read write } for comm=su dev=devpts name=8 path=/dev/pts/8 pid=16267 scontext=system_u:system_r:initrc_su_t:s0 tclass=chr_file tcontext=system_u:object_r:unconfined_devpts_t:s0
avc: denied { execute } for comm=su dev=sdc3 name=nologin pid=16296 scontext=system_u:system_r:initrc_su_t:s0 tclass=file tcontext=system_u:object_r:bin_t:s0
avc: denied { execute } for comm=su dev=sdc3 name=xauth pid=16295 scontext=system_u:system_r:initrc_su_t:s0 tclass=file tcontext=system_u:object_r:xauth_exec_t:s0
avc: denied { read write } for comm=su dev=devpts name=8 pid=16295 scontext=system_u:system_r:initrc_su_t:s0 tclass=chr_file tcontext=system_u:object_r:unconfined_devpts_t:s0
Somewhere between F7 and F8, 'su <username> -c /bin/true' stopped working if the user's shell was /sbin/nologin. This caused cyphesis to fail to start, since it is launched with 'su cyphesis -c ...'. In response, I changed the default shell for the cyphesis user to /bin/bash, but neglected to change the shell for existing installs. My guess is that you had previously installed cyphesis and ended up with the cyphesis user's shell as /sbin/nologin. I'll add a patch to the spec file to change the shell to /bin/bash if the cyphesis user already exists. Until the update is available, you can work around the problem by changing the cyphesis user's shell manually:

# chsh cyphesis -s /bin/bash

btw, this has nothing to do with selinux. This also fails when selinux is disabled.
It was the first installation of cyphesis-0.5.13 on an almost clean F8. And, yes, cyphesis had the /sbin/nologin shell. Thanks for the workaround; it seems to start now. But I'm still getting selinux denials, which is a bit annoying.
Are these selinux denials actually preventing cyphesis from starting up? I seem to recall that these AVC denials are normal when you start/stop cyphesis from the command line as opposed to letting the system start cyphesis during the normal boot process.
No, they are not preventing it. But 15(!) alerts, for me, is a signal that something is going wrong. How can I be sure it is fully functional? There should be no alerts. Compare, for example, with postgresql: there are no alerts at start. Please, if possible, cure cyphesis to get rid of the alerts. I can send my logs or any other info, if needed.

Also about postgres. It is written in its startup script: "For SELinux we need to use 'runuser' not 'su'". But su is used in the cyphesis script. Maybe the problem is here? I've changed it to runuser and get far fewer alerts than with su.
Also, logs are saved into /var/tmp/cyphesis_event.log, and logwatch is also getting avc denials:

avc: denied { getattr } for comm=0logwatch dev=sdc3 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/var/tmp/cyphesis_event.log pid=4046 scontext=system_u:system_r:logwatch_t:s0 sgid=0 subj=system_u:system_r:logwatch_t:s0 suid=0 tclass=file tcontext=system_u:object_r:tmp_t:s0 tty=(none) uid=0

Probably, logs should go to /var/log, and then the logfile will get the correct selinux context.
I've pushed cyphesis-1.5.0-2 to the F-8 testing repository. This contains the runuser fix and moves the log files to the proper /var/log directory. Can you let me know if this fixes these issues?

yum --enablerepo updates-testing upgrade cyphesis
No, it creates new ones :) It doesn't allow cyphesis to write to /var/log/cyphesis:

SELinux is preventing cyphesis (cyphesis_t) "write" to (var_log_t).
avc: denied { write } for comm=cyphesis dev=sdc3 name=cyphesis pid=11673 scontext=system_u:system_r:cyphesis_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0

Also there is one avc denial when starting; not sure how important it is, but I want there to be no avc denials at all:

SELinux is preventing cyphesis (cyphesis_t) "setfscreate" to (cyphesis_t).
avc: denied { setfscreate } for comm=cyphesis pid=11673 scontext=system_u:system_r:cyphesis_t:s0 tclass=process tcontext=system_u:system_r:cyphesis_t:s0
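The denials quoted in this report are easier to reason about once they are reduced to (source type, target type, class, permissions) tuples: the su-related ones are all in initrc_su_t, while the post-runuser ones are in cyphesis_t and logwatch_t. The following script is an added example and is not part of the bug report or of the cyphesis package; it takes the AVC lines quoted above as a constructed sample, summarises them with awk, and prints them as audit2allow-style allow rules. Function names and the AVC_SAMPLE variable are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or the cyphesis package:
# condense raw AVC denials into one line per
# (source type, target type, object class, permissions) tuple, then print
# them as audit2allow-style "allow" rules so it is obvious which domains
# the init script and daemon run in and which accesses are missing.
# Only the type component of each context is kept; user/role/level are dropped.

# Constructed sample input: the AVC lines quoted in this report
# (one of them appears twice to show de-duplication).
AVC_SAMPLE='avc: denied { read write } for comm=su dev=devpts name=8 path=/dev/pts/8 pid=16267 scontext=system_u:system_r:initrc_su_t:s0 tclass=chr_file tcontext=system_u:object_r:unconfined_devpts_t:s0
avc: denied { execute } for comm=su dev=sdc3 name=nologin pid=16296 scontext=system_u:system_r:initrc_su_t:s0 tclass=file tcontext=system_u:object_r:bin_t:s0
avc: denied { execute } for comm=su dev=sdc3 name=xauth pid=16295 scontext=system_u:system_r:initrc_su_t:s0 tclass=file tcontext=system_u:object_r:xauth_exec_t:s0
avc: denied { read write } for comm=su dev=devpts name=8 pid=16295 scontext=system_u:system_r:initrc_su_t:s0 tclass=chr_file tcontext=system_u:object_r:unconfined_devpts_t:s0
avc: denied { getattr } for comm=0logwatch dev=sdc3 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/var/tmp/cyphesis_event.log pid=4046 scontext=system_u:system_r:logwatch_t:s0 sgid=0 subj=system_u:system_r:logwatch_t:s0 suid=0 tclass=file tcontext=system_u:object_r:tmp_t:s0 tty=(none) uid=0
avc: denied { write } for comm=cyphesis dev=sdc3 name=cyphesis pid=11673 scontext=system_u:system_r:cyphesis_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0
avc: denied { setfscreate } for comm=cyphesis pid=11673 scontext=system_u:system_r:cyphesis_t:s0 tclass=process tcontext=system_u:system_r:cyphesis_t:s0'

# summarize_avc: read AVC lines on stdin and print
# "src_type tgt_type class perm[ perm ...]", de-duplicated and sorted
# (LC_ALL=C gives a stable, locale-independent order).
summarize_avc() {
    awk '
    /avc: *denied/ {
        # permissions are the brace-delimited list after "denied"
        o = index($0, "{"); c = index($0, "}")
        perms = substr($0, o + 1, c - o - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        # key=value fields can appear in any order, so scan them all
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/) src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        # user:role:type:level -> keep the type
        split(src, s, ":"); split(tgt, t, ":")
        print s[3], t[3], cls, perms
    }' | LC_ALL=C sort -u
}

# to_allow_rules: render the summary as audit2allow-style TE rules.
to_allow_rules() {
    summarize_avc | awk '{
        printf "allow %s %s:%s {", $1, $2, $3
        for (i = 4; i <= NF; i++) printf " %s", $i
        print " };"
    }'
}

# Run stand-alone: show the rule set for the sample denials.
printf '%s\n' "$AVC_SAMPLE" | to_allow_rules
```

The rules are a reading aid, not a policy to install blindly: the initrc_su_t entries (su executing nologin and xauth, su touching the caller's pty) describe what su does when run from an interactive shell, and the thread's answer was to change the init script to runuser rather than to allow those accesses; only the cyphesis_t and logwatch_t entries point at gaps in the cyphesis policy module itself.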
cyphesis-0.5.15-2.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update cyphesis'
I think I have these two avc denials fixed, and cyphesis can now create its own log file. Can you try out the 0.5.15-3 packages from:

http://www.kobold.org/~wart/fedora/core8/RPMS/i386/
http://www.kobold.org/~wart/fedora/core8/RPMS/x86_64/

I would have pushed them to updates-testing, but the lag for getting packages into the testing repo is too long.
On rpm update I get these warnings/errors:

libsemanage.semanage_direct_upgrade: Previous module cyphesis is same or newer.
/usr/sbin/semodule: Failed on /usr/share/selinux/mls/cyphesis.pp!
libsemanage.semanage_direct_upgrade: Previous module cyphesis is same or newer.
/usr/sbin/semodule: Failed on /usr/share/selinux/strict/cyphesis.pp!
libsemanage.semanage_direct_upgrade: Previous module cyphesis is same or newer.
/usr/sbin/semodule: Failed on /usr/share/selinux/targeted/cyphesis.pp!

But this is a minor issue, and after removing and installing cyphesis again it works fine. Thanks! :)
cyphesis-0.5.15-3.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update cyphesis'
cyphesis-0.5.15-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.