Bug 445166 - ppc new install with latest selinux-policy-targeted problems
ppc new install with latest selinux-policy-targeted problems
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2008-05-04 23:16 EDT by Kevin Fenzi
Modified: 2008-07-02 15:41 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-02 15:41:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kevin Fenzi 2008-05-04 23:16:08 EDT
When doing a new fresh install on a ppc machine with all the latested updated
packages, (ie with all updates spun into the install tree), the resulting
install has some odd selinux issues. 

root ends up with: 
root seems to get uid=0(root) gid=0(root)

which doesn't allow root to login at all. 

type=AVC msg=audit(1209955458.284:14): avc:  denied  { entrypoint } for 
pid=2199 comm="gdm-binary" path="/usr/bin/gnome-keyring-daemon" dev=hda4
ino=6486205 scontext=system_u:system_r:hotplug_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1209955458.794:17): avc:  denied  { entrypoint } for 
pid=2201 comm="gdm-binary" path="/etc/X11/xinit/Xsession" dev=hda4 ino=1865418
tcontext=system_u:object_r:file_t:s0 tclass=file

I see in install.log: 

Installing selinux-policy-targeted - 3.0.8-98.fc8.noarch
/usr/sbin/semanage: range not supported on Non MLS machines
/usr/sbin/semanage: Invalid prefix guest
/usr/sbin/semanage: Invalid prefix xguest

Note that this doesn't happen on x86 installs... ;( 

Note further that a normal f8 stock install, then updated to the latest via yum
works fine, it's only a fresh install with the latest that causes the issue. 

Also, a 'touch /.autorelabel; reboot' fixes it...
Comment 1 Jeroen van Meeuwen 2008-05-06 11:49:00 EDT
Although caused by the latest Fedora Unity Re-Spin - and as such not by any
means RH/FP's responsibility, this pretty much sums up what things need to be
enhanced for, like being discussed at the SELinux mailing list @rh.c
Comment 3 Daniel Walsh 2008-05-06 16:28:02 EDT
This looks like the kernel was not built with MLS turned on.  Is there a chance
the ppc kernel was built differently then the x86?

I don't see how this relates to the other problem.  The AVC you have aove
indicates /etc/X11/xinit/Xsession was not labeled on install.  (file_t).  Is
this a file moved from some other location?  The semanage commands that are
failing indicates that you have a kernel that does not support MLS/MCS Labeles
but policy was built with this support.
Comment 4 Jeroen van Meeuwen 2008-05-06 19:11:56 EDT
Daniel, the installation media he used was composed with SELinux in enforcing
mode, which will end up with the policies not being available during the
installation -although available in RPM form, the installer runs without SELinux
and can therefore apply the right context to files it installs, and hence once
done installing wrong labels are all over the place.
Comment 5 Daniel Walsh 2008-05-07 05:55:47 EDT
OK there has been some movement on this for the kernel,  once we have the kernel
in place that allows rpm to put down the correct contexts, we can trick
selinux-policy rpm to do the right thing.
Comment 6 Kevin Fenzi 2008-05-07 11:38:22 EDT
ok, so I guess we can close this bug off? and wait for progress on other fronts?
Thanks for explaining what was going on Jeroen... 

Note You need to log in before you can comment on or make changes to this bug.