Bug 445166 - ppc new install with latest selinux-policy-targeted problems
Summary: ppc new install with latest selinux-policy-targeted problems
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-05 03:16 UTC by Kevin Fenzi
Modified: 2008-07-02 19:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-02 19:41:45 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Kevin Fenzi 2008-05-05 03:16:08 UTC 
When doing a new fresh install on a ppc machine with all the latested updated
packages, (ie with all updates spun into the install tree), the resulting
install has some odd selinux issues. 

root ends up with: 
root seems to get uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:hotplug_t:s0-s0:c0.c1023

which doesn't allow root to login at all. 

type=AVC msg=audit(1209955458.284:14): avc:  denied  { entrypoint } for 
pid=2199 comm="gdm-binary" path="/usr/bin/gnome-keyring-daemon" dev=hda4
ino=6486205 scontext=system_u:system_r:hotplug_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1209955458.794:17): avc:  denied  { entrypoint } for 
pid=2201 comm="gdm-binary" path="/etc/X11/xinit/Xsession" dev=hda4 ino=1865418
scontext=system_u:system_r:hotplug_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file

I see in install.log: 

Installing selinux-policy-targeted - 3.0.8-98.fc8.noarch
/usr/sbin/semanage: range not supported on Non MLS machines
/usr/sbin/semanage: Invalid prefix guest
/usr/sbin/semanage: Invalid prefix xguest

Note that this doesn't happen on x86 installs... ;( 

Note further that a normal f8 stock install, then updated to the latest via yum
works fine, it's only a fresh install with the latest that causes the issue. 

Also, a 'touch /.autorelabel; reboot' fixes it...
Comment 1 Jeroen van Meeuwen 2008-05-06 15:49:00 UTC 
Although caused by the latest Fedora Unity Re-Spin - and as such not by any
means RH/FP's responsibility, this pretty much sums up what things need to be
enhanced for, like being discussed at the SELinux mailing list @rh.c
Comment 2 Jeroen van Meeuwen 2008-05-06 15:50:05 UTC 
Thread at
https://www.redhat.com/archives/fedora-selinux-list/2008-April/msg00047.html
Comment 3 Daniel Walsh 2008-05-06 20:28:02 UTC 
This looks like the kernel was not built with MLS turned on.  Is there a chance
the ppc kernel was built differently then the x86?

I don't see how this relates to the other problem.  The AVC you have aove
indicates /etc/X11/xinit/Xsession was not labeled on install.  (file_t).  Is
this a file moved from some other location?  The semanage commands that are
failing indicates that you have a kernel that does not support MLS/MCS Labeles
but policy was built with this support.
Comment 4 Jeroen van Meeuwen 2008-05-06 23:11:56 UTC 
Daniel, the installation media he used was composed with SELinux in enforcing
mode, which will end up with the policies not being available during the
installation -although available in RPM form, the installer runs without SELinux
and can therefore apply the right context to files it installs, and hence once
done installing wrong labels are all over the place.
Comment 5 Daniel Walsh 2008-05-07 09:55:47 UTC 
OK there has been some movement on this for the kernel,  once we have the kernel
in place that allows rpm to put down the correct contexts, we can trick
selinux-policy rpm to do the right thing.
Comment 6 Kevin Fenzi 2008-05-07 15:38:22 UTC 
ok, so I guess we can close this bug off? and wait for progress on other fronts?
Thanks for explaining what was going on Jeroen...
Note You need to log in before you can comment on or make changes to this bug.