Bug 455744 - Revisor don't launch with SELinux in enforcing mode
Revisor don't launch with SELinux in enforcing mode
Product: Fedora
Classification: Fedora
Component: revisor (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jeroen van Meeuwen
Fedora Extras Quality Assurance
: 476210 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2008-07-17 11:07 EDT by Couret Charles-Antoine
Modified: 2009-11-23 11:28 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-11-23 11:28:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Couret Charles-Antoine 2008-07-17 11:07:30 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9) Gecko/2008061712 Fedora/3.0-1.fc9 Firefox/3.0

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1-Set SELinux mode enforcing 
2-Launch Revisor

Actual Results:
Revisor don't launch et one pop-up says :
« SELinux is in enforcing mode on this host. Composing media will fail. Please set SELinux to permissive mode. »

Expected Results:
Revisor should engage with SELinux mode enforcing

Additional info:
[root@CHAMBRECAC ~]# revisor
SELinux is in enforcing mode on this host. Composing media will fail. Please set SELinux to permissive mode.
Comment 1 Jeroen van Meeuwen 2008-07-31 17:20:41 EDT
Revisor simply doesn't work with SELinux in enforcing mode. I'm not sure what
you think we can do about it.
Comment 2 Matthew Booth 2008-12-08 18:21:52 EST
Precisely what fails when it is in enforcing mode? I have not yet come across an intractible SELinux problem.
Comment 3 Daniel Walsh 2008-12-09 08:27:43 EST
I think we need to make similar modifications to revisor that were made to livecd and then it can run in an SELinux environment.

I don't really know revisor, but if it works similarly to livecd in that it essentially does an install in a chroot environment, then we need to make sure that the installation does not effect the host environment.  We also have to allow for different policy and file context in the chroot then on the host.  Bot of these issues now work in F10 with livecd.

Eric Paris and I can help the revisor people fix this problem, I believe.
Comment 4 Jeroen van Meeuwen 2008-12-10 06:03:12 EST
livecd-tools (or actually the imgcreate python module from livecd-tools) is what Revisor uses to create the live media, so any changes going to livecd-tools making it possible for them to perform installs to a chroot environment should work for Revisor as well.

However, Revisor also creates installation media, like pungi -but doesn't use pungi. I'm not sure that can run with SELinux in enforcing mode, yet. It relates to anaconda's buildinstall/upd-instroot/mk-images bash scripts. These scripts essentially do run installs to a chroot including some foo to make install.img as small as possible.

Second, and I'm not sure this is even relevant, Revisor allows cross-composing; all current Fedora releases including rawhide can be composed on a system with a current Fedora release, including rawhide.
Comment 5 Daniel Walsh 2008-12-10 09:13:19 EST
Which is also fine.  

You can build Rawhide, RHEL5 or any other SELinux distribution within livecd now in F10 and Rawhide.  So we should be able to get this to all work within revisor,

THe running of the anaconda should all be possible now, not saying this would not be some work, but it would be usefull to eventually get the build systems to not be able to attack the network or attack other machines using SELinux for protection.
Comment 6 Jeroen van Meeuwen 2008-12-11 10:34:38 EST
OK, this is something I would need to test then.
Comment 7 Fedora Admin XMLRPC Client 2009-01-31 19:06:04 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Jerry Amundson 2009-03-05 23:43:45 EST
*** Bug 476210 has been marked as a duplicate of this bug. ***
Comment 9 Christopher Beland 2009-03-08 03:38:10 EDT
This is also a problem with revisor-2.1.1-7.fc9.noarch.  I was trying to compose a Rawhide ISO using Fedora 9.
Comment 10 Jeroen van Meeuwen 2009-11-08 18:03:17 EST
I have Revisor running with SELinux in enforcing now,  but I'm afraid I'm going to create a world of pain when releasing this in a final product.
Comment 11 Daniel Walsh 2009-11-09 13:22:46 EST
Comment 12 Bug Zapper 2009-11-18 03:13:48 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 13 Christopher Beland 2009-11-18 12:40:45 EST
revisor-2.1.7-1.fc11.noarch (Fedora 11) is at least launching without errors.
Comment 14 Jeroen van Meeuwen 2009-11-23 11:28:56 EST
I've built (not yet released) a version that does not check for SELinux's status anymore.

Note You need to log in before you can comment on or make changes to this bug.