Red Hat Bugzilla – Bug 455744
Revisor doesn't launch with SELinux in enforcing mode
Last modified: 2009-11-23 11:28:56 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9) Gecko/2008061712 Fedora/3.0-1.fc9 Firefox/3.0
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set SELinux mode to enforcing
Revisor doesn't launch and a pop-up says:
« SELinux is in enforcing mode on this host. Composing media will fail. Please set SELinux to permissive mode. »
Revisor should engage with SELinux mode enforcing
[root@CHAMBRECAC ~]# revisor
SELinux is in enforcing mode on this host. Composing media will fail. Please set SELinux to permissive mode.
Revisor simply doesn't work with SELinux in enforcing mode. I'm not sure what
you think we can do about it.
Precisely what fails when it is in enforcing mode? I have not yet come across an intractable SELinux problem.
I think we need to make similar modifications to revisor that were made to livecd and then it can run in an SELinux environment.
I don't really know revisor, but if it works similarly to livecd in that it essentially does an install in a chroot environment, then we need to make sure that the installation does not affect the host environment. We also have to allow for different policy and file context in the chroot than on the host. Both of these issues now work in F10 with livecd.
Eric Paris and I can help the revisor people fix this problem, I believe.
livecd-tools (or actually the imgcreate python module from livecd-tools) is what Revisor uses to create the live media, so any changes going to livecd-tools making it possible for them to perform installs to a chroot environment should work for Revisor as well.
However, Revisor also creates installation media, like pungi, but doesn't use pungi. I'm not sure that can run with SELinux in enforcing mode, yet. It relates to anaconda's buildinstall/upd-instroot/mk-images bash scripts. These scripts essentially do run installs to a chroot including some foo to make install.img as small as possible.
Second, and I'm not sure this is even relevant, Revisor allows cross-composing; all current Fedora releases including rawhide can be composed on a system with a current Fedora release, including rawhide.
Which is also fine.
You can build Rawhide, RHEL5 or any other SELinux distribution within livecd now in F10 and Rawhide. So we should be able to get this to all work within revisor.
The running of the anaconda should all be possible now, not saying this would not be some work, but it would be useful to eventually get the build systems to not be able to attack the network or attack other machines using SELinux for protection.
OK, this is something I would need to test then.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
*** Bug 476210 has been marked as a duplicate of this bug. ***
This is also a problem with revisor-2.1.1-7.fc9.noarch. I was trying to compose a Rawhide ISO using Fedora 9.
I have Revisor running with SELinux in enforcing now, but I'm afraid I'm going to create a world of pain when releasing this in a final product.
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '10'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 10's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 10 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
revisor-2.1.7-1.fc11.noarch (Fedora 11) is at least launching without errors.
I've built (not yet released) a version that does not check for SELinux's status anymore.