Bug 660653 - SELinux AVCs during RPM installation
Summary: SELinux AVCs during RPM installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor
Version: 1.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: 1.3.2
Assignee: Matthew Farrellee
QA Contact: Jan Sarenik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-07 13:58 UTC by Jan Sarenik
Modified: 2011-02-15 12:12 UTC (History)

Fixed In Version: condor-7.4.5-0.3
Doc Type: Bug Fix
Doc Text:
On Red Hat Enterprise Linux 5, the %post scriptlet in the RPM spec file used a pipeline to filter out certain unimportant messages. Consequently, various denial messages could be reported by SELinux during the installation of this package. With this update, the %post scriptlet has been adapted not to use pipelines, and such messages no longer appear.
Clone Of:
Environment:
RHEL5 (up-to-date with RHN)
Last Closed: 2011-02-15 12:12:44 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 490108 0 low CLOSED SELinux error on upgrade 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 664684 0 low CLOSED init_write_script_pipes(load_policy_t) 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2011:0217 0 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging and Grid bug fix and enhancement update 2011-02-15 12:10:15 UTC

Internal Links: 490108 664684

Description Jan Sarenik 2010-12-07 13:58:01 UTC
During installation of Condor RPMs on RHEL5, there is
a line in the postinstall scriptlet which reads:

semanage fcontext -a -t unconfined_execmem_exec_t /usr/sbin/condor_startd 2>&1| grep -v "already defined"

This causes AVCs like the following:
------------------------------------------------------------
type=SYSCALL msg=audit(1291719121.964:58): arch=c000003e syscall=59 success=yes exit=0 a0=89102a0 a1=b647f40 a2=0 a3=2b27ac67d220 items=0 ppid=25947 pid=25965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1291719121.964:58): avc:  denied  { write } for  pid=25965 comm="setfiles" path="pipe:[149822]" dev=pipefs ino=149822 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=fifo_file
type=AVC msg=audit(1291719121.964:58): avc:  denied  { write } for  pid=25965 comm="setfiles" path="pipe:[149822]" dev=pipefs ino=149822 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=fifo_file
------------------------------------------------------------

Version-Release number of selected component (if applicable):
condor-7.4.4-0.16.el5 (MRG 1.3.0)
condor-7.4.4-0.17.el5 (MRG 1.3.0.1)

How reproducible: 100%

Steps to Reproduce:
1. Install condor RPM package (along with its dependencies: classads, gsoap)
  
Actual results: AVCs get emitted.

Expected results: No AVCs.

Additional info: Put above AVC lines into a file and run "sealert -a file".
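Added example, not part of the bug report or of the condor package: a small POSIX shell/awk filter that picks out of a pasted audit log exactly the denials this report is about, denied accesses to a fifo_file whose target is labelled rpm_script_t, which is what a helper such as setfiles produces when an RPM scriptlet runs it inside a pipeline. The sample records are constructed from the lines quoted above (the SYSCALL record shortened, one unrelated file denial added) so the script runs offline.

```shell
#!/bin/sh
# Constructed sample: one AVC record from the report, its SYSCALL record
# (shortened), and one unrelated file denial that must NOT be reported.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1291719121.964:58): arch=c000003e syscall=59 success=yes exit=0 ppid=25947 pid=25965 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1291719121.964:58): avc:  denied  { write } for  pid=25965 comm="setfiles" path="pipe:[149822]" dev=pipefs ino=149822 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=fifo_file
type=AVC msg=audit(1291719130.100:61): avc:  denied  { read } for  pid=26101 comm="httpd" path="/srv/www/index.html" dev=sda2 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# pipe_denials: read audit records on stdin and print, for every denied
# access to a fifo_file whose target is labelled rpm_script_t, one line:
#   <event id> <comm> <source type> <target type> <permission>
# That combination means a helper confined in its own domain (here
# setfiles_t) was handed a pipe created by an RPM scriptlet as stdout/stderr.
pipe_denials() {
    awk '
    /^type=AVC / && /avc: *denied/ && /tclass=fifo_file/ {
        perm = ""; comm = ""; sctx = ""; tctx = ""; id = ""
        # the requested permission sits between braces: { write }
        if (match($0, /[{] [a-z_ ]+ [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            gsub(/"/, "", kv[2])
            if (kv[1] == "comm")          comm = kv[2]
            else if (kv[1] == "scontext") sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "msg")      id = kv[2]
        }
        # contexts are user:role:type:level; compare the type component only
        split(sctx, s, ":"); split(tctx, t, ":")
        if (t[3] == "rpm_script_t")
            print id, comm, s[3], t[3], perm
    }'
}

# count_pipe_denials: number of matching records as a plain integer.
count_pipe_denials() {
    pipe_denials | wc -l | tr -d ' '
}

printf '%s\n' "$AUDIT_SAMPLE" | pipe_denials
```

Feed it `ausearch -m avc` output or the pasted lines; an empty result after the fix confirms the scriptlet no longer hands a pipe to setfiles.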

Comment 1 Jan Sarenik 2010-12-07 13:58:42 UTC
Just to make it clear: there is no such postinstall line in RHEL4
version of Condor's RPM.

Comment 2 Jan Sarenik 2010-12-08 15:31:14 UTC
This bug prevents me from successful test run in case I install
condor during the test. E.g. see
https://beaker.engineering.redhat.com/jobs/37019

Comment 3 Matthew Farrellee 2010-12-08 18:36:08 UTC
Bug 490108 should have been CLOSED as WONTFIX instead of NOTABUG, which is the case now. This was evaluated, with consultation from SELinux experts, and was not viewed to be an issue worth fixing at the time.

If this becomes an issue that impacts execution of the rpm installation/upgrade or the condor_startd after installation, we can re-evaluate.

Comment 4 Jan Sarenik 2010-12-09 09:58:02 UTC
But I am sure the "|grep" pipe is not vital there.
Simple removal of it would make my Beaker tests pass.
Please consider removing the pipe from postinstall script.

Excuse me for putting this back to ASSIGNED, but I would
like to get at least a reply. Thanks.

Comment 5 Matthew Farrellee 2010-12-09 18:23:16 UTC
Bug 472084 is the source of this.

EL5's current semanage (policycoreutils-1.33.12-14.8.el5) does not complain about duplicate fcontext -a's.

# semanage fcontext -l | grep startd
/usr/sbin/condor_startd                            all files          system_u:object_r:unconfined_execmem_exec_t:s0 
# semanage fcontext -a -t unconfined_execmem_exec_t /usr/sbin/condor_startd

If the change to semanage is intentional then the |grep may be removed altogether.

Comment 6 Matthew Farrellee 2010-12-10 19:52:13 UTC
I'm going to remove the |grep from the semanage line, should be available post 7.4.5-0.2, watch the Fixed In Version field.

Comment 7 Matthew Farrellee 2010-12-10 20:08:12 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
C: On EL5, the condor package's %post install script filtered out an innocuous message when redefining an already defined fcontext with semanage. 
C: The SELinux policy for EL5 would report errors from the pipe usage. Errors are below. The errors were non-fatal.
F: semanage no longer produces the innocuous messages and the pipe use in %post has been removed.
R: No more SELinux messages as part of a second install/upgrade.

Comment 8 Jan Sarenik 2010-12-13 09:42:19 UTC
Verified on condor-7.4.5-0.3.el5 on current RHN updated RHEL5.5 x86_64.
Thank you for the fix!

Comment 9 Jan Sarenik 2010-12-17 16:12:58 UTC
There is still an other problem, even after removing the "|grep"
pipe. I will get back with more info when it gets clearer.

Comment 10 Matthew Farrellee 2010-12-17 16:20:21 UTC
If it is a different issue, please file another BZ.

Comment 11 Jan Sarenik 2010-12-21 13:23:13 UTC
The new one is bug 664684.

This one is verified for condor-7.4.5-0.3.el5 according to the spec file.
Also verified practically both on RHEL5 x86_64 and i386.

Comment 12 Jaromir Hradilek 2011-02-09 14:44:45 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-C: On EL5, the condor package's %post install script filtered out an innocuous message when redefining an already defined fcontext with semanage. 
+On Red Hat Enterprise Linux 5, the %post scriptlet in the RPM spec file used a pipeline to filter out certain unimportant messages. Consequent to this, various denial messages could be reported by SELinux during the installation of this package. With this update, the %post scriptlet has been adapted no to use pipelines, and such messages no longer appear.-C: The SELinux policy for EL5 would report errors from the pipe usage. Errors are bellow. The errors were non-fatal.
-F: semanage no longer produces the innocuous messages and the pipe use in %post has been removed.
-R: No more SELinux messages as part of a second install/upgrade.
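Review bot: the replacement Doc Text in the `+` line contains a typo, "adapted no to use pipelines" should read "adapted not to use pipelines", and "Consequent to this" reads better as "Consequently". The same `+` line also runs straight into the removed "-C: The SELinux policy..." line, which indicates the new text was saved without a trailing newline; add one so the three removed lines diff cleanly on their own.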

Comment 13 errata-xmlrpc 2011-02-15 12:12:44 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0217.html
