Description of problem:
SELinux prevents ricci from installing RPMs.

Version-Release number of selected component (if applicable):
ricci-0.12.2-32.el5

How reproducible:
Always.

Steps to Reproduce:
1. Set up luci.
2. Install ricci and start it.
3. Add system to luci and tell it to install packages.

Actual results:
Luci gets stuck with "Node still being created" on the install step.

Expected results:
RPMs are installed.

Additional info:

Summary:

SELinux is preventing ricci-modrpm (ricci_modrpm_t) "create" to <Unknown> (ricci_modrpm_t).

Detailed Description:

SELinux denied access requested by ricci-modrpm. It is not expected that this access is required by ricci-modrpm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:ricci_modrpm_t
Target Context                system_u:system_r:ricci_modrpm_t
Target Objects                None [ unix_dgram_socket ]
Source                        ricci-modrpm
Source Path                   /usr/libexec/ricci-modrpm
Port                          <Unknown>
Host                          rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com
Source RPM Packages           ricci-0.12.2-32.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com
Platform                      Linux rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Fri Jul 15 12:57:52 2011
Last Seen                     Fri Jul 15 12:57:53 2011
Local ID                      b4848e92-8759-4886-aae8-5871c4ddafb8
Line Numbers

Raw Audit Messages

host=rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com type=AVC msg=audit(1310749073.49:144): avc: denied { create } for pid=5490 comm="ricci-modrpm" scontext=system_u:system_r:ricci_modrpm_t:s0 tcontext=system_u:system_r:ricci_modrpm_t:s0 tclass=unix_dgram_socket

host=rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com type=SYSCALL msg=audit(1310749073.49:144): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=5488 pid=5490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modrpm" exe="/usr/libexec/ricci-modrpm" subj=system_u:system_r:ricci_modrpm_t:s0 key=(null)

Fixed in selinux-policy-2.4.6-317.el5

The issue described in the original description appears to be fixed (using selinux-policy-2.4.6-317.el5 and ricci-0.12.2-33.el5). However, that then exposes the next issue. While not related to the original installation of RPMs, which is in fact working now, it appears ricci is unable to start the daemons for a similar reason. I am happy to open this as a new bug if that's preferred.

Summary:

SELinux is preventing ricci-modservic (ricci_modservice_t) "create" to <Unknown> (ricci_modservice_t).

Detailed Description:

SELinux denied access requested by ricci-modservic. It is not expected that this access is required by ricci-modservic and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:ricci_modservice_t
Target Context                system_u:system_r:ricci_modservice_t
Target Objects                None [ unix_dgram_socket ]
Source                        ricci-modservic
Source Path                   /usr/libexec/ricci-modservice
Port                          <Unknown>
Host                          bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Source RPM Packages           ricci-0.12.2-33.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-317.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Platform                      Linux bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com 2.6.18-274.3.1.el5 #1 SMP Fri Aug 26 18:49:02 EDT 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Oct 4 13:26:46 2011
Last Seen                     Tue Oct 4 13:26:46 2011
Local ID                      932f9ada-a4cc-4ca7-8149-02ce9f8b91ce
Line Numbers

Raw Audit Messages

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=AVC msg=audit(1317749206.35:39): avc: denied { create } for pid=19400 comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=SYSCALL msg=audit(1317749206.35:39): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=19398 pid=19400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modservic" exe="/usr/libexec/ricci-modservice" subj=system_u:system_r:ricci_modservice_t:s0 key=(null)

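
Added example, not part of the bug report or of the selinux-policy package: a small Python parser that pairs each AVC denial quoted above with its SYSCALL record through the shared audit event id, decodes the failed call, and prints the type-enforcement rule a local policy module would need for that denial. The function names are assumptions, the decoding tables cover only the values in these records, and the rule text is derived from the AVC fields alone, so it is not necessarily the change shipped in the fixed policy builds.

```python
import errno
import re

# The two denials quoted in this bug report, abridged: the host= prefix and the
# SYSCALL fields not used below are dropped.
SAMPLE = """\
type=AVC msg=audit(1310749073.49:144): avc: denied { create } for pid=5490 comm="ricci-modrpm" scontext=system_u:system_r:ricci_modrpm_t:s0 tcontext=system_u:system_r:ricci_modrpm_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1310749073.49:144): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 pid=5490 comm="ricci-modrpm"
type=AVC msg=audit(1317749206.35:39): avc: denied { create } for pid=19400 comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1317749206.35:39): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 pid=19400 comm="ricci-modservic"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<id>[^)]+)\): avc: +denied +\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)")
SYS_RE = re.compile(r"type=SYSCALL msg=audit\((?P<id>[^)]+)\): (?P<kv>.*)")

# Decoding tables limited to the values these records use.
FAMILY = {1: "AF_UNIX"}
SOCKTYPE = {2: "SOCK_DGRAM"}

def decode_socket(kv):
    """Render a SYSCALL record for socket(2), x86_64 syscall 41; a0..a2 are hex."""
    if kv.get("arch") != "c000003e" or kv.get("syscall") != "41":
        return None
    fam, typ = int(kv["a0"], 16), int(kv["a1"], 16)
    err = errno.errorcode.get(-int(kv["exit"]), kv["exit"])
    return "socket(%s, %s, %d) -> %s" % (
        FAMILY.get(fam, fam), SOCKTYPE.get(typ, typ), int(kv["a2"], 16), err)

def analyse(log):
    """Pair each AVC denial with its SYSCALL record via the shared event id."""
    calls = {m["id"]: dict(f.split("=", 1) for f in m["kv"].split())
             for m in SYS_RE.finditer(log)}
    results = []
    for m in AVC_RE.finditer(log):
        src, tgt = (c.split(":")[2] for c in (m["s"], m["t"]))  # user:role:type
        rule = "allow %s %s:%s { %s };" % (
            src, "self" if src == tgt else tgt, m["cls"], " ".join(m["perms"].split()))
        results.append((m["id"], rule, decode_socket(calls.get(m["id"], {}))))
    return results

if __name__ == "__main__":
    for event, rule, call in analyse(SAMPLE):
        print(event, call, rule, sep="\n  ")
```
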
Ok, this is a different AVC msg.
SELinux prevents ricci from starting/stopping services -> cloned bug 746351
Fixed in selinux-policy-2.4.6-318.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html