Bug 735598 - avc: livecd-creator/python/ldconfig script/program/process transition
Summary: avc: livecd-creator/python/ldconfig script/program/process transition
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2011-09-03 21:43 UTC by Mr-4
Modified: 2012-08-07 19:58 UTC (History)

Fixed In Version: selinux-policy-3.9.16-52.fc15
Doc Type: Bug Fix
Last Closed: 2012-08-07 19:58:48 UTC

Description Mr-4 2011-09-03 21:43:11 UTC
Description of problem:
During image creation using livecd-creator (livecd-tools), SELinux is preventing execution of *any* rpm scripts which require process transition.

A simple example would be the libgcc package - essential for any linux installation. In its %postun section there is a script which executes /usr/sbin/libgcc_post_upgrade. Selinux currently prevents that, thus building packages using livecd-tools is nigh impossible!

Version-Release number of selected component (if applicable):
FC15, 3.9.16-34 & 3.9.16-38 target policy versions

How reproducible:
always

Steps to Reproduce:
1. Create a simple kickstart file (assuming ks.cfg), containing just basic installation (say kernel & bash)
2. execute livecd-creator -v -c ks.cfg -f test.iso
Actual results:
An error like this one:

  Installing: libgcc                       ##################### [  8/2012] 
warning: %post(libgcc-4.6.1-4.fc15.x86_64) scriptlet failed, exit status 127

and the corresponding avc is:

type=AVC msg=audit(1315085201.951:31578): avc:  denied  { transition } for  pid=30207 comm="livecd-creator" path="/usr/sbin/libgcc_post_upgrade" dev=loop2 ino=49156 scontext=unconfined_u:unconfined_r:livecd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1315085201.951:31578): arch=c000003e syscall=59 success=no exit=-13 a0=28851b0 a1=2853490 a2=7fffa575cff0 a3=20 items=0 ppid=30170 pid=30207 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="livecd-creator" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:livecd_t:s0-s0:c0.c1023 key=(null)


Expected results:
None of the above errors

Additional info:
echo 0 > /selinux/enforce (i.e. disable selinux) "cures" this, but the policy should be altered to prevent the above error from occurring

Comment 1 Miroslav Grepl 2011-09-06 10:58:09 UTC
Fixed in -39.fc15 release.

Comment 2 Fedora Update System 2011-09-08 08:11:23 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Comment 3 Fedora Update System 2011-09-09 05:27:41 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

Comment 4 Mr-4 2011-09-15 22:46:17 UTC
Although the initial problem as reported above has been fixed, I am now getting similar denials from different %post scripts trying to do different things (useradd, groupadd, depmod to name a few) - essential for the building process to succeed. 

Do you not test this before you go ahead and release junk like this - do you just bump the policy version number for the sake of it? This all used to work with the fc14 policies!

Some very small selection of errors and avc denials I am getting:

/var/tmp/rpm-tmp.ECqGRs: line 2: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.ECqGRs: line 4: /usr/sbin/useradd: Permission denied
[...]
error: %pre(initscripts-9.12.1-1.fc15.i686) scriptlet failed, exit status 126
error:   install: %pre scriptlet failed (2), skipping initscripts-9.12.1-1.fc15
/var/tmp/rpm-tmp.iewLOP: line 5: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.iewLOP: line 6: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.iewLOP: line 7: /usr/sbin/groupadd: Permission denied
[...]
/var/tmp/rpm-tmp.8Rk20S: line 1: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.8Rk20S: line 3: /usr/sbin/useradd: Permission denied
error: %pre(openvpn-2.2.1-1.fc15.i686) scriptlet failed, exit status 126
error:   install: %pre scriptlet failed (2), skipping openvpn-2.2.1-1.fc15
  Installing: mysql-server                 ####################  [191/2012]warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
[...]
/var/tmp/rpm-tmp.k5tfZ3: line 1: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.k5tfZ3: line 3: /usr/sbin/useradd: Permission denied
  Installing: transmission-daemon          ####################  [196/2012]warning: user transmission does not exist - using root
warning: group transmission does not exist - using root
[...]
  Installing: tor-core                                           [200/2012]warning: group _tor does not exist - using root
  Installing: tor-core                     ####################  [200/2012]warning: user _tor does not exist - using root
warning: group _tor does not exist - using root
warning: group _tor does not exist - using root
  Installing: tor-core                     ##################### [200/2012] 
  Installing: tor-lsb                      ##################    [201/2012]warning: user _tor does not exist - using root
warning: group _tor does not exist - using root
  Installing: tor-lsb                      ##################### [201/2012] 
warning: %post(tor-lsb-0.2.3.4-0.fc15.i686) scriptlet failed, exit status 1
[...]
/var/tmp/rpm-tmp.GYjAOQ: line 1: /sbin/depmod: Permission denied
/sbin/new-kernel-pkg: line 311: /sbin/depmod: Permission denied

avcs (from audit.log):
~~~~~~~~~~~~~~~~~~~~~~
type=AVC msg=audit(1316124248.223:30567): avc:  denied  { mounton } for  pid=15407 comm="mount" path="/var/tmp/imgcreate-unP5eL/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1316124248.223:30567): arch=c000003e syscall=165 per=8 success=no exit=-13 a0=7f0247b3e8a0 a1=7f0247b3e8c0 a2=7f0247936a69 a3=ffffffffc0ed1000 items=0 ppid=15382 pid=15407 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316124248.224:30568): avc:  denied  { mounton } for  pid=15407 comm="mount" path="/var/tmp/imgcreate-unP5eL/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1316124248.224:30568): arch=c000003e syscall=165 per=8 success=no exit=-13 a0=7f0247b3ea40 a1=7f0247b3ea00 a2=7f0247936a69 a3=ffffffffc0ed1001 items=0 ppid=15382 pid=15407 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 key=(null)

type=SELINUX_ERR msg=audit(1316124281.043:30569): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124281.043:30569): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127530 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=15515 pid=15517 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124281.046:30570): security_compute_sid:  invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124281.046:30570): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8125d30 a1=81256f0 a2=81258e0 a3=81256f0 items=0 ppid=15515 pid=15519 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124305.537:30571): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124305.537:30571): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127518 a1=81255a0 a2=81258e0 a3=81255a0 items=0 ppid=15611 pid=15613 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124305.678:30572): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124305.678:30572): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127060 a1=8125878 a2=8125698 a3=8125878 items=0 ppid=15616 pid=15617 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124305.703:30573): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124305.703:30573): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=81259d0 a1=81279b8 a2=81258e0 a3=81279b8 items=0 ppid=15618 pid=15622 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124305.705:30574): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124305.705:30574): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127710 a1=81279f8 a2=81258e0 a3=81279f8 items=0 ppid=15618 pid=15624 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124305.707:30575): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124305.707:30575): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=81279b8 a1=8125e60 a2=81258e0 a3=8125e60 items=0 ppid=15618 pid=15626 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124307.572:30576): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124307.572:30576): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127680 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=15657 pid=15659 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124307.574:30577): security_compute_sid:  invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124307.574:30577): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127680 a1=8126028 a2=81258e0 a3=8126028 items=0 ppid=15657 pid=15661 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124307.915:30578): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124307.915:30578): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127488 a1=81255b8 a2=81258e0 a3=81255b8 items=0 ppid=15665 pid=15667 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124307.917:30579): security_compute_sid:  invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124307.917:30579): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8125e60 a1=8126028 a2=81258e0 a3=8126028 items=0 ppid=15665 pid=15669 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124307.942:30580): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124307.942:30580): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127250 a1=8125878 a2=8125698 a3=8125878 items=0 ppid=15670 pid=15671 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124307.943:30581): security_compute_sid:  invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124307.943:30581): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127098 a1=8125580 a2=81258e0 a3=8125580 items=0 ppid=15670 pid=15672 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124309.851:30582): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124309.851:30582): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127530 a1=8125ed8 a2=81258e0 a3=8125ed8 items=0 ppid=15687 pid=15689 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124309.853:30583): security_compute_sid:  invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124309.853:30583): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8125e60 a1=8126028 a2=81258e0 a3=8126028 items=0 ppid=15687 pid=15691 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124310.031:30584): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124310.031:30584): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127158 a1=8125e60 a2=8125698 a3=8125e60 items=0 ppid=15694 pid=15695 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124310.042:30585): security_compute_sid:  invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124310.042:30585): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127710 a1=8127250 a2=81258e0 a3=8127250 items=0 ppid=15694 pid=15696 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124311.609:30586): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124311.609:30586): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127c68 a1=8125740 a2=81258e0 a3=8125740 items=0 ppid=15701 pid=15702 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124311.609:30587): security_compute_sid:  invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124311.609:30587): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8128810 a1=8126028 a2=81258e0 a3=8126028 items=0 ppid=15701 pid=15703 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1316124313.174:30588): avc:  denied  { write } for  pid=15708 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316124313.174:30588): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127f70 a1=81256e0 a2=81258e0 a3=81256e0 items=0 ppid=15706 pid=15708 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1316124359.847:30590): avc:  denied  { write } for  pid=15732 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1316124359.847:30590): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8129b38 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=15717 pid=15732 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

type=SELINUX_ERR msg=audit(1316124363.082:30591): security_compute_sid:  invalid context unconfined_u:unconfined_r:depmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:depmod_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124363.082:30591): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127358 a1=8125e60 a2=8125698 a3=8125e60 items=0 ppid=15762 pid=15763 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124363.211:30592): security_compute_sid:  invalid context unconfined_u:unconfined_r:depmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:depmod_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124363.211:30592): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8135eb0 a1=81257c0 a2=8128710 a3=81257c0 items=0 ppid=15768 pid=15783 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="new-kernel-pkg" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124365.436:30593): security_compute_sid:  invalid context unconfined_u:unconfined_r:udev_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124365.436:30593): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8125e40 a1=812b1b8 a2=812b610 a3=812b1b8 items=0 ppid=17611 pid=17613 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ldd" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124365.448:30594): security_compute_sid:  invalid context unconfined_u:unconfined_r:udev_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124365.448:30594): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8126250 a1=812bcf0 a2=812b618 a3=812bcf0 items=0 ppid=17619 pid=17621 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ldd" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
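
Added example (not part of the original report or of the Fedora policy sources): a small triage script for the two kinds of records quoted in this bug. It separates `avc: denied` records (a missing allow rule between two types) from `security_compute_sid: invalid context` records (the computed role/type combination is not valid in the loaded policy), and counts an AVC repeated under the same audit event serial only once. The function names are hypothetical; the sample records are copied from the output quoted in this report.

```python
import re
from collections import Counter

# Sample input: a small subset of the audit records quoted in this bug report.
SAMPLE = """\
type=AVC msg=audit(1315085201.951:31578): avc:  denied  { transition } for  pid=30207 comm="livecd-creator" path="/usr/sbin/libgcc_post_upgrade" dev=loop2 ino=49156 scontext=unconfined_u:unconfined_r:livecd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SELINUX_ERR msg=audit(1316124281.043:30569): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1316124281.043:30569): arch=40000003 syscall=11 per=8 success=no exit=-13 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1316124281.046:30570): security_compute_sid:  invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1316124305.537:30571): security_compute_sid:  invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=AVC msg=audit(1331856987.415:30350): avc:  denied  { write } for  pid=2514 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331856987.415:30350): avc:  denied  { write } for  pid=2514 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
"""

EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")
ERR_RE = re.compile(
    r"security_compute_sid:\s+invalid context (?P<bad>\S+)\s+for\s+"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")


def split_context(ctx):
    """Return (user, role, type) from user:role:type[:mls-range]."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return parts[0], parts[1], parts[2]


def summarize(text):
    """Count AVC denials and rejected role/type pairs in raw audit.log text.

    Returns (denials, invalid):
      denials keyed by (source type, target type, class, permission)
      invalid keyed by (role, computed type, type of the calling process)
    """
    denials, invalid, seen = Counter(), Counter(), set()
    for line in text.splitlines():
        event = EVENT_RE.search(line)
        if not event:
            continue
        if line.startswith("type=AVC"):
            m = AVC_RE.search(line)
            if not m:
                continue
            src = split_context(m["s"])[2]
            tgt = split_context(m["t"])[2]
            for perm in m["perms"].split():
                key = (src, tgt, m["c"], perm)
                # The same denial can be logged twice under one event serial.
                if (event["serial"], key) in seen:
                    continue
                seen.add((event["serial"], key))
                denials[key] += 1
        elif line.startswith("type=SELINUX_ERR"):
            m = ERR_RE.search(line)
            if not m:
                continue
            _, role, new_type = split_context(m["bad"])
            caller = split_context(m["s"])[2]
            invalid[(role, new_type, caller)] += 1
    return denials, invalid


def report(text):
    """Render the summary as one line per distinct finding."""
    denials, invalid = summarize(text)
    lines = []
    for (src, tgt, cls, perm), n in sorted(denials.items()):
        lines.append(f"denied       {src} -> {tgt}:{cls} {{ {perm} }} x{n}")
    for (role, typ, caller), n in sorted(invalid.items()):
        lines.append(f"invalid ctx  role {role} + type {typ} (exec from {caller}) x{n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
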

Comment 5 Miroslav Grepl 2011-09-16 10:26:44 UTC
Try to add this local policy

# cat mypol.te
policy_module(mypol, 1.0)

require{
 type rpm_script_t;
 role unconfined_r;
}

role unconfined_r types rpm_script_t;



# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp

Comment 6 Mr-4 2011-09-16 12:02:21 UTC
Two questions:

1. Is this a "temporary" solution until the above policy is incorporated in the future version of the target policy (in other words, do I have to add this local policy every time I (re)install Linux)?

2. What about the other two avcs I included above: restorecon (setfiles_t) and mounton (mount_t)?

Comment 7 Daniel Walsh 2011-09-16 15:43:14 UTC
Mgrepl, it is probably best to get unconfined_t to transition to system_r when running livecd.

Comment 8 Fedora Update System 2011-10-06 00:01:38 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Mr-4 2011-10-07 22:25:11 UTC
Has this been finally fixed, because the history log for -39 has a comment from Miroslav Grepl about "livecd fixes" dated 05-Sep-2011 - 10 days *after* I reported additional failures (See comment 4)?

Comment 10 Mr-4 2011-10-08 22:51:13 UTC
Nothing has been fixed from what I reported in Comment 4 above - I am getting exactly the same errors with the -39 version of the policy!

Comment 11 Miroslav Grepl 2011-10-10 11:43:34 UTC
Yes, the latest are not fixed because the bug status was not changed back to assigned.

Comment 12 Mr-4 2011-12-31 02:50:37 UTC
Any chance of fixing this up soon?

Comment 13 Miroslav Grepl 2012-01-02 13:56:14 UTC
What is your version of policy?

Comment 14 Mr-4 2012-01-03 12:07:06 UTC
The latest released for FC15 - 3.9.16-48.fc15

Comment 15 Mr-4 2012-02-25 00:59:56 UTC
Any news on this?

Comment 16 Miroslav Grepl 2012-03-12 10:23:16 UTC
I dropped the ball on this.

commit cd54940affd3c1fb2f6711f2df818cd7aeb9aec8
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 12 12:21:52 2012 +0000

    Fix livecd_run() interface

Comment 17 Mr-4 2012-03-12 16:10:26 UTC
How do I get to see/test/use the above commit? Is there any chance that this will get pushed downstream to "older" versions of the policy (the error is pretty serious, so I think it is worth doing that)?

Comment 18 Fedora Update System 2012-03-13 09:17:46 UTC
selinux-policy-3.9.16-52.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-52.fc15

Comment 19 Mr-4 2012-03-16 00:29:40 UTC
Unfortunately, apart from some (minor) improvements the above version does not work!

I still get the following:

[from console]
mount: block device /dev/null is write-protected, mounting read-only
mount: cannot mount block device /dev/null read-only
[...]
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
/tmp/ks-script-xB3N98: line 23: /sbin/restorecon: Permission denied
ignoring %post failure (code 126)
umount: /var/tmp/imgcreate-dSVZlR/install_root/selinux/load: not mounted

After which livecd-creator bails out...

This is what I have in my audit.log:

type=AVC msg=audit(1331856836.746:30337): avc:  denied  { mounton } for  pid=2326 comm="mount" path="/var/tmp/imgcreate-dSVZlR/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1331856836.746:30337): arch=c000003e syscall=165 per=8 success=no exit=-13 a0=7fe1db4e88a0 a1=7fe1db4e88c0 a2=7fe1db2e0a69 a3=ffffffffc0ed1000 items=0 ppid=2301 pid=2326 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331856836.748:30338): avc:  denied  { mounton } for  pid=2326 comm="mount" path="/var/tmp/imgcreate-dSVZlR/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1331856836.748:30338): arch=c000003e syscall=165 per=8 success=no exit=-13 a0=7fe1db4e8a40 a1=7fe1db4e8a00 a2=7fe1db2e0a69 a3=ffffffffc0ed1001 items=0 ppid=2301 pid=2326 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
[...]
type=AVC msg=audit(1331856987.415:30350): avc:  denied  { write } for  pid=2514 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331856987.415:30350): avc:  denied  { write } for  pid=2514 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1331856987.415:30350): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=81275b8 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=2512 pid=2514 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
[...]
type=AVC msg=audit(1331857088.906:30387): avc:  denied  { write } for  pid=2712 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331857088.906:30387): avc:  denied  { write } for  pid=2712 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1331857088.906:30387): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127250 a1=8125878 a2=8125698 a3=8125878 items=0 ppid=2711 pid=2712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
[...]
type=AVC msg=audit(1331857098.974:30397): avc:  denied  { write } for  pid=2759 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1331857098.974:30397): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127120 a1=8125e60 a2=8125698 a3=8125e60 items=0 ppid=2758 pid=2759 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
[...]
type=AVC msg=audit(1331857103.587:30402): avc:  denied  { write } for  pid=2772 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1331857103.587:30402): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127f70 a1=81256e0 a2=81258e0 a3=81256e0 items=0 ppid=2770 pid=2772 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
[...]
type=AVC msg=audit(1331857153.276:30404): avc:  denied  { write } for  pid=2785 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1331857153.276:30404): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8129b08 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=2779 pid=2785 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Comment 20 Miroslav Grepl 2012-03-16 08:41:54 UTC
Could you test it with these packages

http://koji.fedoraproject.org/koji/taskinfo?taskID=3900104

Comment 21 Mr-4 2012-03-17 00:25:41 UTC
The /dev/null avc is still there (this usually happens when %post script is executed, redirecting all output to /dev/null, i.e. "do_something &>/dev/null"):

time->Sat Mar 17 00:16:41 2012
type=SYSCALL msg=audit(1331943401.556:30516): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127818 a1=8125a60 a2=8125b08 a3=8125a60 items=0 ppid=12603 pid=12605 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331943401.556:30516): avc:  denied  { write } for  pid=12605 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331943401.556:30516): avc:  denied  { write } for  pid=12605 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Sat Mar 17 00:17:43 2012
type=SYSCALL msg=audit(1331943463.906:30553): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=81274b0 a1=8125a60 a2=8125878 a3=8125a60 items=0 ppid=12802 pid=12803 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331943463.906:30553): avc:  denied  { write } for  pid=12803 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331943463.906:30553): avc:  denied  { write } for  pid=12803 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Sat Mar 17 00:17:50 2012
type=SYSCALL msg=audit(1331943470.175:30558): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=81273b8 a1=81260b0 a2=8125878 a3=81260b0 items=0 ppid=12835 pid=12836 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331943470.175:30558): avc:  denied  { write } for  pid=12836 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Sat Mar 17 00:17:53 2012
type=SYSCALL msg=audit(1331943473.588:30563): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127380 a1=81260b0 a2=8125878 a3=81260b0 items=0 ppid=12849 pid=12850 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331943473.588:30563): avc:  denied  { write } for  pid=12850 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331943473.588:30563): avc:  denied  { write } for  pid=12850 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Sat Mar 17 00:17:57 2012
type=SYSCALL msg=audit(1331943477.976:30568): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=81281d0 a1=8126158 a2=8125b08 a3=8126158 items=0 ppid=12861 pid=12863 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331943477.976:30568): avc:  denied  { write } for  pid=12863 comm="restorecon" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Sat Mar 17 00:18:46 2012
type=SYSCALL msg=audit(1331943526.993:30569): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8129d68 a1=8125a60 a2=8125b08 a3=8125a60 items=0 ppid=12870 pid=12876 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331943526.993:30569): avc:  denied  { write } for  pid=12876 comm="restorecon" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
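
A triage aid for audit output like that quoted in this comment, added here as an example and not part of the original report or of any Fedora tool: it joins AVC and SYSCALL records on the audit event id and collapses repeated denials into one entry per denied access. The function name and the shortened sample records are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: records shortened from the audit lines quoted in this bug
# (the SYSCALL records keep only the fields used here).
SAMPLE = '''\
time->Sat Mar 17 00:16:41 2012
type=SYSCALL msg=audit(1331943401.556:30516): arch=40000003 syscall=11 success=yes pid=12605 comm="groupadd" exe="/usr/sbin/groupadd" key=(null)
type=AVC msg=audit(1331943401.556:30516): avc:  denied  { write } for  pid=12605 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331943401.556:30516): avc:  denied  { write } for  pid=12605 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
type=AVC msg=audit(1331943477.976:30568): avc:  denied  { write } for  pid=12863 comm="restorecon" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1331943477.976:30568): arch=40000003 syscall=11 success=yes pid=12863 comm="restorecon" exe="/sbin/setfiles" key=(null)
----
type=SYSCALL msg=audit(1331943526.993:30569): arch=40000003 syscall=11 success=yes pid=12876 comm="restorecon" exe="/sbin/setfiles" key=(null)
type=AVC msg=audit(1331943526.993:30569): avc:  denied  { write } for  pid=12876 comm="restorecon" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
'''

RECORD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def summarize_denials(text):
    """Return {(source_type, target_type, tclass, perms, path, exe): event count}."""
    exe_by_event, denials = {}, set()
    for line in text.splitlines():
        rec = RECORD.match(line)
        if not rec:
            continue  # "time->", "----" and "[...]" separators
        rtype, event_id, body = rec.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            exe_by_event[event_id] = fields.get("exe", "?")
        elif rtype == "AVC" and (hit := DENIAL.search(body)):
            perms = " ".join(sorted(hit.group(1).split()))
            # A set drops AVC lines repeated within one audit event.
            denials.add((event_id, fields["scontext"].split(":")[2],
                         fields["tcontext"].split(":")[2], fields["tclass"],
                         perms, fields.get("path", "?")))
    # Join on the event id afterwards: SYSCALL may precede or follow its AVC.
    return Counter(d[1:] + (exe_by_event.get(d[0], "?"),) for d in denials)

if __name__ == "__main__":
    for rule, n in sorted(summarize_denials(SAMPLE).items()):
        src, tgt, cls, perms, path, exe = rule
        print(f"{n} event(s): {src} -> {tgt}:{cls} {{ {perms} }} path={path} exe={exe}")
```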

Comment 22 Fedora Update System 2012-03-21 02:30:46 UTC
Package selinux-policy-3.9.16-52.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-52.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4286/selinux-policy-3.9.16-52.fc15
then log in and leave karma (feedback).

Comment 23 Mr-4 2012-03-21 13:29:58 UTC
(In reply to comment #22)
> Package selinux-policy-3.9.16-52.fc15:
> * should fix your issue,
> * was pushed to the Fedora 15 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-52.fc15'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2012-4286/selinux-policy-3.9.16-52.fc15
> then log in and leave karma (feedback).
Is this the same revision I tested (and gave feedback on) as in Comment 19? Because if it is, I doubt the result would be any different.

Comment 24 Mr-4 2012-03-21 14:51:22 UTC
I have just tested this again against the above policy and I am getting the same avcs as I already reported in Comment 19, so nothing has actually been fixed. 

Over to you...

Comment 25 Miroslav Grepl 2012-03-22 07:57:15 UTC
Yes, I did not remove the bug from the update.

Comment 26 Fedora Update System 2012-03-31 03:07:23 UTC
selinux-policy-3.9.16-52.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Mr-4 2012-04-01 01:09:20 UTC
I don't know why this bug has been closed when the problem is still there... I also see this:

libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
/tmp/ks-script-yBPXiS: line 23: /sbin/restorecon: Permission denied


Accompanied by:

type=AVC msg=audit(1333242369.763:29867): avc:  denied  { write } for  pid=8822 comm="restorecon" path="/dev/null" dev=loop0 ino=24580 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1333242369.763:29867): arch=i386 syscall=munmap per=8 success=yes exit=0 a0=8129b38 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=8815 pid=8822 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)

As well as the avcs I posted in Comment 21.

Comment 28 Fedora End Of Life 2012-08-07 19:58:50 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advance warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

