Description of problem:
During image creation using livecd-creator (livecd-tools), SELinux is preventing execution of *any* rpm scripts which require a process transition. A simple example would be the libgcc package - essential for any Linux installation. In its %postun section there is a script which executes /usr/sbin/libgcc_post_upgrade. SELinux currently prevents that, thus building packages using livecd-tools is nigh impossible!

Version-Release number of selected component (if applicable):
FC15, 3.9.16-34 & 3.9.16-38 target policy versions

How reproducible:
always

Steps to Reproduce:
1. Create a simple kickstart file (assuming ks.cfg), containing just a basic installation (say kernel & bash)
2. execute livecd-creator -v -c ks.cfg -f test.iso

Actual results:
An error like this one:

Installing: libgcc ##################### [ 8/2012]
warning: %post(libgcc-4.6.1-4.fc15.x86_64) scriptlet failed, exit status 127

and the corresponding avc is:

type=AVC msg=audit(1315085201.951:31578): avc: denied { transition } for pid=30207 comm="livecd-creator" path="/usr/sbin/libgcc_post_upgrade" dev=loop2 ino=49156 scontext=unconfined_u:unconfined_r:livecd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1315085201.951:31578): arch=c000003e syscall=59 success=no exit=-13 a0=28851b0 a1=2853490 a2=7fffa575cff0 a3=20 items=0 ppid=30170 pid=30207 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="livecd-creator" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:livecd_t:s0-s0:c0.c1023 key=(null)

Expected results:
None of the above errors

Additional info:
echo 0 > /selinux/enforce (i.e. disable selinux) "cures" this, but the policy should be altered to prevent the above error from occurring
Fixed in -39.fc15 release.
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).
Although the initial problem as reported above has been fixed, I am now getting similar denials from different %post scripts trying to do different things (useradd, groupadd, depmod to name a few) - essential for the building process to succeed.

Do you not test this before you go ahead and release junk like this - do you just bump the policy version number for the sake of it? This all used to work with the fc14 policies!

Some very small selection of errors and avc denials I am getting:

/var/tmp/rpm-tmp.ECqGRs: line 2: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.ECqGRs: line 4: /usr/sbin/useradd: Permission denied
[...]
error: %pre(initscripts-9.12.1-1.fc15.i686) scriptlet failed, exit status 126
error: install: %pre scriptlet failed (2), skipping initscripts-9.12.1-1.fc15
/var/tmp/rpm-tmp.iewLOP: line 5: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.iewLOP: line 6: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.iewLOP: line 7: /usr/sbin/groupadd: Permission denied
[...]
/var/tmp/rpm-tmp.8Rk20S: line 1: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.8Rk20S: line 3: /usr/sbin/useradd: Permission denied
error: %pre(openvpn-2.2.1-1.fc15.i686) scriptlet failed, exit status 126
error: install: %pre scriptlet failed (2), skipping openvpn-2.2.1-1.fc15
Installing: mysql-server #################### [191/2012]
warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
[...]
/var/tmp/rpm-tmp.k5tfZ3: line 1: /usr/sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.k5tfZ3: line 3: /usr/sbin/useradd: Permission denied
Installing: transmission-daemon #################### [196/2012]
warning: user transmission does not exist - using root
warning: group transmission does not exist - using root
[...]
Installing: tor-core [200/2012]
warning: group _tor does not exist - using root
Installing: tor-core #################### [200/2012]
warning: user _tor does not exist - using root
warning: group _tor does not exist - using root
warning: group _tor does not exist - using root
Installing: tor-core ##################### [200/2012]
Installing: tor-lsb ################## [201/2012]
warning: user _tor does not exist - using root
warning: group _tor does not exist - using root
Installing: tor-lsb ##################### [201/2012]
warning: %post(tor-lsb-0.2.3.4-0.fc15.i686) scriptlet failed, exit status 1
[...]
/var/tmp/rpm-tmp.GYjAOQ: line 1: /sbin/depmod: Permission denied
/sbin/new-kernel-pkg: line 311: /sbin/depmod: Permission denied

avcs (from audit.log):
~~~~~~~~~~~~~~~~~~~~~~
type=AVC msg=audit(1316124248.223:30567): avc: denied { mounton } for pid=15407 comm="mount" path="/var/tmp/imgcreate-unP5eL/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1316124248.223:30567): arch=c000003e syscall=165 per=8 success=no exit=-13 a0=7f0247b3e8a0 a1=7f0247b3e8c0 a2=7f0247936a69 a3=ffffffffc0ed1000 items=0 ppid=15382 pid=15407 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316124248.224:30568): avc: denied { mounton } for pid=15407 comm="mount" path="/var/tmp/imgcreate-unP5eL/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1316124248.224:30568): arch=c000003e syscall=165 per=8 success=no exit=-13 a0=7f0247b3ea40 a1=7f0247b3ea00 a2=7f0247936a69 a3=ffffffffc0ed1001 items=0 ppid=15382 pid=15407 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1
comm="mount" exe="/bin/mount" subj=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124281.043:30569): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124281.043:30569): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127530 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=15515 pid=15517 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124281.046:30570): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124281.046:30570): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8125d30 a1=81256f0 a2=81258e0 a3=81256f0 items=0 ppid=15515 pid=15519 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124305.537:30571): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124305.537:30571): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127518 a1=81255a0 a2=81258e0 a3=81255a0 items=0 ppid=15611 pid=15613 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124305.678:30572): 
security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124305.678:30572): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127060 a1=8125878 a2=8125698 a3=8125878 items=0 ppid=15616 pid=15617 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124305.703:30573): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124305.703:30573): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=81259d0 a1=81279b8 a2=81258e0 a3=81279b8 items=0 ppid=15618 pid=15622 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124305.705:30574): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124305.705:30574): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127710 a1=81279f8 a2=81258e0 a3=81279f8 items=0 ppid=15618 pid=15624 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124305.707:30575): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124305.707:30575): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=81279b8 a1=8125e60 a2=81258e0 a3=8125e60 items=0 ppid=15618 pid=15626 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124307.572:30576): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124307.572:30576): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127680 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=15657 pid=15659 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124307.574:30577): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124307.574:30577): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127680 a1=8126028 a2=81258e0 a3=8126028 items=0 ppid=15657 pid=15661 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124307.915:30578): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124307.915:30578): arch=40000003 syscall=11 per=8 success=no exit=-13 
a0=8127488 a1=81255b8 a2=81258e0 a3=81255b8 items=0 ppid=15665 pid=15667 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124307.917:30579): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124307.917:30579): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8125e60 a1=8126028 a2=81258e0 a3=8126028 items=0 ppid=15665 pid=15669 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124307.942:30580): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124307.942:30580): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127250 a1=8125878 a2=8125698 a3=8125878 items=0 ppid=15670 pid=15671 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124307.943:30581): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124307.943:30581): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127098 a1=8125580 a2=81258e0 a3=8125580 items=0 ppid=15670 pid=15672 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 
comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124309.851:30582): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124309.851:30582): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127530 a1=8125ed8 a2=81258e0 a3=8125ed8 items=0 ppid=15687 pid=15689 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124309.853:30583): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124309.853:30583): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8125e60 a1=8126028 a2=81258e0 a3=8126028 items=0 ppid=15687 pid=15691 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124310.031:30584): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124310.031:30584): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127158 a1=8125e60 a2=8125698 a3=8125e60 items=0 ppid=15694 pid=15695 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124310.042:30585): 
security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124310.042:30585): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127710 a1=8127250 a2=81258e0 a3=8127250 items=0 ppid=15694 pid=15696 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124311.609:30586): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124311.609:30586): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127c68 a1=8125740 a2=81258e0 a3=8125740 items=0 ppid=15701 pid=15702 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124311.609:30587): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124311.609:30587): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8128810 a1=8126028 a2=81258e0 a3=8126028 items=0 ppid=15701 pid=15703 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1316124313.174:30588): avc: denied { write } for pid=15708 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1316124313.174:30588): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127f70 a1=81256e0 a2=81258e0 a3=81256e0 items=0 ppid=15706 pid=15708 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1316124359.847:30590): avc: denied { write } for pid=15732 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1316124359.847:30590): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8129b38 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=15717 pid=15732 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124363.082:30591): security_compute_sid: invalid context unconfined_u:unconfined_r:depmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:depmod_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124363.082:30591): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8127358 a1=8125e60 a2=8125698 a3=8125e60 items=0 ppid=15762 pid=15763 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124363.211:30592): security_compute_sid: invalid context unconfined_u:unconfined_r:depmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:depmod_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124363.211:30592): arch=40000003 syscall=11 per=8 success=no exit=-13 
a0=8135eb0 a1=81257c0 a2=8128710 a3=81257c0 items=0 ppid=15768 pid=15783 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="new-kernel-pkg" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124365.436:30593): security_compute_sid: invalid context unconfined_u:unconfined_r:udev_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124365.436:30593): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8125e40 a1=812b1b8 a2=812b610 a3=812b1b8 items=0 ppid=17611 pid=17613 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ldd" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1316124365.448:30594): security_compute_sid: invalid context unconfined_u:unconfined_r:udev_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=process type=SYSCALL msg=audit(1316124365.448:30594): arch=40000003 syscall=11 per=8 success=no exit=-13 a0=8126250 a1=812bcf0 a2=812b618 a3=812bcf0 items=0 ppid=17619 pid=17621 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ldd" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
Try to add this local policy

# cat mypol.te
policy_module(mypol, 1.0)

require {
    type rpm_script_t;
    role unconfined_r;
}

role unconfined_r types rpm_script_t;

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp
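The records quoted in this bug fall into three distinct classes, and only one of them is what audit2allow-style "add an allow rule" thinking addresses: the AVC transition denial in comment 1 (livecd_t to rpm_script_t), the SELINUX_ERR "invalid context" records in comment 4 (the kernel refuses to build unconfined_u:unconfined_r:groupadd_t because the role is not authorised for the type, which is what the role statement above targets; these are not AVC records, so a grep for "avc: denied" never shows them), and the write denials on /dev/null whose target type is the generic device_t. The following triage script is an added example by the editor, not code from the report or from the selinux-policy package; its sample input is copied from the audit lines in this bug, and the expectation that /dev/null on a labelled system carries null_device_t is the editor's reading of the reference policy file contexts, not something the thread states. The policy lines it emits are minimal syntax to review, not to load blindly.

```python
"""Triage helper for the audit records quoted in this bug (added example,
not code from the report or from selinux-policy). It separates the three
failure classes the thread shows, since a grep for 'avc: denied' misses the
SELINUX_ERR 'invalid context' records that explain the groupadd/useradd
failures, and an allow rule is the wrong fix for the /dev/null denials."""
import re
from collections import Counter, defaultdict

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, value may be quoted
_AVC = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
_INVALID = re.compile(r'security_compute_sid: invalid context (\S+) for '
                      r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')


def split_context(ctx):
    """'user:role:type[:range]' -> (user, role, type, range)."""
    user, role, typ, *rest = ctx.split(':', 3)
    return user, role, typ, (rest[0] if rest else '')


def parse_record(line):
    """Field dict for an AVC denial or SELINUX_ERR record; None for anything else."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get('type') == 'AVC':
        m = _AVC.search(line)
        if m:
            fields['perms'] = m.group(1).split()
            return fields
    elif fields.get('type') == 'SELINUX_ERR':
        m = _INVALID.search(line)
        if m:
            fields.update(invalid=m.group(1), scontext=m.group(2),
                          tcontext=m.group(3), tclass=m.group(4))
            return fields
    return None


def classify(rec):
    """(class, source, target) for one parsed record."""
    if rec['type'] == 'SELINUX_ERR':
        # The kernel refused to build the new context: the role in it is not
        # authorised for the target domain, so no AVC is ever produced.
        _, role, typ, _ = split_context(rec['invalid'])
        return 'role_not_authorised', role, typ
    styp = split_context(rec['scontext'])[2]
    ttyp = split_context(rec['tcontext'])[2]
    if rec['tclass'] == 'process' and 'transition' in rec['perms']:
        return 'missing_domain_transition', styp, ttyp
    # Editor's assumption: /dev/null on a labelled system is null_device_t
    # (refpolicy file_contexts); the generic device_t seen here means the
    # image was never relabelled, so an allow rule would paper over that.
    if rec.get('path') == '/dev/null' and ttyp == 'device_t':
        return 'unlabelled_dev_null', styp, ttyp
    return 'other_avc', styp, ttyp


def triage(log_text):
    """class -> Counter of (source, target) over every denial/error in log_text."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            kind, a, b = classify(rec)
            buckets[kind][(a, b)] += 1
    return buckets


def suggest(log_text):
    """One hint per distinct triple; policy lines are minimal syntax to review,
    not to load blindly."""
    hints = []
    for kind, pairs in sorted(triage(log_text).items()):
        for a, b in sorted(pairs):
            if kind == 'missing_domain_transition':
                hints.append(f'allow {a} {b}:process transition;')
            elif kind == 'role_not_authorised':
                hints.append(f'role {a} types {b};  # or a role_transition to system_r')
            elif kind == 'unlabelled_dev_null':
                hints.append(f'# {a}: /dev/null in the image is {b}, expected '
                             'null_device_t; relabel the chroot rather than allow')
            else:
                hints.append(f'# review {a} -> {b}: feed this record to audit2allow')
    return hints


# Records copied from comments 1, 4 and 19 of this bug, one per line.
SAMPLE_LOG = """\
type=AVC msg=audit(1315085201.951:31578): avc: denied { transition } for pid=30207 comm="livecd-creator" path="/usr/sbin/libgcc_post_upgrade" dev=loop2 ino=49156 scontext=unconfined_u:unconfined_r:livecd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1315085201.951:31578): arch=c000003e syscall=59 success=no exit=-13 comm="livecd-creator" exe="/usr/bin/python"
type=SELINUX_ERR msg=audit(1316124281.043:30569): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1316124281.046:30570): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=AVC msg=audit(1316124248.223:30567): avc: denied { mounton } for pid=15407 comm="mount" path="/var/tmp/imgcreate-unP5eL/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:unconfined_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1331857103.587:30402): avc: denied { write } for pid=2772 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
"""

if __name__ == '__main__':
    for kind, pairs in sorted(triage(SAMPLE_LOG).items()):
        print(kind, dict(pairs))
    print('\n'.join(suggest(SAMPLE_LOG)))
```

Run it against a real audit.log with `python3 triage.py < /var/log/audit/audit.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; the point of the classification is that the role_not_authorised bucket needs a role or role_transition statement (or, as suggested later in this bug, running livecd in system_r), while the unlabelled_dev_null bucket is a labelling problem in the chroot and should not be turned into an allow rule at all.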
Two questions:
1. Is this a "temporary" solution until the above policy is incorporated in the future version of the target policy (in other words, do I have to add this local policy every time I (re)install Linux)?
2. What about the other two avcs I included above: restorecon (setfiles_t) and mounton (mount_t)?
Mgrepl, it is probably best to get unconfined_t to transition to system_r when running livecd.
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Has this been finally fixed, because the history log for -39 has a comment from Miroslav Grepl about "livecd fixes" dated 05-Sep-2011 - 10 days *after* I reported additional failures (See comment 4)?
Nothing has been fixed from what I reported in Comment 4 above - I am getting exactly the same errors with the -39 version of the policy!
Yes, the latest are not fixed because the bug status was not changed back to assigned.
Any chance of fixing this up soon?
What is your version of policy?
The latest released for FC15 - 3.9.16-48.fc15
Any news on this?
I dropped the ball on this.

commit cd54940affd3c1fb2f6711f2df818cd7aeb9aec8
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 12 12:21:52 2012 +0000

    Fix livecd_run() interface
How do I get to see/test/use the above commit? Is there any chance that this will get pushed downstream to "older" versions of the policy (the error is pretty serious, so I think it is worth doing that)?
selinux-policy-3.9.16-52.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-52.fc15
Unfortunately, apart from some (minor) improvements the above version does not work! I still get the following:

[from console]
mount: block device /dev/null is write-protected, mounting read-only
mount: cannot mount block device /dev/null read-only
[...]
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
/tmp/ks-script-xB3N98: line 23: /sbin/restorecon: Permission denied
ignoring %post failure (code 126)
umount: /var/tmp/imgcreate-dSVZlR/install_root/selinux/load: not mounted

After which livecd-creator bails out...
This is what I have in my audit.log: type=AVC msg=audit(1331856836.746:30337): avc: denied { mounton } for pid=2326 comm="mount" path="/var/tmp/imgcreate-dSVZlR/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1331856836.746:30337): arch=c000003e syscall=165 per=8 success=no exit=-13 a0=7fe1db4e88a0 a1=7fe1db4e88c0 a2=7fe1db2e0a69 a3=ffffffffc0ed1000 items=0 ppid=2301 pid=2326 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1331856836.748:30338): avc: denied { mounton } for pid=2326 comm="mount" path="/var/tmp/imgcreate-dSVZlR/install_root/selinux/load" dev=selinuxfs ino=3 scontext=unconfined_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1331856836.748:30338): arch=c000003e syscall=165 per=8 success=no exit=-13 a0=7fe1db4e8a40 a1=7fe1db4e8a00 a2=7fe1db2e0a69 a3=ffffffffc0ed1001 items=0 ppid=2301 pid=2326 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0-s0:c0.c1023 key=(null) [...] 
type=AVC msg=audit(1331856987.415:30350): avc: denied { write } for pid=2514 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=AVC msg=audit(1331856987.415:30350): avc: denied { write } for pid=2514 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1331856987.415:30350): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=81275b8 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=2512 pid=2514 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null) [...] type=AVC msg=audit(1331857088.906:30387): avc: denied { write } for pid=2712 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=AVC msg=audit(1331857088.906:30387): avc: denied { write } for pid=2712 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1331857088.906:30387): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127250 a1=8125878 a2=8125698 a3=8125878 items=0 ppid=2711 pid=2712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null) [...] 
type=AVC msg=audit(1331857098.974:30397): avc: denied { write } for pid=2759 comm="groupadd" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1331857098.974:30397): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127120 a1=8125e60 a2=8125698 a3=8125e60 items=0 ppid=2758 pid=2759 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null) [...] type=AVC msg=audit(1331857103.587:30402): avc: denied { write } for pid=2772 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1331857103.587:30402): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127f70 a1=81256e0 a2=81258e0 a3=81256e0 items=0 ppid=2770 pid=2772 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null) [...] type=AVC msg=audit(1331857153.276:30404): avc: denied { write } for pid=2785 comm="restorecon" path="/dev/null" dev=loop0 ino=16388 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1331857153.276:30404): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8129b08 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=2779 pid=2785 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
Could you test it with these packages http://koji.fedoraproject.org/koji/taskinfo?taskID=3900104
The /dev/null avc is still there (this usually happens when a %post script is executed, redirecting all output to /dev/null, i.e. "do_something &>/dev/null"):

time->Sat Mar 17 00:16:41 2012
type=SYSCALL msg=audit(1331943401.556:30516): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127818 a1=8125a60 a2=8125b08 a3=8125a60 items=0 ppid=12603 pid=12605 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331943401.556:30516): avc: denied { write } for pid=12605 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331943401.556:30516): avc: denied { write } for pid=12605 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Sat Mar 17 00:17:43 2012
type=SYSCALL msg=audit(1331943463.906:30553): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=81274b0 a1=8125a60 a2=8125878 a3=8125a60 items=0 ppid=12802 pid=12803 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331943463.906:30553): avc: denied { write } for pid=12803 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1331943463.906:30553): avc: denied { write } for pid=12803 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Sat Mar 17 00:17:50 2012
type=SYSCALL msg=audit(1331943470.175:30558):
arch=40000003 syscall=11 per=8 success=yes exit=0 a0=81273b8 a1=81260b0 a2=8125878 a3=81260b0 items=0 ppid=12835 pid=12836 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1331943470.175:30558): avc: denied { write } for pid=12836 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Sat Mar 17 00:17:53 2012 type=SYSCALL msg=audit(1331943473.588:30563): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8127380 a1=81260b0 a2=8125878 a3=81260b0 items=0 ppid=12849 pid=12850 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1331943473.588:30563): avc: denied { write } for pid=12850 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file type=AVC msg=audit(1331943473.588:30563): avc: denied { write } for pid=12850 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Sat Mar 17 00:17:57 2012 type=SYSCALL msg=audit(1331943477.976:30568): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=81281d0 a1=8126158 a2=8125b08 a3=8126158 items=0 ppid=12861 pid=12863 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1331943477.976:30568): avc: denied { write } for pid=12863 comm="restorecon" path="/dev/null" dev=loop0 ino=8196 
scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Sat Mar 17 00:18:46 2012 type=SYSCALL msg=audit(1331943526.993:30569): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=8129d68 a1=8125a60 a2=8125b08 a3=8125a60 items=0 ppid=12870 pid=12876 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1331943526.993:30569): avc: denied { write } for pid=12876 comm="restorecon" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
Package selinux-policy-3.9.16-52.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-52.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4286/selinux-policy-3.9.16-52.fc15
then log in and leave karma (feedback).
(In reply to comment #22)
> Package selinux-policy-3.9.16-52.fc15:
> * should fix your issue,
> * was pushed to the Fedora 15 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-52.fc15'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2012-4286/selinux-policy-3.9.16-52.fc15
> then log in and leave karma (feedback).

Is this the same revision I tested (and given feedback on) as in Comment 19? Because if it is, I doubt the result would be any different.
I have just tested this again against the above policy and I am getting the same avcs as I already reported in Comment 19, so nothing has actually been fixed. Over to you...
Yes, I did not remove the bug from the update.
selinux-policy-3.9.16-52.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
I don't know why this bug has been closed when the problem is still there... I also see this:

libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
/usr/sbin/semanage: Permission denied
/tmp/ks-script-yBPXiS: line 23: /sbin/restorecon: Permission denied

Accompanied by:

type=AVC msg=audit(1333242369.763:29867): avc: denied { write } for pid=8822 comm="restorecon" path="/dev/null" dev=loop0 ino=24580 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1333242369.763:29867): arch=i386 syscall=munmap per=8 success=yes exit=0 a0=8129b38 a1=8125878 a2=81258e0 a3=8125878 items=0 ppid=8815 pid=8822 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)

As well as the avcs I posted in Comment 21
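The /dev/null records in this comment and in the earlier one are easiest to triage once parsed rather than read as a wall of text. The following is an added Python example, not code from the bug report, livecd-tools or selinux-policy: it extracts source type, target type, object class and permissions from each AVC record and flags the specific pattern this thread is about, a write to a /dev/null that sits on the loop-mounted image and carries the generic device_t label rather than the null_device_t label a correctly labelled /dev/null has. The sample records are constructed from the ones posted in this bug, and the helper names are mine.

```python
import re
from collections import Counter

# Constructed sample, shaped after the records posted in this bug
# (one ausearch-style SYSCALL line is included to show it is skipped).
SAMPLE_LOG = """\
type=AVC msg=audit(1331943401.556:30516): avc: denied { write } for pid=12605 comm="groupadd" path="/dev/null" dev=loop0 ino=8196 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1333242369.763:29867): arch=i386 syscall=munmap success=yes exit=0 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333242369.763:29867): avc: denied { write } for pid=8822 comm="restorecon" path="/dev/null" dev=loop0 ino=24580 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1315085201.951:31578): avc: denied { transition } for pid=30207 comm="livecd-creator" path="/usr/sbin/libgcc_post_upgrade" dev=loop2 ino=49156 scontext=unconfined_u:unconfined_r:livecd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # third field of a context is the type: user:role:type:range
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def is_chroot_devnull_denial(rec):
    """The pattern of this bug: a write to a /dev/null on the loop-mounted
    image that is labelled generic device_t instead of null_device_t."""
    return (rec["tclass"] == "chr_file" and rec.get("path") == "/dev/null"
            and "write" in rec["perms"] and rec["ttype"] == "device_t"
            and rec.get("dev", "").startswith("loop"))


def summarize(log_text):
    """Count denials by (pattern, source type, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        kind = "chroot-devnull" if is_chroot_devnull_denial(rec) else "other"
        counts[(kind, rec["stype"], rec["ttype"], rec["tclass"],
                " ".join(rec["perms"]))] += 1
    return counts


for key, n in sorted(summarize(SAMPLE_LOG).items()):
    print(n, *key)
```

Feeding it the output of ausearch -m avc from a real build separates the chroot /dev/null noise from genuinely new denials, such as the process transition denial from the original report.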
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping