Bug 810383 - Error with entropyd when upgrading selinux-policy
Summary: Error with entropyd when upgrading selinux-policy
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2012-04-05 19:49 UTC by Göran Uddeborg
Modified: 2012-11-01 12:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-11-01 12:08:43 UTC
Type: Bug


Description Göran Uddeborg 2012-04-05 19:49:26 UTC
Description of problem:
I'm not sure how serious it is, but when doing a yum update of selinux-policy and a couple of related packages from F16 to F17 I got this error message when yum was running the postinstall scripts:

libsepol.scope_copy_callback: entropyd: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semodule:  Failed!
****... (many more asterisks)

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-110.fc17.noarch


How reproducible:
I upgraded two systems, and it happened on both.

Comment 1 Miroslav Grepl 2012-04-06 06:29:46 UTC
Strange issue. What does

$ ls -1 /etc/selinux/targeted/modules/active/modules/ | grep audio

Comment 2 Göran Uddeborg 2012-04-06 21:03:00 UTC
It returns a single match: pulseaudio.pp

Comment 3 Göran Uddeborg 2012-04-08 17:25:38 UTC
I'm not sure if this could be the same problem or not, but I got messages from setroubleshoot that entropyd_use_audio is needed if I want to use audio-entropyd.  So I tried to set it, and got an error message like this:

mimmi$ sudo setsebool -P entropyd_use_audio 1
libsepol.context_from_record: type unconfined_execmem_exec_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:unconfined_execmem_exec_t:s0 specified for /usr/lib64/ghc-6.10.4/ghc [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
Could not change policy booleans

I had ghc defined to have the unconfined_execmem_exec_t type in a local fcontext.  I don't remember when I set that, but I tried to run without allow_execmem set before it was replaced with deny_execmem, so it's probably related to that.

After removing that particular fcontext I could set the boolean, so that problem is fixed.  I don't have an environment where I can easily test if the yum upgrade of selinux would also succeed if I removed that fcontext first.  But I thought I could mention it here in case you would think it might have caused the other issue too.

Comment 4 Miroslav Grepl 2012-04-09 18:34:01 UTC
Could you try to execute

$ /usr/sbin/semodule -n -s targeted -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd

Comment 5 Göran Uddeborg 2012-04-09 19:05:00 UTC
I did, and it complained that it didn't find most of them.  In most but not all cases with the additional comment "No such file or directory".

But the two modules hotplug and howl were indeed removed.

Comment 6 Göran Uddeborg 2012-04-09 19:09:52 UTC
Inspired by your suggestion I also did "rpm -qf *" in /etc/selinux/targeted/modules/active/modules.  It found six modules which didn't belong to any package.  Three are local additions I've made, but three are probably remnants from older packages that for some reason haven't been removed.

evolution.pp
pki.pp
thunderbird.pp

I guess I should clean up those too, but I'll wait a little in case you want me to test something before I do.
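
The ownership check described in comment 6, as an added example that is not part of the original bug thread: it lists the .pp files in a module store that no RPM package owns, which is how leftover modules such as the three above show up. The function names and the OWNER_QUERY override hook are hypothetical; the default directory is the path quoted in this report.

```shell
#!/bin/sh
# Added example (not from the bug thread): find policy modules in an
# SELinux module store that are not owned by any installed RPM package.

# Default store path, taken from the commands quoted in this report.
MODULE_DIR_DEFAULT=/etc/selinux/targeted/modules/active/modules

# Return 0 if an installed package owns the file, non-zero otherwise.
# OWNER_QUERY is a hypothetical hook: set it to the name of a command or
# shell function to replace the rpm lookup (useful on a test machine).
owned_by_package() {
    if [ -n "${OWNER_QUERY:-}" ]; then
        "$OWNER_QUERY" "$1"
    else
        # rpm -qf exits non-zero when no package owns the file.
        rpm -qf "$1" >/dev/null 2>&1
    fi
}

# Print the file name of every unowned *.pp module, one per line.
# Returns 2 if the directory does not exist.
list_unowned_modules() {
    dir=${1:-$MODULE_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no such module directory: $dir" >&2
        return 2
    fi
    for pp in "$dir"/*.pp; do
        [ -e "$pp" ] || continue    # glob matched nothing
        owned_by_package "$pp" || basename "$pp"
    done
}

# Typical use, as root:
#   list_unowned_modules
# Review the output by hand before removing anything: local modules you
# built yourself are also unowned and will be listed.
```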

Comment 7 Daniel Walsh 2012-04-09 19:17:15 UTC
I would remove those packages.

Comment 8 Kai Arne 2012-11-01 08:51:04 UTC
try to execute: su -c "setsebool -P samba_export_all_rw 1"

su -c "setsebool -P samba_export_all_rw 1"
libsepol.scope_copy_callback: entropyd: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
Could not change policy booleans

Comment 9 Miroslav Grepl 2012-11-01 12:08:43 UTC
Kai, do this:

# setenforce 0
# rm -rf /etc/selinux/targeted
# yum reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1

Then it should work. Thank you.

