Bug 815478 - setsebool -P httpd_enable_homedirs 1 fails
Summary: setsebool -P httpd_enable_homedirs 1 fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 17
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-04-23 16:55 UTC by Grant Goodyear
Modified: 2012-12-20 15:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 15:21:53 UTC
Type: Bug
Embargoed:



Description Grant Goodyear 2012-04-23 16:55:07 UTC
Description of problem:

# setsebool -P httpd_enable_homedirs 1
libsepol.context_from_record: type unconfined_execmem_exec_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:unconfined_execmem_exec_t:s0 specified for /usr/sbin/condor_startd [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
Could not change policy booleans


Version-Release number of selected component (if applicable):

policycoreutils-2.1.11-5.fc17.x86_64


How reproducible:

perfectly, on my one F17 system.

Steps to Reproduce:
1.
2.
3.
  
Actual results:

Boolean is unchanged.


Expected results:

Boolean should be updated.


Additional info:

Comment 1 Daniel Walsh 2012-04-23 17:42:50 UTC
Do you have a local label for /usr/sbin/condor_startd?

semanage fcontext -d /usr/sbin/condor_startd

Should remove the definition and then you should be able to enable the boolean.

Comment 2 Daniel Walsh 2012-04-23 17:44:58 UTC
Added unconfined_execmem_exec_t as an alias to bin_t in selinux-policy-3.10.0-118.fc17

Comment 3 Grant Goodyear 2012-04-23 18:05:05 UTC
(In reply to comment #1)
> Do you have a local label for /usr/sbin/condor_startd?
> 
> semanage fcontext -d /usr/sbin/condor_startd
> 
> Should remove the definition and then you should be able to enable the boolean.

It wouldn't surprise me if I did.

It seems that /usr/bin/dropbox also has type unconfined_execmem_exec_t, so trying to delete the contexts for /usr/sbin/condor_startd fails because of /usr/bin/dropbox (and vice versa):

[root@feynman condor]# semanage fcontext -d /usr/sbin/condor_startd
libsepol.context_from_record: type unconfined_execmem_exec_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:unconfined_execmem_exec_t:s0 specified for /usr/bin/dropbox [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
/sbin/semanage: Could not commit semanage transaction
[root@feynman condor]# semanage fcontext -d /usr/bin/dropbox
libsepol.context_from_record: type unconfined_execmem_exec_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:unconfined_execmem_exec_t:s0 specified for /usr/sbin/condor_startd [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
/sbin/semanage: Could not commit semanage transaction

That said, I'll just wait for the new selinux-policy package w/ the alias.

Thanks!

Comment 4 Daniel Walsh 2012-04-23 18:11:06 UTC
Strange that we got to this state.  But yes, you will need to wait until 118 is released.  Or you could remove the labels from /etc/selinux/targeted/modules/active/file_contexts.local

Then you should be able to rebuild.
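
Added example (not part of the original bug thread): one way to find every entry in file_contexts.local that would trip the "type ... is not defined" validation seen above, so all of them can be cleaned up in one pass. The function name and the one-type-per-line list of defined types are assumptions; that list has to be prepared separately from the loaded policy.

```shell
#!/bin/sh
# Added example: report local file-context entries whose SELinux type is
# missing from a list of defined types.
# Usage: find_stale_fcontexts FILE_CONTEXTS_LOCAL DEFINED_TYPES_FILE
#   DEFINED_TYPES_FILE holds one bare type name per line (assumption).
# Output: "<path spec><TAB><undefined type>", one line per stale entry.
find_stale_fcontexts() {
    awk '
        # First argument to awk: the defined types.
        FILENAME == ARGV[1] { if ($1 != "") defined[$1] = 1; next }
        # Second argument: the local file contexts; skip blanks/comments.
        /^[ \t]*(#|$)/ { next }
        {
            ctx = $NF                     # context is always the last field
            if (ctx == "<<none>>") next   # explicit "do not label" entry
            n = split(ctx, part, ":")     # user:role:type[:mls-range]
            if (n < 3) next               # malformed line, not our concern
            if (!(part[3] in defined))
                printf "%s\t%s\n", $1, part[3]
        }
    ' "$2" "$1"
}

# Constructed sample data modelled on the two paths named in this bug.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' bin_t httpd_sys_content_t > "$d/types"
    cat > "$d/file_contexts.local" <<'EOF'
# constructed sample, not taken from a real system
/usr/sbin/condor_startd    system_u:object_r:unconfined_execmem_exec_t:s0
/usr/bin/dropbox    --    system_u:object_r:unconfined_execmem_exec_t:s0
/srv/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
EOF
    find_stale_fcontexts "$d/file_contexts.local" "$d/types"
    rm -rf "$d"
}

demo
```

Both stale entries are reported together, which matters here because removing them one at a time with semanage fails on whichever one is left.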

Comment 5 Fedora Update System 2012-10-24 13:04:05 UTC
policycoreutils-2.1.12-4.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/policycoreutils-2.1.12-4.fc17

Comment 6 Fedora Update System 2012-10-24 23:55:55 UTC
Package policycoreutils-2.1.12-4.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.1.12-4.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16848/policycoreutils-2.1.12-4.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-11-01 01:24:48 UTC
Package policycoreutils-2.1.12-5.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.1.12-5.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16848/policycoreutils-2.1.12-5.fc17
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-12-20 15:21:58 UTC
policycoreutils-2.1.12-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

