Red Hat Bugzilla – Bug 848948
katello-selinux package fails to install selinux module; katello-configure fails with selinux enabled
Last modified: 2014-09-18 11:32:38 EDT
Created attachment 605036 [details] log of AVC denials from /var/log/audit/audit.og with selinux disabled during katello-configure Description of problem: katello-selinux error during install and katello-configure fails with selinux enabled. Version-Release number of selected component (if applicable): katello-1.0.4-1.fc16.noarch katello-all-1.0.4-1.fc16.noarch katello-cli-common-1.0.1-1.fc16.noarch katello-configure-1.0.1-1.fc16.noarch katello-common-1.0.4-1.fc16.noarch katello-selinux-1.0.1-1.fc16.noarch How reproducible: Everytime Steps to Reproduce: 1. Install F16 GA 2. yum install http://fedorapeople.org/groups/katello/releases/yum/1.0/Fedora/16/x86_64/katello-repos-latest.rpm 3. yum install katello-all 4. katello-configure Actual results: During package install, the following error occurs: Installing : katello-selinux-1.0.1-1.fc16.noarch 278/311 libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory). libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory). libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/katello.pp. (No such file or directory). During katello-configure if selinux is enabled the following error occurs: err: /Stage[main]/Candlepin::Service/Exec[cpinit]/returns: change from notrun to 0 failed: /usr/bin/wget --timeout=30 --tries=5 --retry-connrefused -qO- http://localhost:8080/candlepin/admin/init >/var/log/katello/katello-configure/cpinit.log 2>&1 && touch /var/lib/katello/cpinit_done returned 8 instead of one of [0] at /usr/share/katello/install/puppet/modules/candlepin/manifests/service.pp:20 The AVC denial from /var/log/audit/audit.log is: type=AVC msg=audit(1345171049.462:203): avc: denied { read } for pid=30271 comm="httpd" name="webservices.wsgi" dev=dm-0 ino=1053152 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1345171049.462:203): arch=c000003e syscall=2 success=no exit=-13 a0=7fa590719af8 a1=0 a2=1b6 a3=238 items=0 ppid=30270 pid=30271 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) Expected results: katello-selinux should load the correct module katello.pp, it seems to be looking in /etc/selinux/targeted/modules/tmp/modules/katello.pp Additional info: A log of AVC denials will be attached. katello-configure works if a policy module is generated with audit2allow -M katello and loaded.
It's a bug in Fedora 16 that has been already fixed. Update SELinux in Fedora 16 and you will be fine. Fedora 17 is already fixed (we are still not there yet). There is a note on the https://fedorahosted.org/katello/wiki/Install page. Please note this is a regression since we changed our build root and koji builds are now built on RHELs. We were using Fedoras for that. That is the reason why the bug was not showing.