Description of problem:
Tests are hitting AVCs like this one:

----
time->Mon Aug 20 03:36:49 2012
type=SYSCALL msg=audit(1345448209.141:278): arch=c000003e syscall=59 success=yes exit=0 a0=17a64d0 a1=17a65d0 a2=17a7030 a3=7fff89e18f50 items=0 ppid=2664 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1345448209.141:278): avc: denied { append } for pid=2667 comm="restorecon" path="/mnt/testarea/TESTOUT.log" dev="dm-1" ino=2884337 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
type=AVC msg=audit(1345448209.141:278): avc: denied { append } for pid=2667 comm="restorecon" path="/mnt/testarea/TESTOUT.log" dev="dm-1" ino=2884337 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
----

# semodule -l | grep rhts
# semodule -i /usr/share/selinux/packages/rhts/rhts.pp
libsepol.permission_copy_callback: Module rhts depends on permission epollwakeup in class capability2, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).

Version-Release number of selected component (if applicable):
RHEL-7.0-20120711.2 Server x86_64
kernel 3.5.0-0.24.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. provision host with above distro + kernel

Actual results:
rhts selinux module is not loaded

Expected results:
rhts selinux module is loaded, no AVCs for "/mnt/testarea/TESTOUT.log"

Additional info:
My first idea was that we should rebuild the policy from source after first boot, for example in /distribution/install. I spoke to Jeff Burke and he mentioned that this is how it used to be in the past, but there were some issues with this approach as well. Since the situation we are in right now is an exception (the binary policy is built with newer packages than we have in the latest distro after the last mass rebuild), we concluded it would be best to wait for a new distro to be available.
I think the best solution here is to ship two selinux policies for el7: one that we build outside of brew and one that is built via brew. We would attempt to load the brew-built version first, because that should work for the latest versions of rhel7; if that fails to load, we would try to load an older version that was built for alpha2. This way we should stay current but also work on older installs. When alpha2 doesn't matter any more we can remove it.
http://gerrit.beaker-project.org/#/c/1331/
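The two-policy fallback proposed above, written out as an added example (not Beaker's own code): try the newer build first, fall back to the older one if the base policy rejects it (as with the "depends on permission epollwakeup in class capability2, not satisfied" error in the report), and confirm the module is actually listed afterwards. The module name "rhts", the .pp file names and the SEMODULE override are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical fallback loader for an SELinux policy module.
# SEMODULE can be overridden (e.g. with a stub) so the logic can be
# exercised off a real SELinux box; by default it is the system semodule.
SEMODULE="${SEMODULE:-semodule}"

# module_loaded NAME -> exit 0 if `semodule -l` lists NAME, 1 otherwise.
# Matches on the first column so both old (name<tab>version) and newer
# (name [priority]) listing formats work.
module_loaded() {
    "$SEMODULE" -l 2>/dev/null | awk -v n="$1" '$1 == n { f = 1 } END { exit !f }'
}

# load_with_fallback NAME FILE.pp [FILE.pp ...]
# Tries each candidate in order (newest first). A candidate counts only if
# `semodule -i` succeeds AND the module shows up in `semodule -l`.
# Prints the file that was loaded; returns 1 if no candidate loaded.
load_with_fallback() {
    name=$1; shift
    err="${TMPDIR:-/tmp}/semodule.$$.err"
    for pp in "$@"; do
        [ -f "$pp" ] || continue            # missing build: skip silently
        if "$SEMODULE" -i "$pp" 2>"$err" && module_loaded "$name"; then
            rm -f "$err"
            echo "$pp"
            return 0
        fi
        # Report why this candidate was rejected, then try the next one
        sed "s|^|$pp: |" "$err" >&2
    done
    rm -f "$err"
    echo "no loadable policy module for $name" >&2
    return 1
}
```

Run as `load_with_fallback rhts /path/to/rhts-new.pp /path/to/rhts-alpha2.pp`; the exit status tells the caller whether any build loaded.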
*** Bug 859083 has been marked as a duplicate of this bug. ***
Beaker 0.9.4 has been released.
*** Bug 810449 has been marked as a duplicate of this bug. ***