Bug 849568 - rhts selinux module fails to load on RHEL-7.0-20120711.2
Status: CLOSED CURRENTRELEASE
Product: Beaker
Classification: Community
Component: beah
Version: 0.9
Platform: All Linux
Priority: high
Severity: high
Target Milestone: 0.9.4
Assigned To: Bill Peck
Keywords: TestBlocker
Duplicates: 810449 859083
Blocks: 593663 782468
Reported: 2012-08-20 04:31 EDT by Jan Stancek
Modified: 2013-06-13 03:42 EDT
Last Closed: 2012-10-11 19:50:15 EDT
Type: Bug
Doc Type: Bug Fix

Description Jan Stancek 2012-08-20 04:31:59 EDT
Description of problem:

Tests are hitting AVCs like this one:
----
time->Mon Aug 20 03:36:49 2012
type=SYSCALL msg=audit(1345448209.141:278): arch=c000003e syscall=59 success=yes exit=0 a0=17a64d0 a1=17a65d0 a2=17a7030 a3=7fff89e18f50 items=0 ppid=2664 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1345448209.141:278): avc:  denied  { append } for  pid=2667 comm="restorecon" path="/mnt/testarea/TESTOUT.log" dev="dm-1" ino=2884337 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
type=AVC msg=audit(1345448209.141:278): avc:  denied  { append } for  pid=2667 comm="restorecon" path="/mnt/testarea/TESTOUT.log" dev="dm-1" ino=2884337 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
----

# semodule -l | grep rhts

# semodule -i /usr/share/selinux/packages/rhts/rhts.pp
libsepol.permission_copy_callback: Module rhts depends on permission epollwakeup in class capability2, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).

Version-Release number of selected component (if applicable):
RHEL-7.0-20120711.2 Server x86_64
kernel 3.5.0-0.24.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. provision host with above distro + kernel

Actual results:
rhts selinux module is not loaded

Expected results:
rhts selinux module is loaded, no AVCs for "/mnt/testarea/TESTOUT.log"

Additional info:
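Two POSIX shell helpers for triaging a report like this one, added here as an example (not from the bug report and not Beaker/beah code). `avc_summary` condenses audit records into one line per distinct denial with a count, which makes the source type, target type and class of the denial easy to read off; `module_loaded` checks `semodule -l` output for a named module. The embedded audit records are the ones quoted in the description; the module list used in the comment is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or from Beaker/beah.
# Helpers for triaging an AVC denial like the one in this report.

# Audit records quoted in the report (SYSCALL plus the two AVC lines).
SAMPLE_AUDIT='type=SYSCALL msg=audit(1345448209.141:278): arch=c000003e syscall=59 success=yes exit=0 a0=17a64d0 a1=17a65d0 a2=17a7030 a3=7fff89e18f50 items=0 ppid=2664 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1345448209.141:278): avc:  denied  { append } for  pid=2667 comm="restorecon" path="/mnt/testarea/TESTOUT.log" dev="dm-1" ino=2884337 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
type=AVC msg=audit(1345448209.141:278): avc:  denied  { append } for  pid=2667 comm="restorecon" path="/mnt/testarea/TESTOUT.log" dev="dm-1" ino=2884337 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file'

# Read audit records on stdin (e.g. from `ausearch -m avc`) and print one line
# per distinct denial: count, permission, source type -> target type, class, path.
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; path = ""
        # the permission set sits between the braces: "{ append }"
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            else if (kv[1] == "tclass") { cls = kv[2] }
            else if (kv[1] == "path") { path = kv[2]; gsub(/"/, "", path) }
        }
        key = sprintf("denied %s: %s -> %s (%s) path=%s", perm, src, tgt, cls, path)
        if (!(key in count)) { order[++n] = key }
        count[key]++
    }
    END { for (i = 1; i <= n; i++) printf "%d x %s\n", count[order[i]], order[i] }'
}

# Read `semodule -l` output on stdin and succeed only if the named module is
# listed (works for both "name<tab>version" and bare "name" output formats).
# Live use: semodule -l | module_loaded rhts
module_loaded() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# Demonstration on the quoted records; prints
#   2 x denied append: setfiles_t -> mnt_t (file) path=/mnt/testarea/TESTOUT.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

The summary line shows the two facts that matter for this bug at a glance: the source is `setfiles_t` (restorecon) and the target file carries the generic `mnt_t` label rather than whatever the rhts policy would assign, which is consistent with `module_loaded rhts` failing on the affected host.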
Comment 2 Jan Stancek 2012-09-05 11:52:04 EDT
My first idea was that we should rebuild policy from source after first boot, for example in /distribution/install. I spoke to Jeff Burke and he mentioned that this is how it used to be in the past, but there were some issues with this approach as well.

Since the situation we are in right now is an exception (the binary policy is built with newer packages than we have in the latest distro after the last mass rebuild), we concluded it would be best to wait for a new distro to be available.
Comment 3 Bill Peck 2012-09-05 11:58:35 EDT
I think the best solution here is to ship two selinux policies for el7: one that we build outside of brew and one that is built via brew. We would attempt to load the brew-built version first because that should work for the latest versions of rhel7; if that fails to load, we would try and load an older version that was built for alpha2.

This way we should stay current but also work on older installs.  When alpha2 doesn't matter any more we can remove it.
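The fallback described in the comment above, written out as an added shell example (not Beaker's own implementation). The loader command is made overridable through `SEMODULE` so the ordering logic can be exercised without root or a policy store, and the `rhts-alpha2.pp` file name in the usage comment is a hypothetical name for the older build; the only path taken from the report is `/usr/share/selinux/packages/rhts/rhts.pp`.

```shell
#!/bin/sh
# Added example, not from the bug report or from Beaker/beah: try a list of
# policy packages in order and keep the first one the policy store accepts.

# Loader command; overridable so the logic can be run without a real
# policy store (defaults to the real semodule).
: "${SEMODULE:=semodule}"

# Try each policy package in order and stop at the first one that loads.
# Prints the path that loaded and returns 0; returns 1 if none loaded, after
# reporting each loader's error text (e.g. the libsepol dependency message)
# on stderr so the reason for the fallback is preserved.
load_first_working_policy() {
    for pp in "$@"; do
        # capture the loader's stderr, discard its stdout
        if msg=$("$SEMODULE" -i "$pp" 2>&1 >/dev/null); then
            printf '%s\n' "$pp"
            return 0
        fi
        printf 'policy %s rejected, trying next: %s\n' "$pp" "$msg" >&2
    done
    return 1
}

# Live use (second path is a hypothetical name for the older alpha2 build):
#   load_first_working_policy /usr/share/selinux/packages/rhts/rhts.pp \
#                             /usr/share/selinux/packages/rhts/rhts-alpha2.pp
```

Order matters: the newest package goes first so that a current host never silently runs the older policy, and the function's exit status lets the caller fail loudly when neither package loads instead of continuing with no rhts policy at all, which is the state that produced the AVCs in the description.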
Comment 4 Bill Peck 2012-09-06 21:11:56 EDT
http://gerrit.beaker-project.org/#/c/1331/
Comment 7 Dan Callaghan 2012-10-03 18:38:11 EDT
*** Bug 859083 has been marked as a duplicate of this bug. ***
Comment 8 Dan Callaghan 2012-10-11 19:50:15 EDT
Beaker 0.9.4 has been released.
Comment 9 Nick Coghlan 2013-06-13 03:42:12 EDT
*** Bug 810449 has been marked as a duplicate of this bug. ***
