Bug 849568 - rhts selinux module fails to load on RHEL-7.0-20120711.2
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: beah
Version: 0.9
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Bill Peck
QA Contact:
URL:
Whiteboard:
Duplicates: 810449 859083
Depends On:
Blocks: 593663 782468
Reported: 2012-08-20 08:31 UTC by Jan Stancek
Modified: 2019-05-22 13:43 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-10-11 23:50:15 UTC
Embargoed:



Description Jan Stancek 2012-08-20 08:31:59 UTC
Description of problem:

Tests are hitting AVCs like this one:
----
time->Mon Aug 20 03:36:49 2012
type=SYSCALL msg=audit(1345448209.141:278): arch=c000003e syscall=59 success=yes exit=0 a0=17a64d0 a1=17a65d0 a2=17a7030 a3=7fff89e18f50 items=0 ppid=2664 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1345448209.141:278): avc:  denied  { append } for  pid=2667 comm="restorecon" path="/mnt/testarea/TESTOUT.log" dev="dm-1" ino=2884337 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
type=AVC msg=audit(1345448209.141:278): avc:  denied  { append } for  pid=2667 comm="restorecon" path="/mnt/testarea/TESTOUT.log" dev="dm-1" ino=2884337 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file
----

# semodule -l | grep rhts

# semodule -i /usr/share/selinux/packages/rhts/rhts.pp
libsepol.permission_copy_callback: Module rhts depends on permission epollwakeup in class capability2, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).

Version-Release number of selected component (if applicable):
RHEL-7.0-20120711.2 Server x86_64
kernel 3.5.0-0.24.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. provision host with above distro + kernel

Actual results:
rhts selinux module is not loaded

Expected results:
rhts selinux module is loaded, no AVCs for "/mnt/testarea/TESTOUT.log"

Additional info:

Comment 2 Jan Stancek 2012-09-05 15:52:04 UTC
My first idea was that we should rebuild policy from source after first boot, for example in /distribution/install. I spoke to Jeff Burke and he mentioned that this is how it used to be in the past, but there were some issues with this approach as well.

Since the situation we are in right now is an exception (binary policy is built with newer packages than we have in the latest distro after the last mass rebuild), we concluded it would be best to wait for a new distro to be available.

Comment 3 Bill Peck 2012-09-05 15:58:35 UTC
I think the best solution here is to ship two selinux policies for el7: one that we build outside of brew and one that is built via brew. We would attempt to load the brew built version first because that should work for the latest versions of rhel7; if that fails to load, we would try and load an older version that was built for alpha2.

This way we should stay current but also work on older installs.  When alpha2 doesn't matter any more we can remove it.
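
The load order proposed in comment 3, as an added shell example that is not part of this bug report and is not the beah change itself. The function names, the fallback package path and the assumption that the module name equals the package file name are hypothetical; only `semodule -i`, `semodule -l` and the rhts.pp path come from the report.

```shell
#!/bin/sh
# Added example: try SELinux policy packages in order, newest build first,
# and stop at the first one that links against the installed base policy.

# policy_module_name FILE.pp
# Assumption: the module is named after the package file (rhts.pp -> rhts).
policy_module_name() {
    basename "$1" .pp
}

# module_is_loaded NAME
# Exact match on the first column of `semodule -l`, so "rhts" does not
# match a longer module name that merely contains it.
module_is_loaded() {
    semodule -l | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# load_first_policy CANDIDATE...
# Prints the path of the package that loaded; returns 1 if none did.
load_first_policy() {
    for pp in "$@"; do
        if [ ! -r "$pp" ]; then
            echo "skip: $pp is not readable" >&2
            continue
        fi
        # semodule exits non-zero when linking fails, as with the
        # "depends on permission epollwakeup ... not satisfied" error.
        if err=$(semodule -i "$pp" 2>&1) &&
           module_is_loaded "$(policy_module_name "$pp")"; then
            echo "$pp"
            return 0
        fi
        echo "failed: $pp: $err" >&2
    done
    return 1
}

# Usage (second path is a hypothetical placeholder for the older build):
#   load_first_policy /usr/share/selinux/packages/rhts/rhts.pp \
#                     /path/to/alpha2-build/rhts.pp \
#       || echo "no rhts policy could be loaded" >&2
```

Checking `semodule -l` after the install catches the case seen in the description, where the module list stays empty for rhts and the AVC denials on /mnt/testarea/TESTOUT.log continue.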

Comment 4 Bill Peck 2012-09-07 01:11:56 UTC
http://gerrit.beaker-project.org/#/c/1331/

Comment 7 Dan Callaghan 2012-10-03 22:38:11 UTC
*** Bug 859083 has been marked as a duplicate of this bug. ***

Comment 8 Dan Callaghan 2012-10-11 23:50:15 UTC
Beaker 0.9.4 has been released.

Comment 9 Nick Coghlan 2013-06-13 07:42:12 UTC
*** Bug 810449 has been marked as a duplicate of this bug. ***

