I cannot install ecryptfs-utils. I keep getting the error:

Error in PREIN scriptlet in rpm package ecryptfs-utils-100-1.fc17.x86_64
error: %pre(ecryptfs-utils-100-1.fc17.x86_64) scriptlet failed, exit status 10

/var/log/messages contains:

Aug 29 11:34:56 milan kernel: [137306.589412] type=1400 audit(1346232896.509:2565): avc: denied { write } for pid=25416 comm="groupadd" name="group-" dev="sda7" ino=138792 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
Aug 29 11:34:56 milan yum[25412]: ecryptfs-utils-100-1.fc17.x86_64: 100

restorecon /etc/group* did not fix the problem. Disabling selinux was enough, though.
What does

# ls -lZ /etc/group*
Now I get:

$ ls -lZ /etc/group*
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 /etc/group-

But before I tried as many hacks as I could to find out what was the problem, I had the same for both files: system_u:object_r:passwd_file_t:s0. BTW, I also tried removing /etc/group- completely, but the problem remained.
Ok, try to execute

# chcon -t passwd_file_t /etc/group-
# setenforce 0

re-create it and

# ausearch -m avc -ts recent

Thank you.
Sorry, I'm not sure what you mean by "recreate it". Recreate the bug, the file? I tried both, but the command never returns anything:

# ausearch -m avc -ts recent
<no matches>
# ls -Z /etc/group*
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group-
And now are you able to install the package?
No, at least not with setenforce 1. Actually, the chcon command restored my /etc/group- file to the context it had in the first place, when I experienced the bug. So it cannot have fixed it. ;-)
BTW, the bug only happens if the "ecryptfs" group does not exist when trying to install the package. If I create it manually, the install goes fine even with setenforce 1.
Ok, we have another bug with this issue. I added some fixes but obviously it does not work. Could you execute

# semodule -DB

remove the group and try to install it again and

# ausearch -m avc -ts recent

Thank you.
Sorry, still no luck:

# ausearch -m avc -ts recent
<no matches>
Ah, did you switch to permissive mode?

# setenforce 0
I had tried with 0 and 1, and no luck. I just checked again, and I still get no matches.
So it is not working also in permissive mode for you? I mean if you are able to install the package in permissive mode.
Yes, as I said above, with 'setenforce 0' I can install the package properly. What does not work is the command you asked me to run, which never finds matches, with 'setenforce 0' or 'setenforce 1'.

# ausearch -m avc -ts recent
<no matches>
Milan, could you re-execute it in permissive mode and add your output of

# grep invalid /var/log/messages

Thank you.
Sorry, no matches. /var/log/messages contains this:

## This message marks the removal of the package, which is the last known point
## before I reinstalled it a few seconds later
Sep 27 14:21:15 milan yum[17982]: Erased: ecryptfs-utils-100-1.fc17.x86_64
Sep 27 14:21:18 milan systemd[1]: Reloading.
Sep 27 14:21:21 milan dbus-daemon[814]: dbus[814]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
Sep 27 14:21:21 milan dbus[814]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
Sep 27 14:21:21 milan kernel: [594721.960365] type=1400 audit(1348748481.343:10313): avc: denied { rlimitinh } for pid=18027 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
Sep 27 14:21:21 milan kernel: [594721.960419] type=1400 audit(1348748481.343:10314): avc: denied { siginh } for pid=18027 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
Sep 27 14:21:21 milan kernel: [594721.960484] type=1400 audit(1348748481.343:10315): avc: denied { noatsecure } for pid=18027 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
Sep 27 14:21:21 milan dbus-daemon[814]: dbus[814]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Sep 27 14:21:21 milan dbus[814]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Sep 27 14:21:49 milan kernel: [594750.316230] type=1400 audit(1348748509.749:10316): avc: denied { read } for pid=18045 comm="groupadd" path="/tmp/tmpdeRSq1" dev="sda7" ino=7480 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344031] type=1400 audit(1348748509.777:10317): avc: denied { search } for pid=18045 comm="groupadd" name="files" dev="sda7" ino=64576 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
Sep 27 14:21:49 milan kernel: [594750.344082] type=1400 audit(1348748509.777:10318): avc: denied { read } for pid=18045 comm="groupadd" name="file_contexts.subs_dist" dev="sda7" ino=16163 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344107] type=1400 audit(1348748509.777:10319): avc: denied { open } for pid=18045 comm="groupadd" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda7" ino=16163 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344132] type=1400 audit(1348748509.777:10320): avc: denied { getattr } for pid=18045 comm="groupadd" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda7" ino=16163 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344194] type=1400 audit(1348748509.777:10321): avc: denied { read } for pid=18045 comm="groupadd" name="file_contexts" dev="sda7" ino=4376 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344217] type=1400 audit(1348748509.777:10322): avc: denied { open } for pid=18045 comm="groupadd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda7" ino=4376 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344242] type=1400 audit(1348748509.777:10323): avc: denied { getattr } for pid=18045 comm="groupadd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda7" ino=4376 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.430855] type=1400 audit(1348748509.864:10324): avc: denied { ioctl } for pid=18045 comm="groupadd" path="/tmp/tmpdeRSq1" dev="sda7" ino=7480 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
Sep 27 14:21:51 milan systemd[1]: Reloading.
Sep 27 14:21:51 milan yum[18036]: Installed: ecryptfs-utils-100-1.fc17.x86_64
Any chance you could test it with the latest policy build from koji? http://koji.fedoraproject.org/koji/buildinfo?buildID=356858
No luck with the new package either...
What AVCs are you seeing now?
I am just building selinux-policy-3.10.0-154.fc17 for testing from koji. If it does not work, could you attach AVC msgs. Thank you.
http://koji.fedoraproject.org/koji/buildinfo?buildID=359072
Yes, it works now. Thanks!
Thank you for testing.
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17
Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.