Bug 852681 - Error in PREIN scriplet in rpm package ecryptfs-utils-100-1.fc17.x86_64
Error in PREIN scriplet in rpm package ecryptfs-utils-100-1.fc17.x86_64
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-29 05:47 EDT by Milan Bouchet-Valat
Modified: 2012-12-20 10:37 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-20 10:37:22 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milan Bouchet-Valat 2012-08-29 05:47:27 EDT
I cannot install ecryptfs-utils. I keep getting the error:
Error in PREIN scriptlet in rpm package ecryptfs-utils-100-1.fc17.x86_64
error: %pre(ecryptfs-utils-100-1.fc17.x86_64) scriptlet failed, exit status 10


/var/log/messages contains:
Aug 29 11:34:56 milan kernel: [137306.589412] type=1400 audit(1346232896.509:2565): avc:  denied  { write } for  pid=25416 comm="groupadd" name="group-" dev="sda7" ino=138792 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
Aug 29 11:34:56 milan yum[25412]: ecryptfs-utils-100-1.fc17.x86_64: 100

restorecon /etc/group* did not fix the problem.

Disabling selinux was enough, though.
Comment 1 Miroslav Grepl 2012-09-03 05:16:46 EDT
What does

# ls -lZ /etc/group*
Comment 2 Milan Bouchet-Valat 2012-09-03 07:49:06 EDT
Now I get:
$ ls -lZ /etc/group*
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 /etc/group-

But before I tried as many hacks as I could to find out what was the problem, I had the same for both files: system_u:object_r:passwd_file_t:s0.


BTW, I also tried removing /etc/group- compeletely, but the problem remained.
Comment 3 Miroslav Grepl 2012-09-03 13:01:18 EDT
Ok, try to execute

# chcon -t passwd_file_t /etc/group-
# setenforce 0

re-create it and

# ausearch -m avc -ts recent


Thank you.
Comment 4 Milan Bouchet-Valat 2012-09-03 16:16:09 EDT
Sorry, I'm not sure what you mean by "recreate it". Recreate the bug, the file? I tried both, but the command never returns anything:
# ausearch -m avc -ts recent
<no matches>

# ls -Z /etc/group*
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group-
Comment 5 Miroslav Grepl 2012-09-04 04:22:57 EDT
And now are you able to install the package?
Comment 6 Milan Bouchet-Valat 2012-09-04 04:31:59 EDT
No, at least not with setenforce 1. Actually, the chcon command restored my /etc/group- file to the context it had in the first place, when I experienced the bug. So it cannot have fixed it. ;-)
Comment 7 Milan Bouchet-Valat 2012-09-04 04:44:17 EDT
BTW, the bug only happens if the "ecryptfs" group does not exist when trying to install the package. If I create it manually, the install goes fine even with setenforce 1.
Comment 8 Miroslav Grepl 2012-09-04 05:00:37 EDT
Ok, we have another bug with this issue. I added some fixes but obviously it does not work.

Could you execute

# semodule -DB

remove the group and try to install it again and 

# ausearch -m avc -ts recent


Thank you.
Comment 9 Milan Bouchet-Valat 2012-09-04 05:18:40 EDT
Sorry, still no luck:
# ausearch -m avc -ts recent
<no matches>
Comment 10 Miroslav Grepl 2012-09-05 04:16:25 EDT
Ah, did you switch to permissive mode?

# setenforce 0
Comment 11 Milan Bouchet-Valat 2012-09-05 04:27:13 EDT
I had tried with 0 and 1, and no luck. I just checked again, and I still get no matches.
Comment 12 Miroslav Grepl 2012-09-05 05:51:19 EDT
So it is not working also in permissive mode for you?

I mean if you are able to install the package in permissive mode.
Comment 13 Milan Bouchet-Valat 2012-09-05 06:45:23 EDT
Yes, as I said above, with 'setenforce 0' I can install the package properly. What does not work is the command you asked me to run, which never finds matches, with 'setenforce 0' or 'seteforce 1'.

# ausearch -m avc -ts recent
<no matches>
Comment 14 Miroslav Grepl 2012-09-25 09:52:09 EDT
Milan,
could you re-execute it in permissive mode and add your output of

# grep invalid /var/log/messages

Thank you.
Comment 15 Milan Bouchet-Valat 2012-09-27 08:25:59 EDT
Sorry, no matches. /var/log/messages contains this:

## This message marks the removal of the package, which is the last know point
## before I reinstalled it a few seconds later
Sep 27 14:21:15 milan yum[17982]: Erased: ecryptfs-utils-100-1.fc17.x86_64
Sep 27 14:21:18 milan systemd[1]: Reloading.
Sep 27 14:21:21 milan dbus-daemon[814]: dbus[814]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
Sep 27 14:21:21 milan dbus[814]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
Sep 27 14:21:21 milan kernel: [594721.960365] type=1400 audit(1348748481.343:10313): avc:  denied  { rlimitinh } for  pid=18027 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
Sep 27 14:21:21 milan kernel: [594721.960419] type=1400 audit(1348748481.343:10314): avc:  denied  { siginh } for  pid=18027 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
Sep 27 14:21:21 milan kernel: [594721.960484] type=1400 audit(1348748481.343:10315): avc:  denied  { noatsecure } for  pid=18027 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
Sep 27 14:21:21 milan dbus-daemon[814]: dbus[814]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Sep 27 14:21:21 milan dbus[814]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Sep 27 14:21:49 milan kernel: [594750.316230] type=1400 audit(1348748509.749:10316): avc:  denied  { read } for  pid=18045 comm="groupadd" path="/tmp/tmpdeRSq1" dev="sda7" ino=7480 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344031] type=1400 audit(1348748509.777:10317): avc:  denied  { search } for  pid=18045 comm="groupadd" name="files" dev="sda7" ino=64576 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
Sep 27 14:21:49 milan kernel: [594750.344082] type=1400 audit(1348748509.777:10318): avc:  denied  { read } for  pid=18045 comm="groupadd" name="file_contexts.subs_dist" dev="sda7" ino=16163 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344107] type=1400 audit(1348748509.777:10319): avc:  denied  { open } for  pid=18045 comm="groupadd" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda7" ino=16163 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344132] type=1400 audit(1348748509.777:10320): avc:  denied  { getattr } for  pid=18045 comm="groupadd" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda7" ino=16163 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344194] type=1400 audit(1348748509.777:10321): avc:  denied  { read } for  pid=18045 comm="groupadd" name="file_contexts" dev="sda7" ino=4376 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344217] type=1400 audit(1348748509.777:10322): avc:  denied  { open } for  pid=18045 comm="groupadd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda7" ino=4376 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.344242] type=1400 audit(1348748509.777:10323): avc:  denied  { getattr } for  pid=18045 comm="groupadd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda7" ino=4376 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
Sep 27 14:21:49 milan kernel: [594750.430855] type=1400 audit(1348748509.864:10324): avc:  denied  { ioctl } for  pid=18045 comm="groupadd" path="/tmp/tmpdeRSq1" dev="sda7" ino=7480 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
Sep 27 14:21:51 milan systemd[1]: Reloading.
Sep 27 14:21:51 milan yum[18036]: Installed: ecryptfs-utils-100-1.fc17.x86_64
Comment 16 Miroslav Grepl 2012-09-27 13:28:42 EDT
Any chance you could test it with the latest policy build from koji?

http://koji.fedoraproject.org/koji/buildinfo?buildID=356858
Comment 17 Milan Bouchet-Valat 2012-09-29 09:19:17 EDT
No luck with the new package either...
Comment 18 Daniel Walsh 2012-10-09 13:20:25 EDT
What AVCs are you seeing now?
Comment 19 Miroslav Grepl 2012-10-09 13:42:17 EDT
I am just building

selinux-policy-3.10.0-154.fc17

for testing from koji. If it does not work, could you attach AVC msgs. Thank you.
Comment 21 Milan Bouchet-Valat 2012-10-10 03:07:32 EDT
Yes, it works now. Thanks!
Comment 22 Miroslav Grepl 2012-10-10 04:03:58 EDT
Thank you for testing.
Comment 23 Fedora Update System 2012-10-17 08:34:10 EDT
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17
Comment 24 Fedora Update System 2012-10-17 20:25:15 EDT
Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17
then log in and leave karma (feedback).
Comment 25 Fedora Update System 2012-12-20 10:37:24 EST
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.