Description of problem: Created a live image with enforcing enabled on an F18 host, using selinux-policy -60 for guest and host (current stable). Using livecd-tools 18.13. Tried to boot the live image; boots to a black screen. Booting with enforcing=0 boots fine and gives me this single AVC. SELinux is preventing /usr/libexec/colord from 'write' accesses on the directory colord. ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If you want to allow colord to have write access on the colord directory Then you need to change the label on colord Do # semanage fcontext -a -t FILE_TYPE 'colord' where FILE_TYPE is one of the following: tmpfs_t, tmp_t, colord_tmpfs_t, colord_var_lib_t, var_lib_t, colord_tmp_t. Then execute: restorecon -v 'colord' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that colord should be allowed write access on the colord directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep colord /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:colord_t:s0 Target Context unconfined_u:object_r:var_t:s0 Target Objects colord [ dir ] Source colord Source Path /usr/libexec/colord Port <Unknown> Host (removed) Source RPM Packages colord-0.1.25-1.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-60.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 14:12:51 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen 2012-12-12 21:23:07 EST Last Seen 2012-12-12 21:23:07 EST Local ID 4ac14a97-4749-4b5e-8c8a-dc81ff78a7c6 Raw Audit Messages type=AVC msg=audit(1355365387.703:397): avc: denied { write } for pid=1646 comm="colord" name="colord" dev="dm-0" ino=9172 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir type=AVC msg=audit(1355365387.703:397): avc: denied { add_name } for pid=1646 comm="colord" name="mapping.db" scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir type=AVC msg=audit(1355365387.703:397): avc: denied { create } for pid=1646 comm="colord" name="mapping.db" scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file type=AVC msg=audit(1355365387.703:397): avc: denied { read write open } for pid=1646 comm="colord" path="/var/lib/colord/mapping.db" dev="dm-0" ino=42686 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1355365387.703:397): arch=x86_64 syscall=open success=yes exit=ENXIO a0=17e9720 a1=80042 a2=1a4 a3=7fff5e6aae20 items=0 ppid=1 pid=1646 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null) Hash: colord,colord_t,var_t,dir,write audit2allow audit2allow -R Additional info: hashmarkername: setroubleshoot kernel: 3.6.9-4.fc18.x86_64 type: libreport
CCing bcl as this is likely livecd-creator not selinux-policy...
If I build an image with -62 on the host and -62 in the package set for the live image, the resulting image boots, but only to gdm: if I click on 'live user' it cycles right back to gdm. If I boot with enforcing=0 and login I see a whole *pile* of AVCs, 52+ from pulseaudio, gnome-settings-daemon, gnome-keyring-daemon, gnome-session, pactl, dconf-service...it's obviously borked. And more AVCs show up just leaving the VM sitting there. This seems to happen whether I set Enforcing or Permissive on the host. Re-assigning to livecd-creator as I'm fairly sure that's where the problem is.
system installed from a 62/62 image has the same problem - gdm loops if booted with selinux in enforcing. works if booted with enforcing=off . giant pile of AVCs. If I do 'restorecon -nvr /' , it seems like the system is completely mislabelled - everything seems to be unconfined_u:object_r:root_t:s0 .
I see these errors/warnings during live image generation: /etc/selinux/targeted/contexts/files/file_contexts: line 3259 has invalid context system_u:object_r:consoletype_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts: line 3835 has invalid context system_u:object_r:consoletype_exec_t:s0 1.0%/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:consoletype_exec_t:s0 not sure if that's related.
I think this is a selinux-policy problem. I built multiple successful livecds using -50 on the host and -60 and -62 on the image. When I upgraded my system (various package upgrades including selinux-policy-3.11.1-62) and built a new livecd it will no longer boot. checking the audit.log on the host doesn't show any unusual denials during the build. I *do* see the output from comment 4, but I also so it on all of the successful builds so I think that is unrelated.
what does # grep consoletype_exec_t /etc/selinux/targeted I need to test it on my machine.
[root@adam tmp]# grep -r consoletype_exec_t /etc/selinux/targeted [root@adam tmp]#
[root@adam tmp]# rpm -V selinux-policy-targeted missing /etc/selinux/targeted/modules/active/modules/consoletype.pp
On my desktop I was able to build bootable livecd's using policy -50 (and -62 on the image). When I upgraded to -62 the would not boot. I am missing the same file as comment 8 on the desktop. On my laptop I can build bootable images. It isn't missing the file, and the upgrade path for selinux-policy has been: -46 to -50 to -60 (on 12/8) to -62 today.
Note, running yum reinstall selinux-policy-targeted doesn't reinstall the missing file.
I am fixing it. Fixed in selinux-policy-3.11.1-63.fc18.noarch
Proposing as at least NTH because we may be pulling a newer selinux so we should ensure we get one that fixes this, if we do.
mgrepl: can you please submit -63 as an update so we can pull it into builds? thanks.
I am going to submit a newer build today. There were more issues to fix.
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
Discussed at 2012-12-17 NTH review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-17/f18final-blocker-review-5.2012-12-17-16.40.log.txt . Accepted as NTH - selinux-policy -60 went stable, so we could possibly run into issues building live images with it, we should ensure that doesn't happen.
Looks fixed with -66. Thanks.
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.