Description of problem:
During livecd builds (here: http://jenkins.ovirt.org/view/ovirt_node/job/ovirt-node-iso-devel/2016/console) we are seeing this kind of problem:

ERROR: policydb magic number 0x000008 does not match expected magic number 0xf97cff8c or 0xf97cff8d
ERROR: Unable to open policy /sys/fs/selinux/policy.
Traceback (most recent call last):
  File "/sbin/semanage", line 25, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 65, in <module>
    raise e
ValueError: Failed to read /sys/fs/selinux/policy policy file
Saved 1 file(s)
sed: can't read /etc/sysconfig/auditd: No such file or directory

First we tried to match up the selinux-policy versions between host and livecd, but that didn't help. Additionally, I found bug #817485, and we also updated/installed the necessary selinux-console and python libs.

Version-Release number of selected component (if applicable):
rpm -q selinux-policy selinux-policy-targeted setools-libs-python setools-console
selinux-policy-3.11.1-87.fc18.noarch
selinux-policy-targeted-3.11.1-87.fc18.noarch
setools-libs-python-3.3.7-34.fc18.x86_64
setools-console-3.3.7-34.fc18.x86_64

How reproducible:
always

Steps to Reproduce:
1. Look at ovirt's ovirt-node-iso jenkins job

Actual results:
The errors during the livecd build and later problems inside the livecd image.

Expected results:
No errors during build and no policy problems within the image.

Additional info:
ML thread for reference: http://lists.ovirt.org/pipermail/infra/2013-April/002577.html
Later on during the livecd run we see these additional errors (which I guess are follow-up errors):

Listing /usr/share/virt-manager/virtManagerTui/importblacklist ...
Configuring SELinux
Compiling targeted ovirt module
ovirt.te":58:ERROR 'unknown type passwd_file_t' at token ';' on line 1036:
allow collectd_t passwd_file_t:file read;
#============= collectd_t ==============
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from tmp/ovirt.tmp
make: *** [tmp/ovirt.mod] Error 1
semodule: Failed on ovirt.pp!
Attempting to install module 'ovirt.pp':
Created attachment 736038 selinux policy
Is there anything else we can provide to solve this problem?
Looks like it might be a problem with policycoreutils/sepolicy.
rpm -q policycoreutils
rpm -q policycoreutils
policycoreutils-2.1.13-59.fc18.x86_64
I'm happy to provide any information needed, as this blocks our whole automation.
I should also note that we can reliably reproduce this in a jenkins job running on a Fedora 18 host.
The module we use can be found here: http://gerrit.ovirt.org/gitweb?p=ovirt-node.git;a=blob;f=recipe/ovirt17-post.ks;hb=HEAD
<dwalsh> Why are you generating this rather than just installing a pp file.
<dwalsh> Looks like a lot of cruft in it …
<fabiand> dwalsh, yep - can be that there is cruft in it ... the whole relevant part of the error and creation can be found here: http://www.fpaste.org/vuwk/
<fabiand> dwalsh, what do you mean by installing a pp file?
<dwalsh> You should compile your pp file during the build and just install it no, no need to compile and install during installation.
semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage
allow_execstack=0
virt_use_nfs=1
virt_use_sanlock=1
sanlock_use_nfs=1
EOF_semanage

leads to:

ERROR: policydb magic number 0x000008 does not match expected magic number 0xf97cff8c or 0xf97cff8d
ERROR: Unable to open policy /sys/fs/selinux/policy.
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 25, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 65, in <module>
    raise e
ValueError: Failed to read /sys/fs/selinux/policy policy file
warning: %post(ovirt-node-selinux-2.6.999-999.20130418161252gita49caae.fc18.noarch) scriptlet failed, exit status 1

-- snip --

/usr/sbin/setsebool -P allow_execstack=0 \
    virt_use_nfs=1 \
    virt_use_sanlock=1 \
    sanlock_use_nfs=1

works without errors
I would go with that for now. They are equivalent. Although I have no idea why you are getting that error on policy read.
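A header check that can be run inside the build environment to see what is actually being read from /sys/fs/selinux/policy when semanage reports the magic mismatch; this is an added example and not part of the original thread or of policycoreutils. Only the two magic values come from the error message above; the little-endian layout (magic, identifier length, identifier string) is an assumption about the binary policy format, and the names inspect_policy_header and inspect_policy_file are hypothetical.

```python
import struct

# Magic values quoted in the semanage error message on this page.
KERNEL_MAGIC = 0xF97CFF8C
MODULE_MAGIC = 0xF97CFF8D
KINDS = {KERNEL_MAGIC: "kernel policy", MODULE_MAGIC: "policy module"}


def inspect_policy_header(data):
    """Classify the leading bytes of a binary policy image.

    Assumed layout (little-endian): u32 magic, u32 identifier length,
    identifier string.
    """
    if len(data) < 8:
        return {"ok": False, "reason": "short read (%d bytes)" % len(data)}
    magic, id_len = struct.unpack_from("<II", data, 0)
    if magic not in KINDS:
        return {"ok": False, "magic": magic,
                "reason": "magic 0x%08x is neither 0x%08x nor 0x%08x"
                          % (magic, KERNEL_MAGIC, MODULE_MAGIC)}
    ident = data[8:8 + id_len]
    if len(ident) != id_len:
        return {"ok": False, "magic": magic,
                "reason": "identifier truncated (%d of %d bytes)"
                          % (len(ident), id_len)}
    return {"ok": True, "magic": magic, "kind": KINDS[magic],
            "identifier": ident.decode("ascii", "replace")}


def inspect_policy_file(path="/sys/fs/selinux/policy"):
    """Read only the header of path; report open/read failures as a result."""
    try:
        with open(path, "rb") as fh:
            return inspect_policy_header(fh.read(64))
    except OSError as exc:
        return {"ok": False, "reason": "cannot read %s: %s" % (path, exc)}


# Constructed sample inputs (not captured from the failing build).
GOOD = struct.pack("<II", KERNEL_MAGIC, 8) + b"SE Linux"
BAD = struct.pack("<I", 0x00000008) + b"\x00" * 12

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, inspect_policy_header(blob))
    print("live", inspect_policy_file())
```

Running it both on the build host and inside the image chroot shows whether the two environments see the same policy file at that path.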
Just some feedback. We migrated our whole policy into a subpackage and that seems to solve many of the problems we saw. I'd say this can be closed, and we'll reopen it as needed.