RE: SELinux upgrade issue


>-----Original Message-----
>From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>Sent: 28 August 2009 18:07
>To: Discussion list about Kickstart
>Subject: Re: SELinux upgrade issue
>On 08/28/2009 12:22 PM, Moray Henderson (ICT) wrote:
>> Just encountered an interesting issue, and wondered if anyone had seen
>> anything like it before.  One of the packages I add to my CentOS-based
>> build is a custom SELinux policy (FX: screaming, running away).  During a
>> fresh install, it works perfectly:
>> # grep selinux install.log
>> Installing libselinux-1.33.4-5.1.el5.i386
>> Installing libselinux-python-1.33.4-5.1.el5.i386
>> Installing libselinux-utils-1.33.4-5.1.el5.i386
>> Installing selinux-policy-2.4.6-203.el5.noarch
>> Installing selinux-policy-targeted-2.4.6-203.el5.noarch
>> Installing sls-selinux-policy-1.0-3.sls17.noarch
>> Installing selinux-policy-devel-2.4.6-203.el5.noarch
>> But during an upgrade from CentOS 4, this happens:
>> # grep selinux /root/upgrade.log
>> Upgrading libselinux-1.33.4-5.1.el5.i386
>> Upgrading libselinux-python-1.33.4-5.1.el5.i386
>> Upgrading libselinux-utils-1.33.4-5.1.el5.i386
>> Upgrading selinux-policy-2.4.6-203.el5.noarch
>> Upgrading selinux-policy-targeted-2.4.6-203.el5.noarch
>> Upgrading sls-selinux-policy-1.0-3.sls17.noarch
>> libsemanage.semanage_make_sandbox: Could not copy files to sandbox
>> /usr/sbin/semodule:  Failed on /usr/share/selinux/targeted/sls.pp!
>> Upgrading selinux-policy-devel-2.4.6-203.el5.noarch
>> warning: /etc/selinux/targeted/policy/policy.18 saved as
>> Once anaconda has finished and is on the "installation complete" screen,
>> I can switch to Alt-F2 and say
>> chroot /mnt/sysimage
>> /usr/sbin/semodule -i /usr/share/selinux/targeted/sls.pp -s targeted
>> and now the module installs and loads at the next boot.  Any ideas how
>> to get it to install properly the first time?
>> Moray.
>> "To err is human.  To purr, feline"
>I think you want to make sure selinux-policy-targeted post install is
>finished before you run your post.
>Something like
>Requires(post): selinux-policy-targeted

I tried that, but it didn't make any difference.  There is some kind of timing or transaction issue, because if I leave my sls-selinux-policy module out of the automated upgrade, and install it manually from the Alt-F2 screen before rebooting, I don't see the libsemanage.semanage_make_sandbox error.  On the other hand, the file contexts that are supposed to be updated when the policy is loaded are left with their old values.

Actually, it's more complicated than that: the anaconda environment has my policy loaded already, so that the files are installed with their correct contexts.  During a fresh install, this policy seems to be unloaded when selinux-policy-targeted is installed in the chroot, then reloaded when its rpm is installed.  During an upgrade, it fails to load when its rpm is installed.

At this point in the load there must be a discrepancy in the chroot between the control files in /etc/selinux and the actual modules that are loaded, and it feels as if this is what is causing the problem.  I'll keep experimenting here, too.
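The check that the Alt-F2 workaround above amounts to, written up as an added example (not code from the thread, the kickstart project or the sls package): a %post-style helper that installs the module with the same semodule invocation as in the thread, confirms via semodule -l that it really loaded, and, when it did not, leaves /.autorelabel behind so the stale file contexts get fixed on the next boot instead of being silently kept. Module name "sls", the .pp path and the "targeted" store are taken from the thread; the helper names, the $SEMODULE override and the relabel-flag approach are assumptions.

```sh
#!/bin/sh
# Added example: verify an SELinux module actually loaded after its package
# scriptlet ran, and schedule a relabel if it did not. Not from the thread.
# $SEMODULE is overridable so the logic can be exercised without a real
# policy store (assumption, for testing only).

SEMODULE="${SEMODULE:-/usr/sbin/semodule}"
MODULE_NAME="${MODULE_NAME:-sls}"
MODULE_PP="${MODULE_PP:-/usr/share/selinux/targeted/sls.pp}"
RELABEL_FLAG="${RELABEL_FLAG:-/.autorelabel}"

# Return 0 if MODULE_NAME appears in the targeted store's module list.
# Older semodule prints "name<TAB>version", newer prints just the name;
# comparing field 1 handles both.
module_loaded() {
    "$SEMODULE" -l -s targeted 2>/dev/null |
        awk -v m="$MODULE_NAME" '$1 == m { found = 1 } END { exit !found }'
}

# Install the module and check that it is really present afterwards.
# Returns 0 when loaded; 1 when the install failed or the module is still
# missing, in which case a full relabel is scheduled for the next boot so
# files do not keep the contexts from before the upgrade. A %post should
# never abort the rpm transaction over this, hence warn-and-continue.
install_module() {
    if "$SEMODULE" -i "$MODULE_PP" -s targeted && module_loaded; then
        return 0
    fi
    echo "warning: SELinux module $MODULE_NAME not loaded; scheduling relabel" >&2
    : > "$RELABEL_FLAG"
    return 1
}

# Call install_module from the %post scriptlet; "--run" is only for manual use.
if [ "${1:-}" = "--run" ]; then
    install_module
fi
```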

Kickstart-list mailing list
