cloud-init blocked from installing rpm with scripts -- f19 issue still with us
Daniel J Walsh
dwalsh at redhat.com
Mon Dec 2 19:41:58 UTC 2013
On 12/02/2013 01:51 PM, Dominick Grift wrote:
> On Mon, 2013-12-02 at 10:11 -0500, Daniel J Walsh wrote:
>> On 11/27/2013 05:05 PM, Matthew Miller wrote:
>>> Please see https://bugzilla.redhat.com/show_bug.cgi?id=990910
>>>
>>> This is a pretty serious problem -- people need to be able to install
>>> packages via cloud-init.
>>>
>>>
>> I just built selinux-policy-3.12.1-106.fc20 which should fix this issue
>> in F20, could you try it out and make sure it works for you?
>
> I do not see how:
>
> + rpm_transition_script(cloud_init_t)
>
> fixes this issue:
>
> avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash"
> dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0
> tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
>
> yum is labeled rpm_exec_t:
>
> -rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum
>
> there is a rule that makes processes with the cloud_init_t type transition
> from cloud_init_t to rpm_t on rpm_exec_t:
>
> rpm_domtrans(cloud_init_t)
>
> so if that rule was applied at the point of the test then this event
> shouldn't have occurred ... unless I am missing something
>
>
>
We already added an rpm_domtrans(cloud_init_t) rule. My understanding was they
were still getting the transition rule, which was causing problems. I was
thinking that the tool had sucked in rpm/yum rules rather than executing a
separate binary.
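The denial quoted in the thread is easier to reason about once the AVC record is broken into its fields: source domain, target domain, object class and the permission that was refused. The following Python script is an added example and is not code from the thread or from the selinux-policy project; it parses the AVC line quoted above (embedded here as a constructed sample, joined onto one line), derives the allow rule the denial implies, and checks whether the `yum` process was already running in the domain that the existing `rpm_domtrans(cloud_init_t)` rule should have moved it into. The function names (`parse_avc`, `implied_allow_rule`, `exec_transition_took_effect`) are this example's own.

```python
"""Parse SELinux AVC denial records and relate them to domain-transition rules.

Added example, not part of the original mailing-list thread. It reads the
'avc: denied' record quoted in the discussion and pulls out the fields an
analyst compares against the policy: which domain tried to do what, to
which target type, on which object class.
"""
import re

# Constructed sample: the record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash" '
    'dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 '
    'tcontext=system_u:system_r:rpm_script_t:s0 tclass=process'
)

# 'avc: denied { perm1 perm2 } for key=value key="quoted value" ...'
_AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        # stype/ttype are the domain (source) and target type in the denial.
        'stype': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
    }


def implied_allow_rule(rec):
    """Render the allow rule that this denial is asking for, in policy syntax.

    Whether that rule is the right fix is a separate question: for a
    'process transition' denial the analyst should first ask why the
    source process is in that domain at all.
    """
    return 'allow %s %s:%s { %s };' % (
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def exec_transition_took_effect(rec, command, expected_domain):
    """True if the process named `command` is already running in `expected_domain`.

    In the thread, rpm_domtrans(cloud_init_t) is meant to move yum from
    cloud_init_t into rpm_t on exec of an rpm_exec_t file. If the AVC shows
    comm="yum" still in cloud_init_t, that transition did not happen.
    """
    return rec['comm'] == command and rec['stype'] == expected_domain


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print('source domain :', rec['stype'])
    print('target type   :', rec['ttype'])
    print('denied        :', rec['tclass'], rec['perms'])
    print('implied rule  :', implied_allow_rule(rec))
    print('yum in rpm_t? :', exec_transition_took_effect(rec, 'yum', 'rpm_t'))
```

Run against the quoted record, the script reports that `yum` is still executing as `cloud_init_t` when it spawns `/usr/bin/bash`, which is the observation behind Dominick's remark that the `rpm_domtrans` rule cannot have taken effect: had yum been moved into `rpm_t`, the scriptlet transition would have been evaluated from that domain instead.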