Odd user/group identity lookup problem

Daniel J Walsh dwalsh at redhat.com
Tue Oct 9 18:51:34 UTC 2012



On 10/09/2012 12:46 PM, Adam Williamson wrote:
> On Sat, 2012-10-06 at 06:45 -0400, Daniel J Walsh wrote:
>> On 10/04/2012 10:12 PM, Adam Williamson wrote:
>>> On Thu, 2012-10-04 at 16:32 -0400, John.Florian at dart.biz wrote:
>>> 
>>>> I believe I've already found the problem.  On the host running 
>>>> livecd-creator, I'm seeing AVCs like:
>>> 
>>> Yeah, it's selinux. I've just been running setenforce Permissive when I
>>>  want to build live images. That used to be how it was for years
>>> anyhow, it only started working in Enforcing mode a couple of releases
>>> back, so I didn't figure it was a major issue.
>>> 
>> What AVCs are you seeing?
> 
> SELinux is preventing /usr/sbin/useradd from read access on the lnk_file 
> run.
> 
> type=AVC msg=audit(1349476458.298:737): avc:  denied  { read } for 
> pid=10030 comm="useradd" name="run" dev="loop0" ino=1094 
> scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> 
> type=SYSCALL msg=audit(1349476458.298:737): arch=x86_64 syscall=connect 
> success=no exit=ENOENT a0=5 a1=7fff5acdbc10 a2=6e a3=100 items=0 ppid=10025
> pid=10030 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts2 ses=1 comm=useradd exe=/usr/sbin/useradd 
> subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
> 
> ------------------------
> 
> type=AVC msg=audit(1349476460.104:739): avc:  denied  { read } for 
> pid=10090 comm="groupadd" name="run" dev="loop0" ino=1094 
> scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> 
> 
> type=SYSCALL msg=audit(1349476460.104:739): arch=x86_64 syscall=connect 
> success=no exit=ENOENT a0=4 a1=7fffac61a650 a2=6e a3=400 items=0 ppid=10088
> pid=10090 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts2 ses=1 comm=groupadd exe=/usr/sbin/groupadd 
> subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
> 
> Happens each time a package being installed into the live image environment
> tries to create a user or group.
> 

We have identified this as a livecd app problem. livecd has to tell rpm to not
do SELinux stuff.  We had the same problem with mock.  Basically we want rpm
to not transition to other domains when running in livecd, which will prevent
livecd_t -> rpm_script_t -> useradd_t ...


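An added triage helper (not code from this thread or from livecd-creator) that parses the AVC and SYSCALL records quoted above, pairs them by audit serial, and flags denials whose source domain is one the mail names in the unwanted livecd_t -> rpm_script_t -> useradd_t chain. The audit lines are embedded as constructed sample input; TRANSITION_DOMAINS is an assumption for this example, not a policy identifier.

```python
import re
from collections import defaultdict

# Constructed sample: the four audit records quoted in the thread, one per line.
AUDIT_LINES = """\
type=AVC msg=audit(1349476458.298:737): avc:  denied  { read } for pid=10030 comm="useradd" name="run" dev="loop0" ino=1094 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1349476458.298:737): arch=x86_64 syscall=connect success=no exit=ENOENT a0=5 a1=7fff5acdbc10 a2=6e a3=100 items=0 ppid=10025 pid=10030 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1349476460.104:739): avc:  denied  { read } for pid=10090 comm="groupadd" name="run" dev="loop0" ino=1094 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1349476460.104:739): arch=x86_64 syscall=connect success=no exit=ENOENT a0=4 a1=7fffac61a650 a2=6e a3=400 items=0 ppid=10088 pid=10090 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=groupadd exe=/usr/sbin/groupadd subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
"""

# Assumption: domains the thread names as reached via rpm's transition chain.
TRANSITION_DOMAINS = {"rpm_script_t", "useradd_t", "groupadd_t"}

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")

def parse_record(line):
    """Return (serial, record type, fields) for one audit line."""
    serial = SERIAL_RE.search(line).group(2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    perms = PERMS_RE.search(line)
    if perms:  # only AVC records carry the denied permission set
        fields["perms"] = perms.group(1).split()
    return serial, fields["type"], fields

def triage(text):
    """Pair AVC and SYSCALL records by serial and summarise each denial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            serial, rtype, fields = parse_record(line)
            events[serial][rtype] = fields
    summary = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        if "AVC" not in recs:
            continue
        avc, sc = recs["AVC"], recs.get("SYSCALL", {})
        domain = avc["scontext"].split(":")[2]  # e.g. useradd_t
        summary.append({
            "serial": serial, "comm": avc["comm"], "source_domain": domain,
            "target_type": avc["tcontext"].split(":")[2],  # e.g. var_t
            "tclass": avc["tclass"], "perms": avc["perms"],
            "syscall": sc.get("syscall"), "exit": sc.get("exit"),
            "exe": sc.get("exe"),
            "via_rpm_transition": domain in TRANSITION_DOMAINS,
        })
    return summary
```

Running `triage(AUDIT_LINES)` yields one entry per denial; a `via_rpm_transition` of True on a livecd build is the sign that rpm was still allowed to transition scriptlets into confined domains.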

