Odd user/group identity lookup problem

Adam Williamson awilliam at redhat.com
Tue Oct 9 19:17:26 UTC 2012 

On Tue, 2012-10-09 at 14:51 -0400, Daniel J Walsh wrote:
> On 10/09/2012 12:46 PM, Adam Williamson wrote:
> > On Sat, 2012-10-06 at 06:45 -0400, Daniel J Walsh wrote:
> >> On 10/04/2012 10:12 PM, Adam Williamson wrote:
> >>> On Thu, 2012-10-04 at 16:32 -0400, John.Florian at dart.biz wrote:
> >>> 
> >>>> I believe I've already found the problem.  On the host running 
> >>>> livecd-creator, I'm seeing AVCs like:
> >>> 
> >>> Yeah, it's selinux. I've just been running setenforce Permissive when I
> >>>  want to build live images. That used to be how it was for years
> >>> anyhow, it only started working in Enforcing mode a couple of releases
> >>> back, so I didn't figure it was a major issue.
> >>> 
> >> What AVC's are you seeing?
> > 
> > SELinux is preventing /usr/sbin/useradd from read access on the lnk_file 
> > run.
> > 
> > type=AVC msg=audit(1349476458.298:737): avc:  denied  { read } for 
> > pid=10030 comm="useradd" name="run" dev="loop0" ino=1094 
> > scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 
> > tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> > 
> > type=SYSCALL msg=audit(1349476458.298:737): arch=x86_64 syscall=connect 
> > success=no exit=ENOENT a0=5 a1=7fff5acdbc10 a2=6e a3=100 items=0 ppid=10025
> > pid=10030 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=pts2 ses=1 comm=useradd exe=/usr/sbin/useradd 
> > subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
> > 
> > ------------------------
> > 
> > type=AVC msg=audit(1349476460.104:739): avc:  denied  { read } for 
> > pid=10090 comm="groupadd" name="run" dev="loop0" ino=1094 
> > scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 
> > tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> > 
> > 
> > type=SYSCALL msg=audit(1349476460.104:739): arch=x86_64 syscall=connect 
> > success=no exit=ENOENT a0=4 a1=7fffac61a650 a2=6e a3=400 items=0 ppid=10088
> > pid=10090 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=pts2 ses=1 comm=groupadd exe=/usr/sbin/groupadd 
> > subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
> > 
> > Happens each time a package being installed into the live image environment
> > tries to create a user or group.
> > 
> 
> We have identified this as a livecd app problem. livecd has to tell rpm to not
> do SELinux stuff.  We had the same problem with mock.  Basically we want rpm
> to not transition to other domains when running in livecd, which will prevent
> livecd_t -> rpm_script_t -> useradd_t ...

Best let Brian know, then. CCing.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

More information about the test mailing list