Odd user/group identity lookup problem
Adam Williamson
awilliam at redhat.com
Tue Oct 9 19:17:26 UTC 2012
On Tue, 2012-10-09 at 14:51 -0400, Daniel J Walsh wrote:
> On 10/09/2012 12:46 PM, Adam Williamson wrote:
> > On Sat, 2012-10-06 at 06:45 -0400, Daniel J Walsh wrote:
> >> On 10/04/2012 10:12 PM, Adam Williamson wrote:
> >>> On Thu, 2012-10-04 at 16:32 -0400, John.Florian at dart.biz wrote:
> >>>
> >>>> I believe I've already found the problem. On the host running
> >>>> livecd-creator, I'm seeing AVCs like:
> >>>
> >>> Yeah, it's selinux. I've just been running setenforce Permissive when I
> >>> want to build live images. That used to be how it was for years
> >>> anyhow, it only started working in Enforcing mode a couple of releases
> >>> back, so I didn't figure it was a major issue.
> >>>
> >> What AVCs are you seeing?
> >
> > SELinux is preventing /usr/sbin/useradd from read access on the lnk_file
> > run.
> >
> > type=AVC msg=audit(1349476458.298:737): avc: denied { read } for
> > pid=10030 comm="useradd" name="run" dev="loop0" ino=1094
> > scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> >
> > type=SYSCALL msg=audit(1349476458.298:737): arch=x86_64 syscall=connect
> > success=no exit=ENOENT a0=5 a1=7fff5acdbc10 a2=6e a3=100 items=0 ppid=10025
> > pid=10030 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=pts2 ses=1 comm=useradd exe=/usr/sbin/useradd
> > subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
> >
> > ------------------------
> >
> > type=AVC msg=audit(1349476460.104:739): avc: denied { read } for
> > pid=10090 comm="groupadd" name="run" dev="loop0" ino=1094
> > scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> >
> >
> > type=SYSCALL msg=audit(1349476460.104:739): arch=x86_64 syscall=connect
> > success=no exit=ENOENT a0=4 a1=7fffac61a650 a2=6e a3=400 items=0 ppid=10088
> > pid=10090 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=pts2 ses=1 comm=groupadd exe=/usr/sbin/groupadd
> > subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
> >
> > Happens each time a package being installed into the live image environment
> > tries to create a user or group.
> >
>
> We have identified this as a livecd app problem. livecd has to tell rpm to not
> do SELinux stuff. We had the same problem with mock. Basically we want rpm
> to not transition to other domains when running in livecd, which will prevent
> livecd_t -> rpm_script_t -> useradd_t ...
Best let Brian know, then. CCing.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net