Odd user/group identity lookup problem

Daniel J Walsh dwalsh at redhat.com
Wed Oct 10 13:11:28 UTC 2012



On 10/09/2012 03:17 PM, Adam Williamson wrote:
> On Tue, 2012-10-09 at 14:51 -0400, Daniel J Walsh wrote:
>> On 10/09/2012 12:46 PM, Adam Williamson wrote:
>>> On Sat, 2012-10-06 at 06:45 -0400, Daniel J Walsh wrote:
>>>> On 10/04/2012 10:12 PM, Adam Williamson wrote:
>>>>> On Thu, 2012-10-04 at 16:32 -0400, John.Florian at dart.biz wrote:
>>>>> 
>>>>>> I believe I've already found the problem.  On the host running 
>>>>>> livecd-creator, I'm seeing AVCs like:
>>>>> 
>>>>> Yeah, it's SELinux. I've just been running setenforce Permissive
>>>>> when I want to build live images. That used to be how it was for
>>>>> years anyhow, it only started working in Enforcing mode a couple of
>>>>> releases back, so I didn't figure it was a major issue.
>>>>> 
>>>> What AVCs are you seeing?
>>> 
>>> SELinux is preventing /usr/sbin/useradd from read access on the
>>> lnk_file run.
>>> 
>>> type=AVC msg=audit(1349476458.298:737): avc:  denied  { read } for 
>>> pid=10030 comm="useradd" name="run" dev="loop0" ino=1094 
>>> scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 
>>> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
>>> 
>>> type=SYSCALL msg=audit(1349476458.298:737): arch=x86_64 syscall=connect
>>>  success=no exit=ENOENT a0=5 a1=7fff5acdbc10 a2=6e a3=100 items=0
>>> ppid=10025 pid=10030 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=pts2 ses=1 comm=useradd exe=/usr/sbin/useradd 
>>> subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
>>> 
>>> ------------------------
>>> 
>>> type=AVC msg=audit(1349476460.104:739): avc:  denied  { read } for 
>>> pid=10090 comm="groupadd" name="run" dev="loop0" ino=1094 
>>> scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 
>>> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
>>> 
>>> 
>>> type=SYSCALL msg=audit(1349476460.104:739): arch=x86_64 syscall=connect
>>>  success=no exit=ENOENT a0=4 a1=7fffac61a650 a2=6e a3=400 items=0
>>> ppid=10088 pid=10090 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=pts2 ses=1 comm=groupadd exe=/usr/sbin/groupadd 
>>> subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
>>> 
>>> Happens each time a package being installed into the live image
>>> environment tries to create a user or group.
>>> 
>> 
>> We have identified this as a livecd app problem. livecd has to tell rpm
>> to not do SELinux stuff.  We had the same problem with mock.  Basically
>> we want rpm to not transition to other domains when running in livecd,
>> which will prevent livecd_t -> rpm_script_t -> useradd_t ...
> 
> Best let Brian know, then. CCing.
> 
I updated the bugzilla, but I have no problem working with Brian to fix the
problem.
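Added example, not part of the original thread: a small Python parser that pairs each AVC record quoted above with its SYSCALL record by audit event ID and reports the source domain, target type, object class and permission. The function names are hypothetical, and the sample input is the thread's own records unwrapped to one per line.

```python
import re
from collections import defaultdict

# Constructed input: the thread's four audit records, unwrapped to one per line.
SAMPLE = '''type=AVC msg=audit(1349476458.298:737): avc:  denied  { read } for pid=10030 comm="useradd" name="run" dev="loop0" ino=1094 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1349476458.298:737): arch=x86_64 syscall=connect success=no exit=ENOENT a0=5 a1=7fff5acdbc10 a2=6e a3=100 items=0 ppid=10025 pid=10030 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1349476460.104:739): avc:  denied  { read } for pid=10090 comm="groupadd" name="run" dev="loop0" ino=1094 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1349476460.104:739): arch=x86_64 syscall=connect success=no exit=ENOENT a0=4 a1=7fffac61a650 a2=6e a3=400 items=0 ppid=10088 pid=10090 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=groupadd exe=/usr/sbin/groupadd subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
'''

EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")   # timestamp:serial
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")   # permissions inside { }
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="value"

def parse_record(line):
    """Return one audit record as a dict, or None if it has no event ID."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["event"] = m.group(1)
    perms = PERM_RE.search(line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec

def summarize(text):
    """Pair AVC and SYSCALL records sharing an event ID; one row per denial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event"]][rec["type"]] = rec  # keeps the last record of each type
    rows = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "perms" not in avc:
            continue
        rows.append({
            "event": event_id,
            "source_type": avc["scontext"].split(":")[2],  # user:role:type:level
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "perms": avc["perms"],
            "name": avc.get("name"), "dev": avc.get("dev"),
            "exe": sc.get("exe"), "syscall": sc.get("syscall"), "exit": sc.get("exit"),
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On the sample, both rows show a confined domain (useradd_t, then groupadd_t) denied read on the var_t-labelled symlink "run" on dev loop0 during a failed connect.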

