Please see https://bugzilla.redhat.com/show_bug.cgi?id=990910 This is a pretty serious problem -- people need to be able to install packages via cloud-init.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlKcoxIACgkQrlYvE4MpobNvrwCfR+z5aZWtD9wHrUU+lUK4jh6J 9M0An3iczTCtceRNLLNOdoV7LDaOSBvm =seRL -----END PGP SIGNATURE-----

> I just built selinux-policy-3.12.1-106.fc20 which should fix this issue in > F20, could you try it out and make sure it works for you? Thanks -- building a new image to test it out now.

On Mon, 2013-12-02 at 10:11 -0500, Daniel J Walsh wrote: > On 11/27/2013 05:05 PM, Matthew Miller wrote: >> Please see https://bugzilla.redhat.com/show_bug.cgi?id=990910 >> >> This is a pretty serious problem -- people need to be able to install >> packages via cloud-init. >> >> > I just built selinux-policy-3.12.1-106.fc20 which should fix this issue > in F20, could you try it out and make sure it works for you? -- i do not see how: + rpm_transition_script(cloud_init_t) fixes this issue: avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process yum is labeled rpm_exec_t: -rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum there is a rule that makes processes with the cloud_init_t type transition from cloud_init_t to rpm_t on rpm_exec_t: rpm_domtrans(cloud_init_t) so if that rule was applied at the point of the test than this event shouldnt have occurred ... unless i am missing something -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlKc4oYACgkQrlYvE4MpobPV1QCfefFek/N6GkuJ0Qd1pNSOjHI7 N+0AnjKCMBKZoszKZ6beNbK0wXhZCx0d =8YuC -----END PGP SIGNATURE-----

On Mon, 2013-12-02 at 14:41 -0500, Daniel J Walsh wrote: >> avc: denied { transition } for pid=583 comm="yum" >> path="/usr/bin/bash" dev="xvda1" ino=4597 >> scontext=system_u:system_r:cloud_init_t:s0 >> tcontext=system_u:system_r:rpm_script_t:s0 tclass=process >> >> > We already added a rpm_domtrans(cloud_init_t) rule. My understanding was > they were still getting the transition rule, which was causing problems. > I was thinking that the tool had sucked in rpm/yum rules rather then > executing a separate binary. I see your point but if that is the case then why is "yum" in comm=? The way i see it, yum command was executed, and so the transition should have taken place. That is assuming that the transition rule was in place when the test was done. Maybe the avc denial above was't accurate for the latest issue I am just saying that with the info i have at my disposal, things do not add up. -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlKdBSoACgkQrlYvE4MpobPFJwCdGr+tmdylRoYgP/eodUlnqtLZ 3V8AoJ7e0iw40RyJ7Mda6gWZfZgtO/ZN =Uoen -----END PGP SIGNATURE-----