On 10/09/2012 12:46 PM, Adam Williamson wrote:
> On Sat, 2012-10-06 at 06:45 -0400, Daniel J Walsh wrote:
>> On 10/04/2012 10:12 PM, Adam Williamson wrote:
>>> On Thu, 2012-10-04 at 16:32 -0400, John.Florian(a)dart.biz wrote:
>>>
>>>> I believe I've already found the problem. On the host running
>>>> livecd-creator, I'm seeing AVCs like:
>>>
>>> Yeah, it's selinux. I've just been running setenforce Permissive when I
>>> want to build live images. That used to be how it was for years
>>> anyhow, it only started working in Enforcing mode a couple of releases
>>> back, so I didn't figure it was a major issue.
>>>
>> What AVC's are you seeing?
> SELinux is preventing /usr/sbin/useradd from read access on the lnk_file
> run.
> type=AVC msg=audit(1349476458.298:737): avc: denied { read } for
> pid=10030 comm="useradd" name="run" dev="loop0" ino=1094
> scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1349476458.298:737): arch=x86_64 syscall=connect
> success=no exit=ENOENT a0=5 a1=7fff5acdbc10 a2=6e a3=100 items=0 ppid=10025
> pid=10030 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts2 ses=1 comm=useradd exe=/usr/sbin/useradd
> subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
> ------------------------
> type=AVC msg=audit(1349476460.104:739): avc: denied { read } for
> pid=10090 comm="groupadd" name="run" dev="loop0" ino=1094
> scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1349476460.104:739): arch=x86_64 syscall=connect
> success=no exit=ENOENT a0=4 a1=7fffac61a650 a2=6e a3=400 items=0 ppid=10088
> pid=10090 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts2 ses=1 comm=groupadd exe=/usr/sbin/groupadd
> subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
> Happens each time a package being installed into the live image environment
> tries to create a user or group.
We have identified this as a livecd app problem. livecd has to tell rpm to not
do SELinux stuff. We had the same problem with mock. Basically we want rpm
to not transition to other domains when running in livecd, which will prevent
livecd_t -> rpm_script_t -> useradd_t ...