
SELinux policy error introduced between versions selinux-policy-3.12.1-48.fc19 and selinux-policy-3.12.1-49.fc19 is causing Origin on F19 to fail



Hi Miroslav, Dan,

When running with a context of system_u:system_r:openshift_initrc_t:s0-s0:c0.c1023 (m-collective), the following command fails with selinux-policy-3.12.1-49.fc19 and newer packages:

useradd -u 500  -d /var/lib/openshift/1c3a5f7a92e111e188d800262df50034 -s /usr/bin/oo-trap-user  -c 'OpenShift guest'  -m  -k /etc/openshift/skel 1c3a5f7a92e111e188d800262df50034

The command works fine with selinux-policy-3.12.1-48.fc19.

The error printed is:
useradd: cannot create directory /var/lib/openshift/1c3a5f7a92e111e188d800262df50034

When running with setenforce 0, the following is in the audit logs:

type=AVC msg=audit(1371517748.907:10201): avc:  denied  { write } for  pid=19844 comm="useradd" name="openshift" dev="dm-1" ino=134282 scontext=system_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1371517748.907:10201): avc:  denied  { add_name } for  pid=19844 comm="useradd" name="1c3a5f7a92e111e188d800262df50034" scontext=system_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1371517748.907:10201): avc:  denied  { create } for  pid=19844 comm="useradd" name="1c3a5f7a92e111e188d800262df50034" scontext=system_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1371517748.907:10201): arch=c000003e syscall=83 success=yes exit=0 a0=7fffb7c1a67f a1=0 a2=7f6d2f5fc798 a3=5f7261765f746669 items=0 ppid=30484 pid=19844 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=220 tty=pts3 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1371517748.907:10202): avc:  denied  { setattr } for  pid=19844 comm="useradd" name="1c3a5f7a92e111e188d800262df50034" dev="dm-1" ino=135674 scontext=system_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir

I have temporarily had to revert to selinux-policy-3.12.1-48.fc19 to get things working. Please let me know when an updated package is available.

For others encountering this issue, running the following will fix it:

yum downgrade http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/48.fc19/noarch/selinux-policy-3.12.1-48.fc19.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/48.fc19/noarch/selinux-policy-devel-3.12.1-48.fc19.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/48.fc19/noarch/selinux-policy-doc-3.12.1-48.fc19.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/48.fc19/noarch/selinux-policy-targeted-3.12.1-48.fc19.noarch.rpm

Thanks
Krishna
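
The following is an added example, not part of the original message: a short Python script that groups the AVC denials quoted above by source type, target type and object class, to show in one line which type-enforcement permissions useradd_t is missing on openshift_var_lib_t. The function names are this example's own, and the rendered `allow` line is a triage summary of the log, not the policy fix that was shipped.

```python
import re
from collections import defaultdict

# AVC and SYSCALL records copied from the audit log quoted in the message above.
AUDIT_LOG = r'''
type=AVC msg=audit(1371517748.907:10201): avc:  denied  { write } for  pid=19844 comm="useradd" name="openshift" dev="dm-1" ino=134282 scontext=system_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1371517748.907:10201): avc:  denied  { add_name } for  pid=19844 comm="useradd" name="1c3a5f7a92e111e188d800262df50034" scontext=system_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1371517748.907:10201): avc:  denied  { create } for  pid=19844 comm="useradd" name="1c3a5f7a92e111e188d800262df50034" scontext=system_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1371517748.907:10201): arch=c000003e syscall=83 success=yes exit=0 a0=7fffb7c1a67f a1=0 a2=7f6d2f5fc798 a3=5f7261765f746669 items=0 ppid=30484 pid=19844 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=220 tty=pts3 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1371517748.907:10202): avc:  denied  { setattr } for  pid=19844 comm="useradd" name="1c3a5f7a92e111e188d800262df50034" dev="dm-1" ino=135674 scontext=system_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context.

    The MLS level may itself contain colons (s0-s0:c0.c1023), so take the
    third field rather than splitting from the right.
    """
    return context.split(":")[2]


def denied_permissions(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no denial
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            grouped[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_te_rules(denials):
    """Render each group in type-enforcement 'allow' syntax for review."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
        for (s, t, c), perms in sorted(denials.items())
    ]


if __name__ == "__main__":
    print("\n".join(as_te_rules(denied_permissions(AUDIT_LOG))))
```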
