SELinux upgrade issue

Moray Henderson (ICT) Moray.Henderson at ict.om.org
Wed Sep 2 17:15:42 UTC 2009


Some further notes on installing/upgrading selinux policy through kickstart.

By monitoring the install/upgrade log and Alt-F4 screens, I see the following sequence during a fresh install:

...
Installing selinux-policy
Installing selinux-policy-targeted
<7>security:  3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security:  61 classes, 69080 rules
<3>security:  invalidating context system_u:object_r:defang_spool_t:s0
Installing sls-selinux-policy
<7>security:  3 users, 6 roles , 1915 types, 234 bools, 1 sens, 1024 cats
<7>security:  61 classes, 69128 rules
...
remaining packages are installed

The second pair of security lines on Alt-F4 come up immediately after my policy module is loaded, and show the new rules and type.

During an upgrade, the sequence is different:

...
Upgrading selinux-policy
Upgrading selinux-policy-targeted
<7>security:  3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security:  61 classes, 69080 rules
<3>security:  invalidating context system_u:object:r:defang_spool_t:s0
<4>inode_doinit_with_dentry:  context_to_sid(system_u:object_r:defang_spool_t:s0) returned 22 for dev=dm-4 ino=49189
Upgrading sls-selinux-policy
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/targeted/modules/tmp.
/usr/sbin/semodule: Failed on /usr/share/selinux/targeted/sls.pp!
...
59 remaining packages are upgraded
...
warning: /etc/selinux/targeted/policy/policy.18 saved as /etc/selinux/targeded/policy/policy.18.rpmsave
<7>security:  3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules

There is a long pause after the "invalidating context defang_spool_t" line, then the "inode_doinit_with_dentry" line comes up on Alt-F4 just before "Upgrading sls-selinux-policy" is added to /root/upgrade.log.  The "policy.18.rpmsave" and second pair of "<7>security" lines come up as the upgrade transaction is finishing.

I have tried:
 Putting "sleep 20" in the %pre script of sls-selinux-policy
 Removing /etc/selinux/targeted/policy/policy.18 before the upgrade
 Removing /etc/selinux entirely before the upgrade
 Uninstalling the selinux rpms before the upgrade (_really_ bad idea!)

None of those helped.  I have made the problem go away by loading sls.pp and running fixfiles in a firstboot script after the upgrade.  Still, it would be good to know why it broke during upgrade.


Moray.
"To err is human.  To purr, feline"
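An added check, not part of the original post, that a firstboot script could run over a saved copy of the upgrade log and the kernel "security:" messages to tell whether the custom module actually went in before re-loading sls.pp and running fixfiles; the sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): inspects a saved kickstart
# upgrade log plus the kernel "<7>security:" lines for the failure pattern
# above, so a firstboot script can decide whether sls.pp still needs loading.
# The excerpt in sample_log is constructed from the lines in the post.

# Print the "types" count of every kernel policy-load line, in order.
security_type_counts() {
    grep -o '[0-9][0-9]* types' "$1" | awk '{ print $1 }'
}

# Return 0 when the custom module load looks healthy: no semodule/libsemanage
# failure, and the last policy load reports more types than the first
# (the module adds its own types: 1914 -> 1915 in the successful install).
check_policy_load() {
    if grep -q -e 'semanage_make_sandbox' -e 'semodule: Failed' "$1"; then
        echo "semodule failed; custom policy not loaded"
        return 1
    fi
    first=$(security_type_counts "$1" | head -n 1)
    last=$(security_type_counts "$1" | tail -n 1)
    if [ -z "$first" ] || [ "$last" -le "$first" ]; then
        echo "no policy reload with additional types observed"
        return 1
    fi
    echo "custom policy loaded: $first -> $last types"
}

# Constructed sample: the failing upgrade sequence from the post.
sample_log() {
    cat <<'EOF'
Upgrading selinux-policy-targeted
<7>security:  3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
Upgrading sls-selinux-policy
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/targeted/modules/tmp.
/usr/sbin/semodule: Failed on /usr/share/selinux/targeted/sls.pp!
<7>security:  3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
EOF
}

# Usage from a firstboot script (log path is an assumption):
#   sample_log > /tmp/upgrade-check.log
#   check_policy_load /tmp/upgrade-check.log || echo "reload sls.pp, run fixfiles"
```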

