SELinux upgrade issue
Moray Henderson (ICT)
Moray.Henderson at ict.om.org
Wed Sep 2 17:15:42 UTC 2009
Some further notes on installing/upgrading selinux policy through kickstart.
By monitoring the install/upgrade log and Alt-F4 screens, I see the following sequence during a fresh install:
...
Installing selinux-policy
Installing selinux-policy-targeted
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
<3>security: invalidating context system_u:object_r:defang_spool_t:s0
Installing sls-selinux-policy
<7>security: 3 users, 6 roles , 1915 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69128 rules
...
remaining packages are installed
The second pair of security lines on Alt-F4 come up immediately after my policy module is loaded, and show the new rules and type.
During an upgrade, the sequence is different:
...
Upgrading selinux-policy
Upgrading selinux-policy-targeted
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
<3>security: invalidating context system_u:object:r:defang_spool_t:s0
<4>inode_doinit_with_dentry: context_to_sid(system_u:object_r:defang_spool_t:s0) returned 22 for dev=dm-4 ino=49189
Upgrading sls-selinux-policy
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/targeted/modules/tmp.
/usr/sbin/semodule: Failed on /usr/share/selinux/targeted/sls.pp!
...
59 remaining packages are upgraded
...
warning: /etc/selinux/targeted/policy/policy.18 saved as /etc/selinux/targeded/policy/policy.18.rpmsave
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
There is a long pause after the "invalidating context defang_spool_t" line, then the "inode_doinit_with_dentry" line comes up on Alt-F4 just before "Upgrading sls-selinux-policy" is added to /root/upgrade.log. The "policy.18.rpmsave" and second pair of "<7>security" lines come up as the upgrade transaction is finishing.
I have tried:
Putting "sleep 20" in the %pre script of sls-selinux-policy
Removing /etc/selinux/targeted/policy/policy.18 before the upgrade
Removing /etc/selinux entirely before the upgrade
Uninstalling the selinux rpms before the upgrade (_really_ bad idea!)
None of those helped. I have made the problem go away by loading sls.pp and running fixfiles in a firstboot script after the upgrade. Still, it would be good to know why it broke during upgrade.
Moray.
"To err is human. To purr, feline"
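As an added example (my code, not part of Moray's post or of any of the packages he mentions), here is a POSIX shell checker for a kickstart %post or firstboot script that reads an install/upgrade log of the kind quoted above and answers the question the post leaves open: did the custom module actually load? It flags the two failure signatures from the upgrade transcript (the libsemanage sandbox error and the semodule "Failed on" line) and, independently of those, compares the "<7>security: ... types" counter before and after the custom package line, since a successfully loaded module shows up as a rise in that count. The package name sls-selinux-policy and the two sample logs are assumptions reconstructed from the post; nothing here invokes semodule or fixfiles itself.

```shell
#!/bin/sh
# Added example, not code from the original post. Diagnoses whether a custom
# SELinux policy module was loaded during a kickstart install/upgrade by
# inspecting the log. Assumes (my assumption) a plain-text log that mixes the
# anaconda "Installing/Upgrading <pkg>" lines with the kernel "<7>security:"
# counters, as in the post's Alt-F4 transcript.

# types_around LOGFILE PKG
# Prints "<types before PKG line> <types after PKG line>" (0 if never seen).
types_around() {
    awk -v pkg="$2" '
        /^(Installing|Upgrading) / && $2 == pkg { seen = 1; next }
        /<7>security:.* types,/ {
            # Layout: <7>security: 3 users, 6 roles, 1914 types, ...
            # The number precedes the literal field "types,".
            for (i = 2; i <= NF; i++) if ($i == "types,") n = $(i - 1)
            if (seen) after = n; else before = n
        }
        END { printf "%s %s\n", before + 0, after + 0 }
    ' "$1"
}

# check_policy_log LOGFILE [PKG]
# Returns 0 if the module loaded cleanly, 1 (with a reason) otherwise.
check_policy_log() {
    log="$1"
    pkg="${2:-sls-selinux-policy}"

    # Failure signature 1 from the post: libsemanage could not build its sandbox.
    if grep -q 'semanage_make_sandbox: Could not copy files to sandbox' "$log"; then
        echo "FAIL: libsemanage could not build its module sandbox"
        return 1
    fi
    # Failure signature 2 from the post: semodule gave up on the .pp file.
    if grep -q 'semodule: Failed on ' "$log"; then
        echo "FAIL: $(grep 'semodule: Failed on ' "$log" | head -n 1)"
        return 1
    fi

    # No explicit error: fall back to the type counter, which must rise once
    # the module's own types are in the loaded policy.
    set -- $(types_around "$log" "$pkg")
    before="$1"
    after="$2"
    if [ "$after" -gt "$before" ]; then
        echo "OK: type count rose from $before to $after after $pkg"
        return 0
    fi
    echo "FAIL: type count did not rise after $pkg ($before -> $after); module not loaded"
    return 1
}

# Constructed sample logs (my reconstruction of the post's two transcripts).
sample_install_log() {
    cat <<'EOF'
Installing selinux-policy
Installing selinux-policy-targeted
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
Installing sls-selinux-policy
<7>security: 3 users, 6 roles , 1915 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69128 rules
EOF
}

sample_upgrade_log() {
    cat <<'EOF'
Upgrading selinux-policy
Upgrading selinux-policy-targeted
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
Upgrading sls-selinux-policy
libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/targeted/modules/tmp.
/usr/sbin/semodule: Failed on /usr/share/selinux/targeted/sls.pp!
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
EOF
}

# Stand-alone run: diagnose both constructed logs.
for sample in sample_install_log sample_upgrade_log; do
    tmp=$(mktemp)
    "$sample" > "$tmp"
    echo "== $sample"
    check_policy_log "$tmp" || true
    rm -f "$tmp"
done
```

In a real %post or firstboot script the file argument would be /root/upgrade.log (or /root/install.log) and a non-zero return is the cue to reload the module and run fixfiles, which is the workaround the post describes; the type-counter check catches the case where semodule prints nothing but the policy that ends up loaded is still the stock one.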
More information about the Kickstart-list mailing list