[Spacewalk-list] Kickstart configuration file deployment SELinux issue
Matt Carey
cvstealth2000 at yahoo.com
Mon Jul 19 18:29:35 UTC 2010
While trying to deploy configuration files in a given channel via activation
keys in a kickstart profile that has SELinux in either Permissive or Enforcing
mode, the config deployment task is showing as failed. If SELinux is set to
Disabled in the kickstart profile and the SELinux context is wiped from the
given file in the configuration channel, then it gets deployed with no issues.
In the simple example below I have /etc/httpd/conf/httpd.conf with the context
system_u:object_r:httpd_config_t being pushed in a Web Servers profile that has
SELinux set to Permissive. I'm wondering whether, at the point that it is doing
the config deployment task, which is pre system reboot, the SELinux context
exists on the files within the install chroot or whether the contexts get
initialized post-reboot by maybe restorecond. If anyone has some insight into
this issue it would be greatly appreciated.
(selinux --permissive)
History:
Deploy config files to system scheduled by userX 07/19/10 1:47:39 PM EDT
Package Install scheduled by (none) 07/19/10 1:47:39 PM EDT
Schedule a package sync for kickstarts scheduled by userX 07/19/10 1:47:31 PM
EDT
(n/a) Subscription via Token 07/19/10 1:47:29 PM EDT
(n/a) subscribed to channel centos5-i386-rhntools 07/19/10 1:47:28 PM EDT
(n/a) subscribed to channel centos5-i386-base 07/19/10 1:47:28 PM EDT
(n/a) unsubscribed from channel centos5-i386-base 07/19/10 1:47:28 PM EDT
(n/a) unsubscribed from channel centos5-i386-rhntools 07/19/10 1:47:28 PM EDT
Deploy config files to system task detail:
This action will be executed after 07/19/10 1:47:39 PM EDT.
This action's status is: Failed.
The client picked up this action on 07/19/10 1:47:39 PM EDT.
The client completed this action on 07/19/10 1:47:40 PM EDT.
Client execution returned "Failed deployment, rolled back: failed to set selinux
context on /etc/httpd/conf/httpd.conf" (code 49)
Config Files:/etc/httpd/conf/httpd.conf (rev. 6)
/etc/sys_info (rev. 1)
/root/.ssh (rev. 1)
/root/.ssh/authorized_keys (rev. 1)
# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1279561728.944:281): auditd start, ver=1.7.13
format=raw kernel=2.6.18-164.el5 auid=4294967295 pid=2398
subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1279561729.052:3): audit_enabled=1 old=0 by
auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1279561729.075:4): audit_backlog_limit=320 old=64
by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=USER_START msg=audit(1279561741.968:5): user pid=3014 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: session open acct="nocpulse" :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=console res=success)'
type=CRED_ACQ msg=audit(1279561741.969:6): user pid=3014 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct="nocpulse" :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=console res=success)'
type=CRED_DISP msg=audit(1279561742.130:7): user pid=3014 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct="nocpulse" :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=console res=success)'
type=USER_END msg=audit(1279561742.130:8): user pid=3014 uid=0 auid=4294967295
subj=system_u:system_r:initrc_t:s0 msg='PAM: session cl acct="nocpulse" :
exe="/sbin/runuser" (hostname=?, addr=?, terminal=console res=success)'
type=USER_ACCT msg=audit(1279561801.526:9): user pid=3115 uid=0 auid=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1279561801.527:10): user pid=3115 uid=0 auid=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1279561801.527:11): login pid=3115 uid=0 old
auid=4294967295 new auid=0 old ses=4294967295 new ses=1
type=USER_START msg=audit(1279561801.531:12): user pid=3115 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root"
: exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1279561801.554:13): user pid=3115 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1279561801.554:14): user pid=3115 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session cl acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_AUTH msg=audit(1279561829.203:15): user pid=3055 uid=0 auid=4294967295
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication
acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1279561829.203:16): user pid=3055 uid=0 auid=4294967295
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting
acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1279561829.208:17): login pid=3055 uid=0 old
auid=4294967295 new auid=0 old ses=4294967295 new ses=2
type=USER_ROLE_CHANGE msg=audit(1279561829.255:18): user pid=3055 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam:
default-context=root:system_r:unconfined_t:s0-s0:c0.c1023
selected-context=root:system_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login"
(hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_START msg=audit(1279561829.255:19): user pid=3055 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open
acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=CRED_ACQ msg=audit(1279561829.255:20): user pid=3055 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred
acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1279561829.256:21): user pid=3055 uid=0 auid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=0
exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1279562124.146:22): user pid=3174 uid=0
auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='acct="root": exe="/usr/sbin/sshd" (hostname=?, addr=10.100.0.40,
terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1279562125.551:23): user pid=3174 uid=0 auid=4294967295
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication
acct="root" : exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com,
addr=10.100.0.40, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1279562125.579:24): user pid=3174 uid=0 auid=4294967295
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: accounting
acct="root" : exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com,
addr=10.100.0.40, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1279562125.656:25): user pid=3174 uid=0 auid=4294967295
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root"
: exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40,
terminal=ssh res=success)'
type=LOGIN msg=audit(1279562125.657:26): login pid=3174 uid=0 old
auid=4294967295 new auid=0 old ses=4294967295 new ses=3
type=USER_START msg=audit(1279562125.685:27): user pid=3174 uid=0 auid=0
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session open
acct="root" : exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com,
addr=10.100.0.40, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1279562125.716:28): user pid=3176 uid=0 auid=0
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='uid=0:
exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40,
terminal=/dev/pts/0 res=success)'
type=CRED_REFR msg=audit(1279562125.745:29): user pid=3176 uid=0 auid=0
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root"
: exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40,
terminal=ssh res=success)'
Click the Reschedule button on the failed task:
This action will be executed after 07/19/10 1:47:39 PM EDT.
This action's status is: Completed.
The client picked up this action on 07/19/10 1:56:02 PM EDT.
The client completed this action on 07/19/10 1:56:02 PM EDT.
Client execution returned "Files successfully deployed" (code 0)
Config Files:/etc/httpd/conf/httpd.conf (rev. 6)
/etc/sys_info (rev. 1)
/root/.ssh (rev. 1)
/root/.ssh/authorized_keys (rev. 1)
(selinux --disabled)
History:
Schedule a config deploy for activation key scheduled by (none) 07/19/10
2:18:09 PM EDT
Deploy config files to system scheduled by (none) 07/19/10 2:18:09 PM EDT
Deploy config files to system scheduled by userX 07/19/10 2:18:09 PM EDT
Package Install scheduled by (none) 07/19/10 2:18:08 PM EDT
Schedule a package sync for kickstarts scheduled by userX 07/19/10 2:18:00 PM
EDT
(n/a) Subscription via Token 07/19/10 2:17:58 PM EDT
(n/a) subscribed to channel centos5-i386-rhntools 07/19/10 2:17:58 PM EDT
(n/a) subscribed to channel centos5-i386-base 07/19/10 2:17:58 PM EDT
(n/a) unsubscribed from channel centos5-i386-base 07/19/10 2:17:58 PM EDT
(n/a) unsubscribed from channel centos5-i386-rhntools 07/19/10 2:17:58 PM EDT
Deploy config files to system task detail:
This action will be executed after 07/19/10 2:18:00 PM EDT.
This action's status is: Completed.
The client picked up this action on 07/19/10 2:18:09 PM EDT.
The client completed this action on 07/19/10 2:18:09 PM EDT.
Client execution returned "Files successfully deployed" (code 0)
Config Files:/etc/httpd/conf/httpd.conf (rev. 7)
/etc/sys_info (rev. 1)
/root/.ssh (rev. 1)
/root/.ssh/authorized_keys (rev. 1)
Note: The difference in rev 6 vs rev 7 of httpd.conf was that the SELinux
context was removed within Spacewalk.
--Matt
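
An added example, not part of the original post: one way to triage an audit.log excerpt like the one above for SELinux records when a "failed to set selinux context" error is reported. It rejoins records that the list archive wrapped across lines, counts record types, and reports AVC/USER_AVC/SELINUX_ERR records and any res=failed events; the function names are illustrative and the sample records are copied from the excerpt in this post.

```python
import re
from collections import Counter

# Records copied from the audit.log excerpt in this post, still wrapped the
# way the list archive wrapped them (a record runs until the next "type=").
SAMPLE = """\
type=DAEMON_START msg=audit(1279561728.944:281): auditd start, ver=1.7.13
format=raw kernel=2.6.18-164.el5 auid=4294967295 pid=2398
subj=system_u:system_r:auditd_t:s0 res=success
type=USER_LOGIN msg=audit(1279562124.146:22): user pid=3174 uid=0
auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='acct="root": exe="/usr/sbin/sshd" (hostname=?, addr=10.100.0.40,
terminal=sshd res=failed)'
"""

# Audit record types that carry an SELinux denial or policy error.
SELINUX_TYPES = {"AVC", "USER_AVC", "SELINUX_ERR"}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")

def join_records(text):
    """Rejoin wrapped lines: a new record starts at each 'type=' header."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return (type counts, SELinux records, records with res=failed)."""
    counts, selinux, failed = Counter(), [], []
    for rec in join_records(text):
        m = HEADER.match(rec)
        if not m:
            continue  # leading fragment that has no record header
        rtype, serial = m.group(1), int(m.group(3))
        counts[rtype] += 1
        if rtype in SELINUX_TYPES:
            selinux.append((serial, rec))
        if re.search(r"\bres=failed\b", rec):
            failed.append((serial, rtype))
    return counts, selinux, failed

if __name__ == "__main__":
    counts, selinux, failed = triage(SAMPLE)
    print("record types:", dict(counts))
    print("SELinux records:", selinux or "none")
    print("failed events:", failed)
```

Run over the full excerpt in this post, the same check finds only PAM, login and auditd records and no AVC or SELINUX_ERR entries.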