Ticket #1095 (closed defect: fixed)
YUMng not working properly when SELINUX is enforcing
| Reported by: | solj | Owned by: | solj |
|---|---|---|---|
| Priority: | minor | Milestone: | Bcfg2 1.2.3 Release (Bugfix) |
| Component: | bcfg2-client | Version: | 1.0 |
| Keywords: | | Cc: | |
Description
Using the EPEL nginx from http://download.fedora.redhat.com/pub/epel/6/x86_64/nginx-0.8.54-1.el6.x86_64.rpm, Bcfg2 will not properly add the nginx user/group when it installs the package. The issue can be resolved by removing and installing (not reinstalling) the package via yum itself.
```
--- snip
Attempting to install packages
Installing nginx
Building updates object
up:Obs Init time: 0.070
up:simple updates time: 0.004
up:obs time: 0.002
up:condense time: 0.000
updates time: 0.134
Depsolve time: 0.378
Initial Yum buildTransaction() run said: resultcode: 2, msgs: [u'Success - deps resolved']
Downloading Packages
Check Package Signatures
Running Test Transaction
Running rpm_check_debug
Running Transaction
Installing: nginx-0.8.54-1.el6.x86_64
Installed: nginx-0.8.54-1.el6.x86_64
nginx-0.8.54-1.el6.x86_64: warning: user nginx does not exist - using root
warning: group nginx does not exist - using root
warning: user nginx does not exist - using root
warning: group nginx does not exist - using root
VerifyTransaction time: 0.065
Single Pass for Install Succeeded
rpmdb time: 0.000
Reverifying Failed Package nginx
Verifying package instances for nginx
Verifying: nginx
Installing directory /var/lib/php/session
Found a pre-existing directory at /var/lib/php/session
GID normalization failed for /var/lib/php/session. Does group nginx exist?
--- snip
```
So, it appears that https://github.com/Bcfg2/bcfg2/blob/master/src/lib/Client/Tools/YUMng.py#L874 doesn't do the same thing that yum install is doing.
Change History
comment:1 Changed 11 years ago by solj
- Owner changed from desai to solj
- Status changed from new to accepted
comment:2 Changed 11 years ago by solj
- Summary changed from YUMng %pre script not working properly to YUMng not working properly when SELINUX is enforcing
This is a more general SELinux problem:
```
[[email protected] bcfg2]# getenforce
Enforcing
[[email protected] bcfg2]# bcfg2 -vqI
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos-mirror.jchost.net
 * epel: fedora-epel.mirror.lstn.net
 * extras: centos.mirror.netriplex.com
 * updates: mirror-la.7x24web.net
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos-mirror.jchost.net
 * epel: fedora-epel.mirror.lstn.net
 * extras: centos.mirror.netriplex.com
 * updates: mirror-la.7x24web.net
Loaded tool drivers: Action Chkconfig POSIX VCS YUMng
Phase: initial
Correct entries:        0
Incorrect entries:      1
Total managed entries:  1
Unmanaged entries:      381
Install Package: mysql-server? (y/N): y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos-mirror.jchost.net
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirror.5ninesolutions.com
 * updates: mirror-la.7x24web.net
Attempting to install packages
Downloading Packages
Check Package Signatures
Running Test Transaction
Running rpm_check_debug
Running Transaction
Installing: perl-DBI-1.609-4.el6.x86_64
Installed: perl-DBI-1.609-4.el6.x86_64
Installing: perl-DBD-MySQL-4.013-3.el6.x86_64
Installed: perl-DBD-MySQL-4.013-3.el6.x86_64
Installing: mysql-5.1.61-1.el6_2.1.x86_64
Installed: mysql-5.1.61-1.el6_2.1.x86_64
Installing: mysql-server-5.1.61-1.el6_2.1.x86_64
Installed: mysql-server-5.1.61-1.el6_2.1.x86_64
Single Pass for Install Succeeded
The Following Bundles have been modified:
 test
Phase: final
Correct entries:        1
Incorrect entries:      0
Total managed entries:  1
Unmanaged entries:      384
[[email protected] bcfg2]# id mysql
id: mysql: No such user
[[email protected] bcfg2]# /etc/init.d/mysqld start
chown: invalid user: `mysql:mysql'
chown: invalid user: `mysql:mysql'
Initializing MySQL database:  chown: invalid user: `mysql'
chown: invalid user: `mysql'
chown: invalid user: `mysql'
Installing MySQL system tables...
120315 11:03:49 [ERROR] Fatal error: Can't change to run as user 'mysql' ;  Please check that the user exists!
120315 11:03:49 [ERROR] Aborting

120315 11:03:49 [Note] /usr/libexec/mysqld: Shutdown complete

Installation of system tables failed!  Examine the logs in
/var/lib/mysql for more information.

You can try to start the mysqld daemon with:
shell> /usr/libexec/mysqld --sk
[[email protected] bcfg2]# grep SELINUX_ERR /var/log/audit/audit.log
type=SELINUX_ERR msg=audit(1331827368.278:1580): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1331827368.288:1581): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
```
comment:3 Changed 11 years ago by solj
Ugly workaround:
```
[[email protected] ~]# cat mypol.te
module mypol 1.0;

require {
        type unconfined_t;
        type useradd_t;
        type groupadd_t;
        role unconfined_r;
}

#============= ROLES ==============
role unconfined_r types groupadd_t;
role unconfined_r types useradd_t;
[[email protected] ~]# make -f /usr/share/selinux/devel/Makefile
[[email protected] ~]# semodule -i mypol.pp
```
comment:4 Changed 11 years ago by https://www.google.com/accounts/o8/id?id=AItOawn0s7RDAZJqmy8qhaS8PFtgoke6VxxZKSI
Probably a more appropriate solution is to run:
(temporary solution)
```
# chcon -t rpm_exec_t /usr/sbin/bcfg2
```
OR
(saves to selinux policy so restorecond won't replace it)
```
# semanage fcontext -a -t rpm_exec_t /usr/sbin/bcfg2
# restorecon -v /usr/sbin/bcfg2
restorecon reset /usr/sbin/bcfg2 context system_u:object_r:bin_t:s0->system_u:object_r:rpm_exec_t:s0
```
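The audit lines in comment 2 are `security_compute_sid` rejections, not AVC denials: the kernel computed the context the scriptlet would transition into (`unconfined_r:groupadd_t`, `unconfined_r:useradd_t`) and refused it because that role/type pair is not valid in the loaded policy. Comment 3 fixes that by authorising the role for those types; comment 4 instead relabels the client so it enters the rpm domain the way `yum` itself does. The script below is an added example, not code from the ticket or from the Bcfg2 project: it picks those rejections out of audit.log lines, distinguishing them from ordinary AVC noise, checks whether the client binary still carries `bin_t`, and prints (or, with `APPLY=1`, runs) the persistent relabel from comment 4. The audit lines in `SAMPLE_AUDIT` are constructed from the ticket's output plus one unrelated denial; the path `/usr/sbin/bcfg2`, `semanage` and `restorecon` are taken from comment 4.

```shell
#!/bin/sh
# Added example (not Bcfg2 project code): recognise the SELinux failure mode
# from comment 2 in audit.log and print the persistent fix from comment 4.
# Assumptions: audit lines in the SELINUX_ERR format shown in the ticket, the
# client binary at /usr/sbin/bcfg2, semanage/restorecon present on the host.
# Nothing is changed on the system unless APPLY=1 is set.

# Constructed sample: the two events from the ticket plus an unrelated AVC
# denial that a correct filter must ignore.
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(1331827368.278:1580): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=AVC msg=audit(1331827400.123:1590): avc:  denied  { read } for  pid=2468 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1331827368.288:1581): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process'

# stdin: audit.log lines. stdout: "<role> <type>" for every process
# transition out of rpm_script_t that the kernel rejected because the
# resulting context is invalid (here: unconfined_r is not authorised for
# groupadd_t / useradd_t). AVC lines and other classes are ignored.
failed_rpm_script_transitions() {
    sed -n 's/.*security_compute_sid: invalid context [^:]*:\([^:]*\):\([^:]*\):[^ ]* for scontext=[^:]*:[^:]*:rpm_script_t:.* tclass=process.*/\1 \2/p'
}

# Third field of a security context is the type: bin_t in
# system_u:object_r:bin_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when the client binary's context is not rpm_exec_t, i.e. the
# client keeps the caller's domain and role instead of entering rpm_t.
bcfg2_needs_relabel() {
    [ "$(ctx_type "$1")" != rpm_exec_t ]
}

# Print, or with APPLY=1 run, the persistent relabel from comment 4.
relabel_bcfg2() {
    bin=${1:-/usr/sbin/bcfg2}
    if [ "${APPLY:-0}" = 1 ]; then
        semanage fcontext -a -t rpm_exec_t "$bin" && restorecon -v "$bin"
    else
        printf 'would run: semanage fcontext -a -t rpm_exec_t %s\n' "$bin"
        printf 'would run: restorecon -v %s\n' "$bin"
    fi
}

# Report against the constructed sample; exit 1 when rejections were found.
# On a real host feed /var/log/audit/audit.log instead of SAMPLE_AUDIT and
# read the binary's context with `stat -c %C /usr/sbin/bcfg2`.
selinux_report() {
    failures=$(printf '%s\n' "$SAMPLE_AUDIT" | failed_rpm_script_transitions)
    if [ -z "$failures" ]; then
        echo "no rejected rpm_script_t transitions found"
        return 0
    fi
    echo "rejected rpm_script_t transitions (role type):"
    printf '%s\n' "$failures"
    return 1
}

selinux_report || relabel_bcfg2 /usr/sbin/bcfg2
```

Run as-is it only prints the two rejected transitions and the two commands it would execute; `APPLY=1` is the switch that actually relabels. A host where `stat -c %C /usr/sbin/bcfg2` already reports `rpm_exec_t` makes `bcfg2_needs_relabel` return non-zero and needs neither workaround.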
comment:5 Changed 11 years ago by solj
- Milestone changed from Bcfg2 1.2.2 Release (Bugfix) to Bcfg2 1.2.3 Release (Bugfix)
Moving to 1.2.3
comment:6 Changed 11 years ago by https://www.google.com/accounts/o8/id?id=AItOawn0s7RDAZJqmy8qhaS8PFtgoke6VxxZKSI
According to the Bugzilla issue upstream https://bugzilla.redhat.com/show_bug.cgi?id=805742, the proper SELinux attributes have been incorporated into the selinux policy package in RHEL6.
%pre script from the spec file.