Re: selinux issue with containers
On 05/28/2014 05:26 PM, Zbigniew Jędrzejewski-Szmek wrote:
> On Wed, May 28, 2014 at 01:52:23PM -0400, Daniel J Walsh wrote:
> > On 05/28/2014 01:40 PM, Richard W.M. Jones wrote:
> > > On Wed, May 28, 2014 at 06:32:04PM +0200, Zbigniew Jędrzejewski-Szmek wrote:
> > > > On Wed, May 28, 2014 at 10:41:45AM -0400, Daniel J Walsh wrote:
> > > > > Yum -y update your entire computer and yum reinstall selinux-policy-targeted
> > > > > Should fix the problem.
> > > > Nope. No effect afaict. Any pointers how to debug this?
> > > Does it list any AVCs if you run this command shortly after the failure?
> No. I only have some unrelated SERVICE_START/SERVICE_STOP messages from systemd-tmpfiles.
> > > # ausearch -ts recent -m avc
> no matches
> > rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-55.fc21.noarch
>
> I now tried with a new rawhide VM and I get identical results.
> > This looks like the old bug we had with a bad selinux policy update.
> Yes.
>
> Zbyszek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: selinux issue with containers
Yum -y update your entire computer and yum reinstall selinux-policy-targeted
Should fix the problem.

On 05/27/2014 09:12 PM, Zbigniew Jędrzejewski-Szmek wrote:
> Hi,
>
> installing Fedora in containers fails strangely (see below). It seems to be selinux related, since booting with selinux=0 allows the installation to continue. Strangely, just 'setenforce 0' does not work by itself. I feel like I'm missing something obvious here.
>
> The host is rawhide with selinux-policy-3.13.1-54.fc21.noarch.
>
> # yum -y --releasever=20 --nogpg --installroot=$c --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal sudo
> ..
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
> Installing : libgcc-4.9.0-5.fc21.x86_64 1/25
> Installing : fedora-release-rawhide-21-0.6.noarch 2/25
> Installing : fedora-release-21-0.6.noarch 3/25
> Installing : setup-2.9.0-1.fc21.noarch 4/25
> Installing : filesystem-3.2-24.fc21.x86_64 5/25
> Installing : basesystem-10.0-9.fc20.noarch 6/25
> Installing : ncurses-base-5.9-13.20140323.fc21.noarch 7/25
> Installing : tzdata-2014c-1.fc21.noarch 8/25
> Installing : nss-softokn-freebl-3.16.1-2.fc21.x86_64 9/25
> Installing : glibc-common-2.19.90-18.fc21.x86_64 10/25
> Installing : glibc-2.19.90-18.fc21.x86_64 11/25
> warning: %post(glibc-2.19.90-18.fc21.x86_64) scriptlet failed, exit status 127
> Non-fatal POSTIN scriptlet failure in rpm package glibc-2.19.90-18.fc21.x86_64
> Installing : libstdc++-4.9.0-5.fc21.x86_64 12/25
> warning: %post(libstdc++-4.9.0-5.fc21.x86_64) scriptlet failed, exit status 127
> Non-fatal POSTIN scriptlet failure in rpm package libstdc++-4.9.0-5.fc21.x86_64
> Installing : ncurses-libs-5.9-13.20140323.fc21.x86_64 13/25
> warning: %post(ncurses-libs-5.9-13.20140323.fc21.x86_64) scriptlet failed, exit status 127
> Non-fatal POSTIN scriptlet failure in rpm package ncurses-libs-5.9-13.20140323.fc21.x86_64
> Installing : bash-4.3.18-1.fc21.x86_64 14/25
> Installing : libsepol-2.3-1.fc21.x86_64 15/25
> warning: %post(libsepol-2.3-1.fc21.x86_64) scriptlet failed, exit status 127
> Non-fatal POSTIN scriptlet failure in rpm package libsepol-2.3-1.fc21.x86_64
> ..
> error: %pre(ca-certificates-2013.1.94-18.fc20.noarch) scriptlet failed, exit status 127
> Error in PREIN scriptlet in rpm package ca-certificates-2013.1.94-18.fc20.noarch...
>
> When I boot the host with selinux=0, things seem to work fine. Nothing useful in the logs as far as I can see. When I chroot into the container, it seems to work.
>
> Zbyszek
Re: selinux issue with containers
On Wed, May 28, 2014 at 10:41:45AM -0400, Daniel J Walsh wrote:
> Yum -y update your entire computer and yum reinstall selinux-policy-targeted
> Should fix the problem.
Nope. No effect afaict. Any pointers how to debug this?

Zbyszek
Re: selinux issue with containers
On Wed, May 28, 2014 at 06:32:04PM +0200, Zbigniew Jędrzejewski-Szmek wrote:
> On Wed, May 28, 2014 at 10:41:45AM -0400, Daniel J Walsh wrote:
> > Yum -y update your entire computer and yum reinstall selinux-policy-targeted
> > Should fix the problem.
> Nope. No effect afaict. Any pointers how to debug this?

Does it list any AVCs if you run this command shortly after the failure?

# ausearch -ts recent -m avc

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
Re: selinux issue with containers
On 05/28/2014 01:40 PM, Richard W.M. Jones wrote:
> On Wed, May 28, 2014 at 06:32:04PM +0200, Zbigniew Jędrzejewski-Szmek wrote:
> > On Wed, May 28, 2014 at 10:41:45AM -0400, Daniel J Walsh wrote:
> > > Yum -y update your entire computer and yum reinstall selinux-policy-targeted
> > > Should fix the problem.
> > Nope. No effect afaict. Any pointers how to debug this?
> Does it list any AVCs if you run this command shortly after the failure?
>
> # ausearch -ts recent -m avc
>
> Rich.

rpm -q selinux-policy-targeted

This looks like the old bug we had with a bad selinux policy update.
Re: selinux issue with containers
On Wed, May 28, 2014 at 01:52:23PM -0400, Daniel J Walsh wrote:
> On 05/28/2014 01:40 PM, Richard W.M. Jones wrote:
> > On Wed, May 28, 2014 at 06:32:04PM +0200, Zbigniew Jędrzejewski-Szmek wrote:
> > > On Wed, May 28, 2014 at 10:41:45AM -0400, Daniel J Walsh wrote:
> > > > Yum -y update your entire computer and yum reinstall selinux-policy-targeted
> > > > Should fix the problem.
> > > Nope. No effect afaict. Any pointers how to debug this?
> > Does it list any AVCs if you run this command shortly after the failure?
No. I only have some unrelated SERVICE_START/SERVICE_STOP messages from systemd-tmpfiles.
> > # ausearch -ts recent -m avc
no matches
> rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-55.fc21.noarch

I now tried with a new rawhide VM and I get identical results.
> This looks like the old bug we had with a bad selinux policy update.
Yes.

Zbyszek
selinux issue with containers
Hi,

installing Fedora in containers fails strangely (see below). It seems to be selinux related, since booting with selinux=0 allows the installation to continue. Strangely, just 'setenforce 0' does not work by itself. I feel like I'm missing something obvious here.

The host is rawhide with selinux-policy-3.13.1-54.fc21.noarch.

# yum -y --releasever=20 --nogpg --installroot=$c --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal sudo
...
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libgcc-4.9.0-5.fc21.x86_64 1/25
Installing : fedora-release-rawhide-21-0.6.noarch 2/25
Installing : fedora-release-21-0.6.noarch 3/25
Installing : setup-2.9.0-1.fc21.noarch 4/25
Installing : filesystem-3.2-24.fc21.x86_64 5/25
Installing : basesystem-10.0-9.fc20.noarch 6/25
Installing : ncurses-base-5.9-13.20140323.fc21.noarch 7/25
Installing : tzdata-2014c-1.fc21.noarch 8/25
Installing : nss-softokn-freebl-3.16.1-2.fc21.x86_64 9/25
Installing : glibc-common-2.19.90-18.fc21.x86_64 10/25
Installing : glibc-2.19.90-18.fc21.x86_64 11/25
warning: %post(glibc-2.19.90-18.fc21.x86_64) scriptlet failed, exit status 127
Non-fatal POSTIN scriptlet failure in rpm package glibc-2.19.90-18.fc21.x86_64
Installing : libstdc++-4.9.0-5.fc21.x86_64 12/25
warning: %post(libstdc++-4.9.0-5.fc21.x86_64) scriptlet failed, exit status 127
Non-fatal POSTIN scriptlet failure in rpm package libstdc++-4.9.0-5.fc21.x86_64
Installing : ncurses-libs-5.9-13.20140323.fc21.x86_64 13/25
warning: %post(ncurses-libs-5.9-13.20140323.fc21.x86_64) scriptlet failed, exit status 127
Non-fatal POSTIN scriptlet failure in rpm package ncurses-libs-5.9-13.20140323.fc21.x86_64
Installing : bash-4.3.18-1.fc21.x86_64 14/25
Installing : libsepol-2.3-1.fc21.x86_64 15/25
warning: %post(libsepol-2.3-1.fc21.x86_64) scriptlet failed, exit status 127
Non-fatal POSTIN scriptlet failure in rpm package libsepol-2.3-1.fc21.x86_64
...
error: %pre(ca-certificates-2013.1.94-18.fc20.noarch) scriptlet failed, exit status 127
Error in PREIN scriptlet in rpm package ca-certificates-2013.1.94-18.fc20.noarch...

When I boot the host with selinux=0, things seem to work fine. Nothing useful in the logs as far as I can see. When I chroot into the container, it seems to work.

Zbyszek
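
A filter for the yum transcript in the original post, added here as an example (it is not from the thread or from any Fedora tool): it lists each failed scriptlet with its severity, phase and exit status, so the one fatal %pre failure stands out from the non-fatal %post ones. The function names are hypothetical, and the sample lines are copied from the output quoted in the post.

```shell
#!/bin/sh
# Added example: summarise RPM scriptlet failures in a yum transcript (stdin).

# Sample input: a few lines copied from the transcript in the original post.
sample_transcript() {
    cat <<'EOF'
Installing : glibc-2.19.90-18.fc21.x86_64 11/25
warning: %post(glibc-2.19.90-18.fc21.x86_64) scriptlet failed, exit status 127
Non-fatal POSTIN scriptlet failure in rpm package glibc-2.19.90-18.fc21.x86_64
warning: %post(libstdc++-4.9.0-5.fc21.x86_64) scriptlet failed, exit status 127
warning: %post(ncurses-libs-5.9-13.20140323.fc21.x86_64) scriptlet failed, exit status 127
Installing : bash-4.3.18-1.fc21.x86_64 14/25
warning: %post(libsepol-2.3-1.fc21.x86_64) scriptlet failed, exit status 127
error: %pre(ca-certificates-2013.1.94-18.fc20.noarch) scriptlet failed, exit status 127
Error in PREIN scriptlet in rpm package ca-certificates-2013.1.94-18.fc20.noarch
EOF
}

# Print one line per failure: "<severity> <phase> <exit-status> <package>".
scriptlet_failures() {
    awk '
        # Matches both forms seen in the transcript:
        #   warning: %post(PKG) scriptlet failed, exit status N   (non-fatal)
        #   error: %pre(PKG) scriptlet failed, exit status N      (fatal)
        /^(warning|error): %[a-z]+\(.*\) scriptlet failed, exit status [0-9]+/ {
            sev = $1;   sub(/:$/, "", sev)
            phase = $2; sub(/\(.*/, "", phase); sub(/^%/, "", phase)
            pkg = $2;   sub(/^[^(]*\(/, "", pkg); sub(/\)$/, "", pkg)
            print sev, phase, $NF, pkg
        }'
}

# Count failures grouped by severity, phase and exit status.
failure_summary() {
    scriptlet_failures |
        awk '{ n[$1 " " $2 " " $3]++ } END { for (k in n) print n[k], k }' |
        sort
}

# Packages whose scriptlet failure was reported at error level.
fatal_packages() {
    scriptlet_failures | awk '$1 == "error" { print $4 }'
}

sample_transcript | failure_summary
```
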