From: Petr Lautrbach <plautrba@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov
Subject: Re: [PATCH] libselinux: is_selinux_enabled(): drop no-policy-loaded test.
Date: Tue, 12 May 2015 16:27:03 +0200
Message-ID: <55520DB7.3080605@redhat.com>
In-Reply-To: <55520757.8080509@tycho.nsa.gov>


On 05/12/2015 03:59 PM, Stephen Smalley wrote:
> On 05/12/2015 09:51 AM, Petr Lautrbach wrote:
>> On 05/12/2015 02:56 PM, Stephen Smalley wrote:
>>> BTW, in trying to test these scenarios, I did a yum remove
>>> selinux-policy-targeted at one point and was surprised to find that I
>>> couldn't subsequently do a yum install selinux-policy-targeted.  It
>>> would always fail.  Ultimately I found that if I created an empty
>>> /etc/selinux/targeted/contexts/files/file_contexts file and then tried
>>> installing it, it would work.  So I guess rpm -i fails if there is no
>>> file_contexts file?  That doesn't seem right.
>>>
>>
>> That's correct. rpm does a verification of a transaction and one of the
>> steps is to check file labels. It uses selinux_file_context_path() to
>> get a file path and if it can't open this file, it fails as it can't
>> confirm whether contexts are ok or not. Empty file_contexts file means
>> that there's no conflict.
>>
>> If you want to skip this check, you can use:
>>
>> rpm -i --nocontexts ...
>> or
>> yum install --setopt=tsflags=nocontexts
>>
>> or just reboot and install selinux-policy-targeted with disabled SELinux.
> 
> But it seems wrong that it fails silently, with no indication to the
> user what went wrong or how to fix it.
> 
> # yum remove selinux-policy-targeted
> ...
> # yum install selinux-policy-targeted
> ...
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction (shutdown inhibited)
> selinux-policy-targeted-3.13.1-105.13.fc21.noarch was supposed to be
> installed but is not!
>   Verifying  : selinux-policy-targeted-3.13.1-105.13.fc21.noarch
>     1/1
>   Verifying  : selinux-policy-targeted-3.13.1-105.13.fc21.noarch
>     2/1
> 
> Failed:
>   selinux-policy-targeted.noarch 0:3.13.1-105.13.fc21
> 
> 
> Complete!
> 
> # yumdownloader selinux-policy-targeted
> # rpm -i selinux-policy-targeted-3.13.1-105.13.fc21.noarch.rpm
> # echo $?
> 1
> # rpm -q selinux-policy-targeted
> package selinux-policy-targeted is not installed
> 

I've filed a bug about it -
https://bugzilla.redhat.com/show_bug.cgi?id=1220822

Thanks,

Petr
-- 
Petr Lautrbach
SELinux Solutions
Red Hat

Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com.
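
Added example, not part of the original message and not rpm or libselinux code: a shell preflight check for the condition described in the thread, reporting whether the file_contexts file that the rpm label check opens is present before a policy package is installed. It assumes the usual libselinux layout /etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts and a default type of "targeted" when SELINUXTYPE is unset; the function names are hypothetical.

```shell
#!/bin/sh
# Preflight for the failure described in the thread: rpm's label check cannot
# open file_contexts, so installing the policy package fails without a message.
# Assumed layout: <root>/etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts

# Print the policy type configured under <root>; "targeted" if none is set
# (assumed default).
selinux_policy_type() {
    cfg="$1/etc/selinux/config"
    ptype=""
    if [ -r "$cfg" ]; then
        # Ignore commented-out lines; the last active SELINUXTYPE= line wins.
        ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    fi
    printf '%s\n' "${ptype:-targeted}"
}

# Return 0 if file_contexts can be opened, 1 if it is missing,
# 2 if it exists but is not readable by the current user.
check_file_contexts() {
    root=${1:-}
    fc="$root/etc/selinux/$(selinux_policy_type "$root")/contexts/files/file_contexts"
    if [ ! -e "$fc" ]; then
        echo "MISSING: $fc" >&2
        echo "  the label check cannot open it; restore the file or use --nocontexts" >&2
        return 1
    elif [ ! -r "$fc" ]; then
        echo "UNREADABLE: $fc" >&2
        return 2
    fi
    echo "OK: $fc"
    return 0
}

# Usage: check_file_contexts ""        (empty root = the running system)
#        check_file_contexts /mnt/img  (an offline root tree)
```
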

