When I install mysql, mysql-init-scripts fails to install with SELinux. It stops when it's supposed to set security labels. Here are the errors I get:

Emerging (1 of 10) dev-db/mysql-init-scripts-1.2 to /
 * checking ebuild checksums ;-) ...                                    [ ok ]
 * checking auxfile checksums ;-) ...                                   [ ok ]
 * checking miscfile checksums ;-) ...                                  [ ok ]
>>> Unpacking source...
>>> Source unpacked.
>>> Compiling source in /var/tmp/portage/dev-db/mysql-init-scripts-1.2/work ...
>>> Source compiled.
>>> Test phase [not enabled]: dev-db/mysql-init-scripts-1.2
>>> Install mysql-init-scripts-1.2 into /var/tmp/portage/dev-db/mysql-init-scripts-1.2/image/ category dev-db
>>> Completed installing mysql-init-scripts-1.2 into /var/tmp/portage/dev-db/mysql-init-scripts-1.2/image/
 * checking 5 files for package collisions
>>> Merging dev-db/mysql-init-scripts-1.2 to /
>>> Setting SELinux security labels
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 has invalid context user_u:object_r:user_tmp_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32 has invalid context root:object_r:user_tmp_t
 *
 * ERROR: dev-db/mysql-init-scripts-1.2 failed.
 * Call stack:
 *   misc-functions.sh, line 609:  Called preinst_selinux_labels
 *   misc-functions.sh, line 517:  Called die
 * The specific snippet of code:
 *   ) || die "Failed to set SELinux security labels."
 * The die message:
 *   Failed to set SELinux security labels.
 *
 * If you need support, post the topmost build error, and the call stack if relevant.
 * The ebuild environment file is located at '/var/tmp/portage/dev-db/mysql-init-scripts-1.2/temp/environment'.
 *
!!! post preinst failed; exiting.
!!! FAILED preinst: 1
zsh: exit 1     emerge --resume

Does anybody know a solution to this annoying problem? Thanks for your help.

Reproducible: Always

Steps to Reproduce:
1. Emerge mysql under the SELinux profile
2. Notice that it fails when security labels are set for mysql-init-scripts
3.
output of emerge --info:

Portage 2.1.4.4 (selinux/2007.0/amd64, gcc-4.1.2, glibc-2.6.1-r0, 2.6.26 x86_64)
=================================================================
System uname: 2.6.26 x86_64 Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz
Timestamp of tree: Tue, 05 Aug 2008 16:30:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash:      3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:      2.4.4-r13
dev-python/pycrypto:  2.0.1-r6
dev-util/ccache:      2.4-r7
sys-apps/baselayout:  1.12.11.1
sys-apps/sandbox:     1.2.18.1-r2
sys-devel/autoconf:   2.13, 2.61-r2
sys-devel/automake:   1.7.9-r1, 1.9.6-r2, 1.10.1
sys-devel/binutils:   2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:    1.5.26
virtual/os-headers:   2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildsyspkg ccache distcc distlocks loadpolicy metadata-transfer parallel-fetch sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
LANG="fr_BE.UTF-8"
LC_ALL="fr_BE.UTF-8"
LINGUAS="fr"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/ecatmur /usr/portage/local/layman/zugaina /usr/portage/local/layman/x11 /usr/portage/local/layman/desktop-effects /usr/portage/local/layman/mozilla /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acpi aiglx alsa amd64 arts berkdb cli cracklib crypt cups dbus dri dvd dvdr fam fortran gdbm gif gpm gtk hal iconv ipv6 isdnlog java jpeg kde midi mmx mp3 mpeg mudflap ncurses nls nptl nptlonly nsplugin opengl openmp pam pcre perl png pppd python readline reflection samba selinux session spl sse sse2 ssl tcpd tetex unicode vorbis xcb xorg xosd zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="fr" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
If I remove the file /etc/selinux/targeted/contexts/files/file_contexts.homedirs, which doesn't belong to any package, mysql-init-scripts can be installed. It seems that with this file, no package can be installed!!!
Does hardened own /etc/selinux/targeted/contexts/files/file_contexts.homedirs ?
This is the intended behavior. The point is to require the policy to be in a good state; otherwise your system will break in other ways due to SELinux denials, since files will have incorrect labels. If you are getting invalid contexts from policies in portage, you should open a separate bug.
I am not convinced by your explanation. I haven't written the file "file_contexts.homedirs" myself. It must have been provided by a package. But if I run "equery -i belongs file_contexts.homedirs", it doesn't list any package. I suppose that it has been provided by an older version of a policy package and it seems it hasn't been removed by the upgrade. As a consequence, no packages can be installed anymore! I consider this a bug.
file_contexts.homedirs is generated from SELinux policy packages (*.pp), which are installed from sec-policy ebuilds. Portage not being able to install packages is a side effect of a policy problem. This bug is about portage installing packages, not a policy problem, therefore IMO it is an invalid bug. A policy ebuild that has a problem should be filed as a bug against that ebuild.
So how can the problem be solved? I can't imagine that portage not being able to install packages is a normal situation. And which policy does this file come from?
Created attachment 162380: file_context.homedirs

Here is the problematic file. Portage complains about lines 21 and 32. Do you see anything wrong there?
Created attachment 162381: homedir_template

It seems that the files homedir_template and file_contexts.homedirs have more or less the same content. Could that also explain the problem?
I have the same problem, but at lines 20 and 30.

Calculating dependencies ... done!
>>> Verifying ebuild Manifests...
>>> Emerging (1 of 1) sec-policy/selinux-dbus-20070928 to /
 * refpolicy-20070928.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...           [ ok ]
 * checking ebuild checksums ;-) ...                                    [ ok ]
 * checking auxfile checksums ;-) ...                                   [ ok ]
 * checking miscfile checksums ;-) ...                                  [ ok ]
 * checking refpolicy-20070928.tar.bz2 ;-) ...                          [ ok ]
>>> Unpacking source...
>>> Unpacking refpolicy-20070928.tar.bz2 to /var/tmp/portage/sec-policy/selinux-dbus-20070928/work
>>> Source unpacked.
>>> Compiling source in /var/tmp/portage/sec-policy/selinux-dbus-20070928/work/ ...
make: Entering directory `/var/tmp/portage/sec-policy/selinux-dbus-20070928/work/strict'
Compiling strict dbus module
/usr/bin/checkmodule:  loading policy configuration from tmp/dbus.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/dbus.mod
Creating strict dbus.pp policy package
rm tmp/dbus.mod tmp/dbus.mod.fc
make: Leaving directory `/var/tmp/portage/sec-policy/selinux-dbus-20070928/work/strict'
make: Entering directory `/var/tmp/portage/sec-policy/selinux-dbus-20070928/work/targeted'
Compiling targeted dbus module
/usr/bin/checkmodule:  loading policy configuration from tmp/dbus.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/dbus.mod
Creating targeted dbus.pp policy package
rm tmp/dbus.mod tmp/dbus.mod.fc
make: Leaving directory `/var/tmp/portage/sec-policy/selinux-dbus-20070928/work/targeted'
>>> Source compiled.
>>> Test phase [not enabled]: sec-policy/selinux-dbus-20070928
>>> Install selinux-dbus-20070928 into /var/tmp/portage/sec-policy/selinux-dbus-20070928/image/ category sec-policy
Installing strict dbus policy package
Installing targeted dbus policy package
>>> Completed installing selinux-dbus-20070928 into /var/tmp/portage/sec-policy/selinux-dbus-20070928/image/
 * checking 2 files for package collisions
>>> Merging sec-policy/selinux-dbus-20070928 to /
>>> Setting SELinux security labels
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 20 has invalid context user_u:object_r:user_tmp_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 30 has invalid context root:object_r:user_tmp_t
 *
 * ERROR: sec-policy/selinux-dbus-20070928 failed.
 * Call stack:
 *   misc-functions.sh, line 609:  Called preinst_selinux_labels
 *   misc-functions.sh, line 517:  Called die
 * The specific snippet of code:
 *   ) || die "Failed to set SELinux security labels."
 * The die message:
 *   Failed to set SELinux security labels.
 *
 * If you need support, post the topmost build error, and the call stack if relevant.
 * The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-dbus-20070928/temp/environment'.
 *
!!! post preinst failed; exiting.
!!! FAILED preinst: 1

Here are the open topics:
http://forums.gentoo.org/viewtopic-p-5152190.html#5152190
http://forums.gentoo.org/viewtopic-t-632663-highlight-.html

A temporary (possible?) solution is to comment out the problematic lines.
Chris, I ran into this today as well. My initial troubleshooting seems to indicate that something is wrong with the 'targeted' policy that is causing the issue. Specifically, it appears that user_tmp_t is not defined in the policy/policy.21 file for the targeted policy, only the strict policy.

grep'ing for "user_tmp_t" under /etc/selinux/targeted/ only matches on the contexts/files/file_contexts.homedirs and homedir_template files. When I switch to the strict policy, I get:

./contexts/files/file_contexts.homedirs:/tmp/gconfd-.* -d user_u:object_r:user_tmp_t
Binary file ./policy/policy.21 matches
Binary file ./modules/active/modules/sudo.pp matches
Binary file ./modules/active/base.pp matches
Binary file ./modules/active/policy.kern matches

For comparison, not sure if it helps, my Fedora box does get matches in both policy.21 and base.pp under /etc/selinux/targeted/.

It's not really a workaround, but I did encounter success after I switched to the strict policy and remerged selinux-base-policy (I may have had to comment the offending lines out to get it to go initially; they were regenerated afterwards anyway, so no big deal).
I have fixed this for me by removing:

/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)

from refpolicy/policy/modules/system/userdomain.fc

It looks like the file context is defined in userdomain but the rest of the stuff (roles etc.) is defined in the gnome module. But I am no expert (yet ;) in selinux.
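A check one can run by hand for the situation the two comments above describe (a file_contexts.homedirs entry naming a type, user_tmp_t, that the loaded targeted policy never defines), as an added example that is not part of this bug report and not code from refpolicy or Portage: a small Python script that parses a file_contexts-style spec file and reports every entry whose type is unknown to the policy. The sample spec and the two type lists below are constructed to mirror the thread (a 'targeted' type list without user_tmp_t, a 'strict' one that has it); the only part that touches a real system is the helper policy_types_from_seinfo, which assumes setools' seinfo is installed and reads the type list from `seinfo -t`.

```python
"""Find file_contexts entries whose SELinux type does not exist in the policy.

Added example, not code from the bug report. The spec text and the two type
sets below are constructed to mirror the thread; only policy_types_from_seinfo()
touches a real system, and it assumes setools' `seinfo` is installed.
"""
import re
import subprocess
from pathlib import Path

# Constructed file_contexts.homedirs fragment. The two gconfd entries are the
# kind of line Portage rejected in the thread (the line numbers differ here).
SAMPLE_HOMEDIRS = """\
#
# Home context for user user_u
#
/home/[^/]*/.+ -- user_u:object_r:user_home_t
/home/[^/]*/\\.gnupg(/.+)? user_u:object_r:user_gpg_secret_t
/tmp/gconfd-.* -d user_u:object_r:user_tmp_t
/home/[^/]* -d user_u:object_r:user_home_dir_t
#
# Home context for root
#
/root/.+ -- root:object_r:user_home_t
/tmp/gconfd-.* -d root:object_r:user_tmp_t
/root -d root:object_r:user_home_dir_t
"""

# Constructed type lists standing in for `seinfo -t` output on each policy:
# the targeted one lacks user_tmp_t, the strict one defines it.
TARGETED_TYPES = {"user_home_t", "user_home_dir_t", "user_gpg_secret_t"}
STRICT_TYPES = TARGETED_TYPES | {"user_tmp_t"}

# One spec line: <regex> [-b|-c|-d|-l|-p|-s|--] <context>; context may be <<none>>
SPEC_RE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[bcdlps-])\s+)?(?P<ctx>\S+)\s*$")


def parse_file_contexts(text):
    """Return (lineno, regex, file_type_flag, context) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse spec entry {raw!r}")
        entries.append((lineno, m["regex"], m["ftype"], m["ctx"]))
    return entries


def find_invalid_contexts(text, known_types):
    """List (lineno, context, reason) for entries whose type the policy lacks.

    Only the type field is checked here; setfiles/libselinux validate the whole
    user:role:type[:level] tuple, so this finds the thread's problem, not every one.
    """
    bad = []
    for lineno, _regex, _ftype, ctx in parse_file_contexts(text):
        if ctx == "<<none>>":  # explicit "do not relabel" marker, always valid
            continue
        fields = ctx.split(":")
        if len(fields) < 3:
            bad.append((lineno, ctx, "malformed context (need user:role:type[:level])"))
            continue
        if fields[2] not in known_types:
            bad.append((lineno, ctx, f"type {fields[2]} is not defined in the policy"))
    return bad


def policy_types_from_seinfo(policy_path=None):
    """Read the policy's type names via `seinfo -t` (setools, assumed installed).

    Without policy_path, seinfo inspects the currently loaded policy.
    """
    cmd = ["seinfo", "-t"] + ([policy_path] if policy_path else [])
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    # First line is a "Types: N" header; the remaining lines are type names.
    names = (ln.strip() for ln in out.splitlines())
    return {n for n in names if n and not n.startswith("Types:")}


if __name__ == "__main__":
    import sys
    # Usage: check_fc.py [spec_file [policy_file]]; no args runs the constructed sample.
    if len(sys.argv) > 1:
        spec = Path(sys.argv[1]).read_text()
        types = policy_types_from_seinfo(sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        spec, types = SAMPLE_HOMEDIRS, TARGETED_TYPES
    for lineno, ctx, why in find_invalid_contexts(spec, types):
        print(f"line {lineno} has invalid context {ctx}: {why}")
```

The script only answers "which lines reference a type the policy does not know"; Portage's preinst_selinux_labels gets its verdict from setfiles, which checks each context in the spec files against the loaded policy before relabelling. That same validation can be run directly with setfiles' check mode, `setfiles -c /etc/selinux/targeted/policy/policy.21 /etc/selinux/targeted/contexts/files/file_contexts.homedirs`, whose line numbers are the ones to look at in the spec file.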
Looks like that line is not present in the current/latest refpolicy (20101213) anymore. Could you try switching over to the ~arch versions for sec-policy/* and see if you still have this issue?
I don't use SELinux now, so I can't test it. As far as I remember, this problem didn't occur any more when I stopped using it.
Can't blame you (after almost 3 years of having this bug report open) ;-)
This is no longer an issue.