SCIENTIFIC-LINUX-DEVEL Archives

December 2011

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From:
Pat Riehecky <[log in to unmask]>
Reply To:
Pat Riehecky <[log in to unmask]>
Date:
Thu, 22 Dec 2011 09:09:38 -0600
This appears to be an upstream issue.

The post install trigger for the particular policy rpms (targeted, mls, 
etc) is running the following

[ "${SELINUXTYPE}" == "%1" ] && [ selinuxenabled ] && load_policy;

However, it should be

[ "${SELINUXTYPE}" == "%1" ] && selinuxenabled && load_policy;

The extra [ ] are causing the test to always return true, and therefore 
attempt to load a policy when selinux is not enabled.

If 'getenforce' reports 'Disabled' the error is safe to ignore as it is 
merely load_policy being unable to actually load the policy.  If selinux 
is enabled and you see this error, there is something else very wrong 
with the system.

Upstream bug #769859

Pat


I've still no idea why my random test VMs didn't show the error, but 
they've since been re-purposed for 6.2 stuff so I'm going to assume 
there was something funny in them.

On 12/19/2011 03:37 PM, Nelson Marques wrote:
> Have you already any solid evidence that it is an upstream bug or you
> were just tossing around a lucky guess ?
>
> 2011/12/19 Morten Stevens<[log in to unmask]>:
>> On 19.12.2011 21:07, Pat Riehecky wrote:
>>> On 12/19/2011 09:07 AM, Stephan Wiesand wrote:
>>>> On Dec 17, 2011, at 14:40 , Morten Stevens wrote:
>>>>
>>>>> On 17.12.2011 03:30, Steven Haigh wrote:
>>>>>> I noticed that all my SL6x systems have updated to the following
>>>>>> selinux packages overnight:
>>>>>> selinux-policy           noarch  3.7.19-126.el6 sl6x-security  771 k
>>>>>> selinux-policy-targeted  noarch  3.7.19-126.el6 sl6x-security  2.5 M
>>>>>>
>>>>>> In the email logs on every system I notice:
>>>>>> SELinux:  Could not downgrade policy file
>>>>>> /etc/selinux/targeted/policy/policy.24, searching for an older
>>>>>> version.
>>>>>> SELinux:  Could not open policy file<=
>>>>>> /etc/selinux/targeted/policy/policy.24:  No such file or directory
>>>>>> load_policy:  Can't load policy:  No such file or directory
>>>>>>
>>>>>> As I usually disable SELinux on all my systems, I'm not sure if this
>>>>>> will have any effect for those who still run with SELinux enabled -
>>>>>> but it seems strange so I thought I'd report it...
>>>>> This is an upstream bug... I see this error message on all my systems.
>>>> Hmm... I don't observe this on my systems, whether or not SELinux is
>>>> disabled.
>>>>
>>>>         Stephan
>>>>
>>> I will echo Stephan's observations on this.  I checked 4 systems (2 -
>>> i386, 2 - x86_64; one enforcing one disabled for each arch) and I was
>>> unable to generate the error listed.
>>>
>>> Pat
>>
>> Hi,
>>
>> That's strange ... I see this error message on every el6 based system.
>>
>> For example:
>>
>> [root@x86-014 ~]# cat /etc/redhat-release
>> Red Hat Enterprise Linux Server release 6.1 (Santiago)
>>
>> [root@x86-014 ~]# sestatus
>> SELinux status:                 disabled
>>
>> [root@x86-014 ~]# yum update
>>
>> ...
>>
>>   Updating   : selinux-policy-targeted-3.7.19-126.el6_2.3.noarch      99/247
>>
>> SELinux:  Could not downgrade policy file
>> /etc/selinux/targeted/policy/policy.24, searching for an older version.
>> SELinux:  Could not open policy file<=
>> /etc/selinux/targeted/policy/policy.24:  No such file or directory
>>
>> Best regards,
>>
>> Morten
>
>


-- 
Pat Riehecky
Scientific Linux Developer
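
The difference between the two trigger lines in the message above, as an added example that is not from the original message or the selinux-policy package. `selinuxenabled` and `load_policy` are replaced by constructed stub functions, `SELINUX_STATE` and `count_loads` are hypothetical names, and `$1` stands in for the RPM `%1` macro.

```shell
#!/bin/sh
# Constructed stand-ins so this runs on a machine without the SELinux tools.
SELINUX_STATE=disabled   # hypothetical switch that drives the stub below
SELINUXTYPE=targeted
LOAD_ATTEMPTS=0

# Stub: like the real tool, exits 0 when SELinux is enabled and 1 otherwise.
selinuxenabled() {
    [ "$SELINUX_STATE" = "enabled" ]
}

# Stub: only records that a policy load was attempted.
load_policy() {
    LOAD_ATTEMPTS=$((LOAD_ATTEMPTS + 1))
}

# Trigger as shipped. "[ selinuxenabled ]" hands test(1) a single non-empty
# string, which is always true; the selinuxenabled command is never run.
# (The scriptlet writes "=="; "=" is the portable spelling of the same test.)
trigger_shipped() {
    [ "${SELINUXTYPE}" = "$1" ] && [ selinuxenabled ] && load_policy
}

# Corrected trigger: the exit status of selinuxenabled gates load_policy.
trigger_fixed() {
    [ "${SELINUXTYPE}" = "$1" ] && selinuxenabled && load_policy
}

# count_loads <trigger-function> <enabled|disabled> <policy-type>
# Prints how many times load_policy was called by that trigger.
count_loads() {
    LOAD_ATTEMPTS=0
    SELINUX_STATE=$2
    "$1" "$3" || true
    echo "$LOAD_ATTEMPTS"
}

for state in enabled disabled; do
    printf '%-8s shipped=%s fixed=%s\n' "$state" \
        "$(count_loads trigger_shipped "$state" targeted)" \
        "$(count_loads trigger_fixed "$state" targeted)"
done
```

On the disabled row the shipped trigger still reports one load attempt, which is the call that produces the "Can't load policy" message quoted below.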
