Re: yum update / SELinux problem?

On 3/1/07, Jim Cornette <fc-cornette@xxxxxxxxxxxxxx> wrote:
Jonathan Rawle wrote:
> I have a problem installing updates via yum. I usually type
> sudo yum update
> and have sudoers set up to allow this. However, I've recently started to see
> messages of the form:
> error: %pre(packagename) scriptlet failed, exit status 255
> It seems to install the new package, but does not remove the old one, which
> has taken some sorting out!
>
> It also doesn't work if I su to root and type yum update. But it DOES work
> if I disable SELinux with setenforce 0
>
> I'm seeing the following AVC messages in dmesg:
>
> audit(1172787681.632:38): avc:  denied  { transition } for  pid=7147
> comm="yum" name="bash" dev=sda1 ino=2154415
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
>
> Seeing as we don't have everyone complaining that yum is broken, I assume my
> filesystem is wrongly labelled or something. I did fixfiles check and
> couldn't see anything that looked significant...
>
> Why is it xdm_t? Is it something to do with me using kdm as my login manager
> (most people use gdm)?
>
> So I wondered if anyone has any ideas of how to fix this? I don't want to
> have to switch off enforcing every time I do an update!
>
> Thanks in advance,
>
>
> Jonathan
>
>

I'd drop to runlevel 1 and then run 'fixfiles relabel' and answer yes to
remove files in /tmp. Of course if you store files there, you ought to
pick a different location.

After relabeling a reboot is needed especially if you cleared the /tmp
files.

I used to run 'setenforce 0' quite a bit before running yum because of
the Exit Status 255 error with the scriptlets that were related to
SELinux. Either by pure luck or because of the security content being
corrected, I no longer needed to setenforce to 0 before updating after
the relabeling.

It is a bug and has been because of system policy in some cases and at
the package level in other cases.

Jim


Any chance that you have some obsolete scripts left over by performing
update instead of upgrade?
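
For reference, an added example that is not part of any message in this thread: a small Python parser for the kernel AVC record format quoted above. It splits the source and target contexts so the denied `xdm_t` to `rpm_script_t` transition is easy to read. The function names are illustrative, and the sample record is the one from the thread, re-joined onto one line.

```python
import re

# The AVC record quoted in the thread, re-joined onto one line (mail wrapping removed).
SAMPLE = (
    'audit(1172787681.632:38): avc:  denied  { transition } for  pid=7147 '
    'comm="yum" name="bash" dev=sda1 ino=2154415 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process'
)

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)'
    r'\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    level = parts[3] if len(parts) == 4 else None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'level': level}

def parse_avc(text):
    """Parse one AVC record; tolerates '> ' mail-quote prefixes and line wrapping."""
    joined = ' '.join(l.lstrip('> ').strip() for l in text.splitlines())
    m = AVC_RE.search(joined)
    if not m:
        return None
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'scontext': split_context(fields['scontext']),
        'tcontext': split_context(fields['tcontext']),
        'tclass': fields.get('tclass'),
        'fields': fields,
    }

def summarize(rec):
    """One-line view: source type -> target type, object class and permissions."""
    line = '%s: %s -> %s %s { %s } (comm=%s)' % (
        rec['result'], rec['scontext']['type'], rec['tcontext']['type'],
        rec['tclass'], ' '.join(rec['perms']), rec['fields'].get('comm'))
    if rec['tclass'] == 'process' and 'transition' in rec['perms']:
        line += ' [domain transition]'
    return line
```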
