Some further notes on installing/upgrading selinux policy through kickstart. By monitoring the install/upgrade log and Alt-F4 screens, I see the following sequence during a fresh install:

    ...
    Installing selinux-policy
    Installing selinux-policy-targeted
    <7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
    <7>security: 61 classes, 69080 rules
    <3>security: invalidating context system_u:object_r:defang_spool_t:s0
    Installing sls-selinux-policy
    <7>security: 3 users, 6 roles , 1915 types, 234 bools, 1 sens, 1024 cats
    <7>security: 61 classes, 69128 rules
    ... remaining packages are installed

The second pair of security lines on Alt-F4 come up immediately after my policy module is loaded, and show the new rules and type.

During an upgrade, the sequence is different:

    ...
    Upgrading selinux-policy
    Upgrading selinux-policy-targeted
    <7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
    <7>security: 61 classes, 69080 rules
    <3>security: invalidating context system_u:object:r:defang_spool_t:s0
    <4>inode_doinit_with_dentry: context_to_sid(system_u:object_r:defang_spool_t:s0) returned 22 for dev=dm-4 ino=49189
    Upgrading sls-selinux-policy
    libsemanage.semanage_make_sandbox: Could not copy files to sandbox /etc/selinux/targeted/modules/tmp.
    /usr/sbin/semodule: Failed on /usr/share/selinux/targeted/sls.pp!
    ... 59 remaining packages are upgraded ...
    warning: /etc/selinux/targeted/policy/policy.18 saved as /etc/selinux/targeded/policy/policy.18.rpmsave
    <7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
    <7>security: 61 classes, 69080 rules

There is a long pause after the "invalidating context defang_spool_t" line, then the "inode_doinit_with_dentry" line comes up on Alt-F4 just before "Upgrading sls-selinux-policy" is added to /root/upgrade.log. The "policy.18.rpmsave" and second pair of "<7>security" lines come up as the upgrade transaction is finishing.
I have tried:

  - Putting "sleep 20" in the %pre script of sls-selinux-policy
  - Removing /etc/selinux/targeted/policy/policy.18 before the upgrade
  - Removing /etc/selinux entirely before the upgrade
  - Uninstalling the selinux rpms before the upgrade (_really_ bad idea!)

None of those helped. I have made the problem go away by loading sls.pp and running fixfiles in a firstboot script after the upgrade. Still, it would be good to know why it broke during upgrade.

Moray.
"To err is human. To purr, feline"
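
An added example, not part of the original post: a check that reads the kernel and semodule messages quoted above and reports whether the local policy module ended up in the final loaded policy. The heuristic is an assumption of this example (module counted as missing when semodule reports a failure, or when a context was invalidated and the final type count did not grow); the sample lines are copied from the two excerpts in the post.

```python
import re

LOAD_RE = re.compile(r"security:\s*\d+ users,\s*\d+ roles\s*,\s*(\d+) types")
RULES_RE = re.compile(r"security:\s*\d+ classes,\s*(\d+) rules")
INVALID_RE = re.compile(r"security: invalidating context (\S+)")
FAIL_RE = re.compile(r"semodule: Failed on (\S+?)!")

# Lines taken from the two log excerpts in the post, one message per line.
FRESH = """\
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
<3>security: invalidating context system_u:object_r:defang_spool_t:s0
<7>security: 3 users, 6 roles , 1915 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69128 rules
""".splitlines()
UPGRADE = """\
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
<3>security: invalidating context system_u:object:r:defang_spool_t:s0
/usr/sbin/semodule: Failed on /usr/share/selinux/targeted/sls.pp!
<7>security: 3 users, 6 roles, 1914 types, 234 bools, 1 sens, 1024 cats
<7>security: 61 classes, 69080 rules
""".splitlines()

def summarize(lines):
    """Return (policy loads, invalidated contexts, failed module packages)."""
    loads, invalid, failed = [], [], []
    for line in lines:
        if m := LOAD_RE.search(line):
            loads.append({"types": int(m.group(1)), "rules": None})
        elif m := RULES_RE.search(line):
            if loads and loads[-1]["rules"] is None:
                loads[-1]["rules"] = int(m.group(1))  # pair with preceding load
        elif m := INVALID_RE.search(line):
            invalid.append(m.group(1))
        elif m := FAIL_RE.search(line):
            failed.append(m.group(1))
    return loads, invalid, failed

def module_missing(lines):
    """Heuristic (assumption): True if the final policy lacks the local module."""
    loads, invalid, failed = summarize(lines)
    if not loads:
        return False
    no_growth = loads[-1]["types"] <= loads[0]["types"]
    return bool(failed) or (bool(invalid) and no_growth)

if __name__ == "__main__":
    for name, log in (("fresh install", FRESH), ("upgrade", UPGRADE)):
        print(name, "-> module missing:", module_missing(log))
```
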