plus3it / ash-linux-formula

Automated System Hardening (ash-linux) is a Salt formula to apply SCAP benchmarks to Linux systems

SELinux policy causes system to fail to start after reboot #84

Closed lorengordon closed 9 years ago

lorengordon commented 9 years ago

After applying the ash-linux.stig policy and rebooting, the system fails to start.

From the AWS System Log:

dracut: Loading SELinux policy
type=1404 audit(1429122099.471:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=1300 audit(1429122099.471:2): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff7a9df2e0 a2=1 a3=7fff7a9de060 items=0 ppid=1 pid=259 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="load_policy" exe="/sbin/load_policy" subj=kernel key=(null)
dracut: SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.24: No such file or directory /sbin/load_policy: Can't load policy and enforcing mode requested: No such file or directory
dracut Warning: Initial SELinux policy load failed.
dracut FATAL: Initial SELinux policy load failed. Machine in enforcing mode. To disable selinux, add selinux=0 to the kernel command line.
dracut Warning:

lorengordon commented 9 years ago

I don't know why, but the policy directory is empty. Research indicates that the policy.24 file should be present if the selinux-policy-targeted package is installed.

# yum info selinux-policy-targeted
Loaded plugins: downloadonly, fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.umd.edu
 * extras: mirror.ash.fastserv.com
 * updates: mirror.umd.edu
Installed Packages
Name        : selinux-policy-targeted
Arch        : noarch
Version     : 3.7.19
Release     : 260.el6_6.2
Size        : 3.4 M
Repo        : installed
Summary     : SELinux targeted base policy
URL         : http://oss.tresys.com/repos/refpolicy/
License     : GPLv2+
Description : SELinux Reference policy targeted base module.

# ls -al /etc/selinux/targeted/policy/
total 8
drwxr-xr-x 2 root root 4096 Jan 20 08:54 .
drwxr-xr-x 6 root root 4096 Apr 14 20:35 ..

Reinstalling the package gets the file back.

# yum reinstall selinux-policy-targeted
Loaded plugins: downloadonly, fastestmirror
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * base: mirror.umd.edu
 * extras: mirror.ash.fastserv.com
 * updates: mirror.umd.edu
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.2 will be reinstalled
--> Finished Dependency Resolution

... </snip> ...

Running Transaction
  Installing : selinux-policy-targeted-3.7.19-260.el6_6.2.noarch                                                                                                                                                   1/1

  Verifying  : selinux-policy-targeted-3.7.19-260.el6_6.2.noarch                                                                                                                                                   1/1

Installed:
  selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.2

Complete!

# ls -al /etc/selinux/targeted/policy/
total 7908
drwxr-xr-x 2 root root    4096 Apr 15 19:42 .
drwxr-xr-x 6 root root    4096 Apr 15 19:42 ..
-rw-r--r-- 1 root root 8085537 Apr 15 19:42 policy.24

lorengordon commented 9 years ago

And the system boots fine after reinstalling selinux-policy-targeted.

dracut: Loading SELinux policy
type=1404 audit(1429128313.486:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=1300 audit(1429128313.486:2): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff8a5e67f0 a2=1 a3=7fff8a5e5570 items=0 ppid=1 pid=259 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="load_policy" exe="/sbin/load_policy" subj=kernel key=(null)
type=1403 audit(1429128313.504:3): policy loaded auid=4294967295 ses=4294967295
type=1300 audit(1429128313.504:3): arch=c000003e syscall=1 success=yes exit=8085537 a0=4 a1=7f1b152bc000 a2=7b6021 a3=0 items=0 ppid=1 pid=259 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="load_policy" exe="/sbin/load_policy" subj=system_u:system_r:kernel_t:s0 key=(null)

Still trying to figure out where that file goes missing...

lorengordon commented 9 years ago

Hrrm, the file is missing even in the plain vanilla ACB-CentOS ami...

lorengordon commented 9 years ago

But it's present in the ami from centos.org, CentOS 6 with updates HVM (ami-c2a818aa)...

ferricoxide commented 9 years ago

Fun fact: the HVM and PVM images are created from the same EBS snapshot. File should either be universally present or absent across AMI instantiations.

From HVM image:

$ rpm -qa | grep selinux
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-260.el6_6.2.noarch
[centos@ip-172-31-34-111 ~]$  curl http://169.254.169.254/latest/dynamic/instance-identity/document/ ; echo
{
  "devpayProductCodes" : null,
  "privateIp" : "172.31.34.111",
  "availabilityZone" : "us-west-2a",
  "accountId" : "701759196663",
  "instanceId" : "i-d05bb327",
  "billingProducts" : null,
  "version" : "2010-08-31",
  "imageId" : "ami-0982ab39",
  "instanceType" : "t2.micro",
  "kernelId" : null,
  "ramdiskId" : null,
  "pendingTime" : "2015-04-15T22:26:04Z",
  "architecture" : "x86_64",
  "region" : "us-west-2"
}

From PVM instance:

$ rpm -qa | grep selinux
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-260.el6_6.2.noarch
[centos@ip-172-31-25-188 ~]$ curl http://169.254.169.254/latest/dynamic/instance-identity/document/ ; echo
{
  "devpayProductCodes" : null,
  "availabilityZone" : "us-west-2b",
  "privateIp" : "172.31.25.188",
  "version" : "2010-08-31",
  "region" : "us-west-2",
  "instanceId" : "i-0d0d8ffb",
  "billingProducts" : null,
  "accountId" : "701759196663",
  "imageId" : "ami-0582ab35",
  "instanceType" : "t1.micro",
  "kernelId" : "aki-e68f11d6",
  "ramdiskId" : null,
  "pendingTime" : "2015-04-15T22:25:28Z",
  "architecture" : "x86_64"
}

Granted, the above is the "us-west-2" region, but the same ChrootBuild.sh is used to lay down the AMI packages in each region.

lorengordon commented 9 years ago

I haven't tested the PVM ami at all. The necessary rpm is present, certainly, but for some reason the required policy file is missing.

ferricoxide commented 9 years ago

Nova Region: HVM

$ rpm -qa | grep selinux-
selinux-policy-3.7.19-260.el6_6.2.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
[centos@ip-172-31-5-63 ~]$  curl http://169.254.169.254/latest/dynamic/instance-identity/document/ ; echo
{
  "instanceId" : "i-32cf8ece",
  "billingProducts" : null,
  "accountId" : "701759196663",
  "imageId" : "ami-927c47fa",
  "instanceType" : "t2.micro",
  "kernelId" : null,
  "ramdiskId" : null,
  "pendingTime" : "2015-04-15T22:37:17Z",
  "architecture" : "x86_64",
  "region" : "us-east-1",
  "version" : "2010-08-31",
  "availabilityZone" : "us-east-1c",
  "devpayProductCodes" : null,
  "privateIp" : "172.31.5.63"
}

PVM

$ rpm -qa | grep selinux-
selinux-policy-3.7.19-260.el6_6.2.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
[centos@ip-172-31-46-16 ~]$  curl http://169.254.169.254/latest/dynamic/instance-identity/document/ ; echo
{
  "privateIp" : "172.31.46.16",
  "devpayProductCodes" : null,
  "availabilityZone" : "us-east-1a",
  "version" : "2010-08-31",
  "accountId" : "701759196663",
  "instanceId" : "i-895b675e",
  "billingProducts" : null,
  "imageId" : "ami-907c47f8",
  "instanceType" : "t1.micro",
  "kernelId" : "aki-919dcaf8",
  "ramdiskId" : null,
  "pendingTime" : "2015-04-15T22:38:08Z",
  "architecture" : "x86_64",
  "region" : "us-east-1"
}

lorengordon commented 9 years ago

But what does this show: ls -al /etc/selinux/targeted/policy/policy.24?

ferricoxide commented 9 years ago

Weird: the RPM's installed, but not the files???

$ rpm -ql selinux-policy-targeted-3.7.19-260.el6_6.2.noarch | grep policy.24
/etc/selinux/targeted/policy/policy.24
[centos@ip-172-31-46-16 ~]$ ls /etc/selinux/targeted/policy/policy.24
ls: cannot access /etc/selinux/targeted/policy/policy.24: No such file or directory

But rpm -qV selinux-policy-targeted comes back clean (meaning the files should be present)??

lorengordon commented 9 years ago

Right! That's what I'm saying! The file is in the ami provided by centos.org, so I think something might have gone sideways in our ami creation.

ferricoxide commented 9 years ago

Which is really weird, because when I first laid down the prior AMIs, running the state didn't kill the system when I run-tested it (i.e., the file was there).

ferricoxide commented 9 years ago

Hmm... I'm gonna have to tear apart the RPM to see if IT'S doing something funky when installed via chroot-method, because:

# yum reinstall selinux-policy-targeted-3.7.19-260.el6_6.2.noarch.rpm
Loaded plugins: downloadonly, fastestmirror
Setting up Reinstall Process
Examining selinux-policy-targeted-3.7.19-260.el6_6.2.noarch.rpm: selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.6 MB     00:02
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  30 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 2.7 MB     00:00
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.2 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package
        Arch   Version Repository                                          Size
================================================================================
Reinstalling:
 selinux-policy-targeted
        noarch 3.7.19-260.el6_6.2
                       /selinux-policy-targeted-3.7.19-260.el6_6.2.noarch 3.4 M

Transaction Summary
================================================================================
Reinstall     1 Package(s)

Total size: 3.4 M
Installed size: 3.4 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-targeted-3.7.19-260.el6_6.2.noarch            1/1
  Verifying  : selinux-policy-targeted-3.7.19-260.el6_6.2.noarch            1/1

Installed:
  selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.2

Complete!
# ls /etc/selinux/targeted/policy/
policy.24

Really ought not to have fixed it.

lorengordon commented 9 years ago

Yep, that's what fixed it for me, too. The issue only cropped up after a reboot (the states applied fine and the system was operational otherwise), and this was the first time I tested the reboot after applying the full stig baseline, so /me shrugs, I don't have a valid point of comparison.

ferricoxide commented 9 years ago

Very interesting...

# rpm2cpio selinux-policy-targeted-3.7.19-260.el6_6.2.noarch.rpm | cpio -idv
./etc/selinux/targeted
./etc/selinux/targeted/contexts
./etc/selinux/targeted/contexts/customizable_types
./etc/selinux/targeted/contexts/dbus_contexts
./etc/selinux/targeted/contexts/default_contexts
./etc/selinux/targeted/contexts/default_type
./etc/selinux/targeted/contexts/failsafe_context
./etc/selinux/targeted/contexts/files
./etc/selinux/targeted/contexts/files/media
./etc/selinux/targeted/contexts/initrc_context
./etc/selinux/targeted/contexts/removable_context
./etc/selinux/targeted/contexts/securetty_types
./etc/selinux/targeted/contexts/sepgsql_contexts
./etc/selinux/targeted/contexts/userhelper_context
./etc/selinux/targeted/contexts/users
./etc/selinux/targeted/contexts/users/guest_u
./etc/selinux/targeted/contexts/users/root
./etc/selinux/targeted/contexts/users/staff_u
./etc/selinux/targeted/contexts/users/unconfined_u
./etc/selinux/targeted/contexts/users/user_u
./etc/selinux/targeted/contexts/users/xguest_u
./etc/selinux/targeted/contexts/virtual_domain_context
./etc/selinux/targeted/contexts/virtual_image_context
./etc/selinux/targeted/contexts/x_contexts
./etc/selinux/targeted/logins
./etc/selinux/targeted/modules
./etc/selinux/targeted/modules/active
./etc/selinux/targeted/modules/semanage.read.LOCK
./etc/selinux/targeted/modules/semanage.trans.LOCK
./etc/selinux/targeted/policy
./etc/selinux/targeted/setrans.conf
./usr/share/selinux/targeted
./usr/share/selinux/targeted/abrt.pp.bz2
./usr/share/selinux/targeted/accountsd.pp.bz2
./usr/share/selinux/targeted/ada.pp.bz2
./usr/share/selinux/targeted/afs.pp.bz2
./usr/share/selinux/targeted/aiccu.pp.bz2
./usr/share/selinux/targeted/aide.pp.bz2
./usr/share/selinux/targeted/amanda.pp.bz2
./usr/share/selinux/targeted/amtu.pp.bz2
./usr/share/selinux/targeted/antivirus.pp.bz2
./usr/share/selinux/targeted/apache.pp.bz2
./usr/share/selinux/targeted/apcupsd.pp.bz2
./usr/share/selinux/targeted/arpwatch.pp.bz2
./usr/share/selinux/targeted/asterisk.pp.bz2
./usr/share/selinux/targeted/audioentropy.pp.bz2
./usr/share/selinux/targeted/automount.pp.bz2
./usr/share/selinux/targeted/avahi.pp.bz2
./usr/share/selinux/targeted/awstats.pp.bz2
./usr/share/selinux/targeted/bacula.pp.bz2
./usr/share/selinux/targeted/base.pp.bz2
./usr/share/selinux/targeted/bcfg2.pp.bz2
./usr/share/selinux/targeted/bind.pp.bz2
./usr/share/selinux/targeted/bitlbee.pp.bz2
./usr/share/selinux/targeted/bluetooth.pp.bz2
./usr/share/selinux/targeted/boinc.pp.bz2
./usr/share/selinux/targeted/bugzilla.pp.bz2
./usr/share/selinux/targeted/cachefilesd.pp.bz2
./usr/share/selinux/targeted/calamaris.pp.bz2
./usr/share/selinux/targeted/canna.pp.bz2
./usr/share/selinux/targeted/ccs.pp.bz2
./usr/share/selinux/targeted/cdrecord.pp.bz2
./usr/share/selinux/targeted/certmaster.pp.bz2
./usr/share/selinux/targeted/certmonger.pp.bz2
./usr/share/selinux/targeted/certwatch.pp.bz2
./usr/share/selinux/targeted/cfengine.pp.bz2
./usr/share/selinux/targeted/cgroup.pp.bz2
./usr/share/selinux/targeted/chrome.pp.bz2
./usr/share/selinux/targeted/chronyd.pp.bz2
./usr/share/selinux/targeted/cipe.pp.bz2
./usr/share/selinux/targeted/clogd.pp.bz2
./usr/share/selinux/targeted/cloudform.pp.bz2
./usr/share/selinux/targeted/cmirrord.pp.bz2
./usr/share/selinux/targeted/cobbler.pp.bz2
./usr/share/selinux/targeted/collectd.pp.bz2
./usr/share/selinux/targeted/comsat.pp.bz2
./usr/share/selinux/targeted/condor.pp.bz2
./usr/share/selinux/targeted/conman.pp.bz2
./usr/share/selinux/targeted/consolekit.pp.bz2
./usr/share/selinux/targeted/courier.pp.bz2
./usr/share/selinux/targeted/cpufreqselector.pp.bz2
./usr/share/selinux/targeted/ctdbd.pp.bz2
./usr/share/selinux/targeted/cups.pp.bz2
./usr/share/selinux/targeted/cvs.pp.bz2
./usr/share/selinux/targeted/cyphesis.pp.bz2
./usr/share/selinux/targeted/cyrus.pp.bz2
./usr/share/selinux/targeted/daemontools.pp.bz2
./usr/share/selinux/targeted/dbskk.pp.bz2
./usr/share/selinux/targeted/dcc.pp.bz2
./usr/share/selinux/targeted/ddclient.pp.bz2
./usr/share/selinux/targeted/denyhosts.pp.bz2
./usr/share/selinux/targeted/devicekit.pp.bz2
./usr/share/selinux/targeted/dhcp.pp.bz2
./usr/share/selinux/targeted/dictd.pp.bz2
./usr/share/selinux/targeted/dirsrv-admin.pp.bz2
./usr/share/selinux/targeted/dirsrv.pp.bz2
./usr/share/selinux/targeted/dnsmasq.pp.bz2
./usr/share/selinux/targeted/dovecot.pp.bz2
./usr/share/selinux/targeted/drbd.pp.bz2
./usr/share/selinux/targeted/dspam.pp.bz2
./usr/share/selinux/targeted/ethereal.pp.bz2
./usr/share/selinux/targeted/execmem.pp.bz2
./usr/share/selinux/targeted/exim.pp.bz2
./usr/share/selinux/targeted/fail2ban.pp.bz2
./usr/share/selinux/targeted/fcoemon.pp.bz2
./usr/share/selinux/targeted/fetchmail.pp.bz2
./usr/share/selinux/targeted/finger.pp.bz2
./usr/share/selinux/targeted/firewallgui.pp.bz2
./usr/share/selinux/targeted/fprintd.pp.bz2
./usr/share/selinux/targeted/freeipmi.pp.bz2
./usr/share/selinux/targeted/ftp.pp.bz2
./usr/share/selinux/targeted/games.pp.bz2
./usr/share/selinux/targeted/git.pp.bz2
./usr/share/selinux/targeted/gitosis.pp.bz2
./usr/share/selinux/targeted/glance.pp.bz2
./usr/share/selinux/targeted/glusterd.pp.bz2
./usr/share/selinux/targeted/gnome.pp.bz2
./usr/share/selinux/targeted/gnomeclock.pp.bz2
./usr/share/selinux/targeted/gpg.pp.bz2
./usr/share/selinux/targeted/gpm.pp.bz2
./usr/share/selinux/targeted/gpsd.pp.bz2
./usr/share/selinux/targeted/guest.pp.bz2
./usr/share/selinux/targeted/hal.pp.bz2
./usr/share/selinux/targeted/hddtemp.pp.bz2
./usr/share/selinux/targeted/howl.pp.bz2
./usr/share/selinux/targeted/hypervkvp.pp.bz2
./usr/share/selinux/targeted/icecast.pp.bz2
./usr/share/selinux/targeted/inn.pp.bz2
./usr/share/selinux/targeted/ipsec.pp.bz2
./usr/share/selinux/targeted/irc.pp.bz2
./usr/share/selinux/targeted/iscsi.pp.bz2
./usr/share/selinux/targeted/isns.pp.bz2
./usr/share/selinux/targeted/jabber.pp.bz2
./usr/share/selinux/targeted/java.pp.bz2
./usr/share/selinux/targeted/kdump.pp.bz2
./usr/share/selinux/targeted/kdumpgui.pp.bz2
./usr/share/selinux/targeted/keepalived.pp.bz2
./usr/share/selinux/targeted/kerberos.pp.bz2
./usr/share/selinux/targeted/kerneloops.pp.bz2
./usr/share/selinux/targeted/keystone.pp.bz2
./usr/share/selinux/targeted/kismet.pp.bz2
./usr/share/selinux/targeted/ksmtuned.pp.bz2
./usr/share/selinux/targeted/ktalk.pp.bz2
./usr/share/selinux/targeted/l2tpd.pp.bz2
./usr/share/selinux/targeted/ldap.pp.bz2
./usr/share/selinux/targeted/likewise.pp.bz2
./usr/share/selinux/targeted/lircd.pp.bz2
./usr/share/selinux/targeted/livecd.pp.bz2
./usr/share/selinux/targeted/lldpad.pp.bz2
./usr/share/selinux/targeted/lockdev.pp.bz2
./usr/share/selinux/targeted/logadm.pp.bz2
./usr/share/selinux/targeted/lpd.pp.bz2
./usr/share/selinux/targeted/lsm.pp.bz2
./usr/share/selinux/targeted/mailman.pp.bz2
./usr/share/selinux/targeted/matahari.pp.bz2
./usr/share/selinux/targeted/mediawiki.pp.bz2
./usr/share/selinux/targeted/memcached.pp.bz2
./usr/share/selinux/targeted/milter.pp.bz2
./usr/share/selinux/targeted/mip6d.pp.bz2
./usr/share/selinux/targeted/mirrormanager.pp.bz2
./usr/share/selinux/targeted/modemmanager.pp.bz2
./usr/share/selinux/targeted/modules.lst
./usr/share/selinux/targeted/mono.pp.bz2
./usr/share/selinux/targeted/mozilla.pp.bz2
./usr/share/selinux/targeted/mpd.pp.bz2
./usr/share/selinux/targeted/mplayer.pp.bz2
./usr/share/selinux/targeted/mrtg.pp.bz2
./usr/share/selinux/targeted/munin.pp.bz2
./usr/share/selinux/targeted/mysql.pp.bz2
./usr/share/selinux/targeted/nagios.pp.bz2
./usr/share/selinux/targeted/namespace.pp.bz2
./usr/share/selinux/targeted/ncftool.pp.bz2
./usr/share/selinux/targeted/netlabel.pp.bz2
./usr/share/selinux/targeted/nis.pp.bz2
./usr/share/selinux/targeted/nova.pp.bz2
./usr/share/selinux/targeted/nslcd.pp.bz2
./usr/share/selinux/targeted/nsplugin.pp.bz2
./usr/share/selinux/targeted/ntop.pp.bz2
./usr/share/selinux/targeted/ntp.pp.bz2
./usr/share/selinux/targeted/numad.pp.bz2
./usr/share/selinux/targeted/nut.pp.bz2
./usr/share/selinux/targeted/nx.pp.bz2
./usr/share/selinux/targeted/oddjob.pp.bz2
./usr/share/selinux/targeted/openct.pp.bz2
./usr/share/selinux/targeted/openhpid.pp.bz2
./usr/share/selinux/targeted/openoffice.pp.bz2
./usr/share/selinux/targeted/openshift-origin.pp.bz2
./usr/share/selinux/targeted/openshift.pp.bz2
./usr/share/selinux/targeted/openvpn.pp.bz2
./usr/share/selinux/targeted/openvswitch.pp.bz2
./usr/share/selinux/targeted/openwsman.pp.bz2
./usr/share/selinux/targeted/oracleasm.pp.bz2
./usr/share/selinux/targeted/osad.pp.bz2
./usr/share/selinux/targeted/pads.pp.bz2
./usr/share/selinux/targeted/passenger.pp.bz2
./usr/share/selinux/targeted/pcp.pp.bz2
./usr/share/selinux/targeted/pcscd.pp.bz2
./usr/share/selinux/targeted/pegasus.pp.bz2
./usr/share/selinux/targeted/permissivedomains.pp.bz2
./usr/share/selinux/targeted/pingd.pp.bz2
./usr/share/selinux/targeted/piranha.pp.bz2
./usr/share/selinux/targeted/pkcsslotd.pp.bz2
./usr/share/selinux/targeted/plymouthd.pp.bz2
./usr/share/selinux/targeted/podsleuth.pp.bz2
./usr/share/selinux/targeted/policykit.pp.bz2
./usr/share/selinux/targeted/portmap.pp.bz2
./usr/share/selinux/targeted/portreserve.pp.bz2
./usr/share/selinux/targeted/postfix.pp.bz2
./usr/share/selinux/targeted/postgresql.pp.bz2
./usr/share/selinux/targeted/postgrey.pp.bz2
./usr/share/selinux/targeted/ppp.pp.bz2
./usr/share/selinux/targeted/prelude.pp.bz2
./usr/share/selinux/targeted/privoxy.pp.bz2
./usr/share/selinux/targeted/procmail.pp.bz2
./usr/share/selinux/targeted/psad.pp.bz2
./usr/share/selinux/targeted/ptchown.pp.bz2
./usr/share/selinux/targeted/publicfile.pp.bz2
./usr/share/selinux/targeted/pulseaudio.pp.bz2
./usr/share/selinux/targeted/puppet.pp.bz2
./usr/share/selinux/targeted/pyzor.pp.bz2
./usr/share/selinux/targeted/qemu.pp.bz2
./usr/share/selinux/targeted/qmail.pp.bz2
./usr/share/selinux/targeted/qpidd.pp.bz2
./usr/share/selinux/targeted/quantum.pp.bz2
./usr/share/selinux/targeted/radius.pp.bz2
./usr/share/selinux/targeted/radvd.pp.bz2
./usr/share/selinux/targeted/razor.pp.bz2
./usr/share/selinux/targeted/rdisc.pp.bz2
./usr/share/selinux/targeted/remotelogin.pp.bz2
./usr/share/selinux/targeted/rhcs.pp.bz2
./usr/share/selinux/targeted/rhev.pp.bz2
./usr/share/selinux/targeted/rhgb.pp.bz2
./usr/share/selinux/targeted/rhnsd.pp.bz2
./usr/share/selinux/targeted/rhsmcertd.pp.bz2
./usr/share/selinux/targeted/ricci.pp.bz2
./usr/share/selinux/targeted/rlogin.pp.bz2
./usr/share/selinux/targeted/roundup.pp.bz2
./usr/share/selinux/targeted/rpcbind.pp.bz2
./usr/share/selinux/targeted/rshd.pp.bz2
./usr/share/selinux/targeted/rssh.pp.bz2
./usr/share/selinux/targeted/rsync.pp.bz2
./usr/share/selinux/targeted/rtas.pp.bz2
./usr/share/selinux/targeted/rtkit.pp.bz2
./usr/share/selinux/targeted/rwho.pp.bz2
./usr/share/selinux/targeted/samba.pp.bz2
./usr/share/selinux/targeted/sambagui.pp.bz2
./usr/share/selinux/targeted/sandbox.pp.bz2
./usr/share/selinux/targeted/sanlock.pp.bz2
./usr/share/selinux/targeted/sasl.pp.bz2
./usr/share/selinux/targeted/sblim.pp.bz2
./usr/share/selinux/targeted/screen.pp.bz2
./usr/share/selinux/targeted/sectoolm.pp.bz2
./usr/share/selinux/targeted/sensord.pp.bz2
./usr/share/selinux/targeted/seunshare.pp.bz2
./usr/share/selinux/targeted/sge.pp.bz2
./usr/share/selinux/targeted/shutdown.pp.bz2
./usr/share/selinux/targeted/slocate.pp.bz2
./usr/share/selinux/targeted/slpd.pp.bz2
./usr/share/selinux/targeted/smartmon.pp.bz2
./usr/share/selinux/targeted/smokeping.pp.bz2
./usr/share/selinux/targeted/smoltclient.pp.bz2
./usr/share/selinux/targeted/smstools.pp.bz2
./usr/share/selinux/targeted/snmp.pp.bz2
./usr/share/selinux/targeted/snort.pp.bz2
./usr/share/selinux/targeted/sosreport.pp.bz2
./usr/share/selinux/targeted/soundserver.pp.bz2
./usr/share/selinux/targeted/spamassassin.pp.bz2
./usr/share/selinux/targeted/squid.pp.bz2
./usr/share/selinux/targeted/sssd.pp.bz2
./usr/share/selinux/targeted/staff.pp.bz2
./usr/share/selinux/targeted/stapserver.pp.bz2
./usr/share/selinux/targeted/stunnel.pp.bz2
./usr/share/selinux/targeted/svnserve.pp.bz2
./usr/share/selinux/targeted/swift.pp.bz2
./usr/share/selinux/targeted/sysadm_secadm.pp.bz2
./usr/share/selinux/targeted/sysstat.pp.bz2
./usr/share/selinux/targeted/tcpd.pp.bz2
./usr/share/selinux/targeted/telepathy.pp.bz2
./usr/share/selinux/targeted/telnet.pp.bz2
./usr/share/selinux/targeted/tftp.pp.bz2
./usr/share/selinux/targeted/tgtd.pp.bz2
./usr/share/selinux/targeted/tmpreaper.pp.bz2
./usr/share/selinux/targeted/tomcat.pp.bz2
./usr/share/selinux/targeted/tor.pp.bz2
./usr/share/selinux/targeted/tuned.pp.bz2
./usr/share/selinux/targeted/tvtime.pp.bz2
./usr/share/selinux/targeted/ulogd.pp.bz2
./usr/share/selinux/targeted/uml.pp.bz2
./usr/share/selinux/targeted/unconfined.pp.bz2
./usr/share/selinux/targeted/unconfineduser.pp.bz2
./usr/share/selinux/targeted/unlabelednet.pp.bz2
./usr/share/selinux/targeted/unprivuser.pp.bz2
./usr/share/selinux/targeted/usbmodules.pp.bz2
./usr/share/selinux/targeted/usbmuxd.pp.bz2
./usr/share/selinux/targeted/userhelper.pp.bz2
./usr/share/selinux/targeted/usernetctl.pp.bz2
./usr/share/selinux/targeted/uucp.pp.bz2
./usr/share/selinux/targeted/uuidd.pp.bz2
./usr/share/selinux/targeted/varnishd.pp.bz2
./usr/share/selinux/targeted/vdagent.pp.bz2
./usr/share/selinux/targeted/vhostmd.pp.bz2
./usr/share/selinux/targeted/virt.pp.bz2
./usr/share/selinux/targeted/vmware.pp.bz2
./usr/share/selinux/targeted/vpn.pp.bz2
./usr/share/selinux/targeted/w3c.pp.bz2
./usr/share/selinux/targeted/watchdog.pp.bz2
./usr/share/selinux/targeted/wdmd.pp.bz2
./usr/share/selinux/targeted/webadm.pp.bz2
./usr/share/selinux/targeted/webalizer.pp.bz2
./usr/share/selinux/targeted/wine.pp.bz2
./usr/share/selinux/targeted/xen.pp.bz2
./usr/share/selinux/targeted/xfs.pp.bz2
./usr/share/selinux/targeted/xguest.pp.bz2
./usr/share/selinux/targeted/zabbix.pp.bz2
./usr/share/selinux/targeted/zarafa.pp.bz2
./usr/share/selinux/targeted/zebra.pp.bz2
./usr/share/selinux/targeted/zosremote.pp.bz2
7137 blocks
# find etc/selinux/targeted/policy/
etc/selinux/targeted/policy/

The policy.24 file isn't in the RPM manifest, somehow?

ferricoxide commented 9 years ago

Goddammit: it's running a postinstall script to copy the requisite files:

packages=`cat /usr/share/selinux/targeted/modules.lst`
if [ $1 -eq 1 ]; then

. /etc/selinux/config;
( cd /usr/share/selinux/targeted;
semodule -n -r oracle-port -b base.pp.bz2 -i $packages -s targeted 2>&1 | grep -v "oracle-port";
[ "${SELINUXTYPE}" == "targeted" ] && selinuxenabled && load_policy;
);   restorecon -R /root /var/log /var/run 2> /dev/null
else
   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav -r glusterfs 2>/dev/null

. /etc/selinux/config;
( cd /usr/share/selinux/targeted;
semodule -n -r oracle-port -b base.pp.bz2 -i $packages -s targeted 2>&1 | grep -v "oracle-port";
[ "${SELINUXTYPE}" == "targeted" ] && selinuxenabled && load_policy;
);
. /etc/selinux/config;
FILE_CONTEXT=/etc/selinux/targeted/contexts/files/file_contexts;
selinuxenabled;
if [ $? = 0  -a "${SELINUXTYPE}" = targeted -a -f ${FILE_CONTEXT}.pre ]; then
     fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null;
     restorecon -R /root /var/log /var/run 2> /dev/null;
     rm -f ${FILE_CONTEXT}.pre;
fi;fi
exit 0

Which, if you manually run things, makes sure the file is there:

# rm /etc/selinux/targeted/policy/policy.24
rm: remove regular file `/etc/selinux/targeted/policy/policy.24'? y
# sh -x /tmp/blah > /tmp/module.log 2>&1
# find /etc/selinux/targeted/policy/
/etc/selinux/targeted/policy/
/etc/selinux/targeted/policy/policy.24

So, looks like I need to update my AMI scripts to try to run that from within the chroot().

ferricoxide commented 9 years ago

Ok, fixed the NoVA AMIs. Have to add a couple of steps to my AMI scripts: basically, to jump into the chroot and re-run the post-install script. Now to figure out how to do that with the least amount of effort. I'll probably borrow from my HVMprep.sh script.

Interesting thing is when I first started using this method, the RPM's post-script ran correctly. This seems to be a change in the RPM's (effective) behavior.

Anyway, this isn't a Salt issue; it's an issue with AMIgen.
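
A pre-reboot guard for the failure mode in this thread, plus the chroot remediation ferricoxide describes, as an added example (not code from the ash-linux-formula project or from either commenter). It assumes the EL6 layout shown above (/etc/selinux/config with SELINUX= and SELINUXTYPE=, binary policy under /etc/selinux/<type>/policy/policy.*) and that `rpm -q --scripts` prints the %post body under a "postinstall scriptlet" header; the demo roots it builds are constructed, not real systems.

```shell
#!/bin/sh
# Guard for the boot failure in this issue: SELinux set to enforcing while
# /etc/selinux/<type>/policy/policy.* is missing makes dracut abort the boot.
# ROOT is the image root: "/" on a live system, or the chroot an AMI builder uses.

# Read KEY=value from ROOT/etc/selinux/config (last assignment wins, comments ignored).
selinux_setting() {                       # $1=ROOT $2=KEY
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || return 1
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$cfg" | tail -n 1
}

# Print the binary policy the kernel will load at boot (policy.24 on EL6); fail if absent.
selinux_policy_file() {                   # $1=ROOT
    type=$(selinux_setting "$1" SELINUXTYPE) || return 1
    [ -n "$type" ] || type=targeted
    for f in "$1/etc/selinux/$type/policy/policy."*; do
        [ -f "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# 0 = safe to reboot, 1 = boot will fail (enforcing + no policy, the case in this issue),
# 2 = policy missing but SELinux is permissive/disabled (boots, but still broken).
check_selinux_boot() {                    # $1=ROOT
    mode=$(selinux_setting "$1" SELINUX) || mode=""
    if selinux_policy_file "$1" >/dev/null; then
        return 0
    fi
    [ "$mode" = enforcing ] && return 1
    return 2
}

# Remediation from the thread: re-run the RPM's %post scriptlet inside the chroot with
# "1" (fresh install) as $1 so it rebuilds the policy file. Needs rpm inside the image;
# the constructed demo below does not exercise it.
rerun_policy_postinstall() {              # $1=ROOT
    scriptlet=$(mktemp) || return 1
    chroot "$1" rpm -q --scripts selinux-policy-targeted \
        | awk '/^postinstall scriptlet/ {f=1; next} /^[a-z]+ scriptlet/ {f=0} f' > "$scriptlet"
    [ -s "$scriptlet" ] || { rm -f "$scriptlet"; return 1; }
    chroot "$1" /bin/sh -s 1 < "$scriptlet"
    rm -f "$scriptlet"
    selinux_policy_file "$1" >/dev/null
}

# Constructed demo root (not a real system): mode = enforcing|permissive, policy = yes|no.
make_demo_root() {                        # $1=mode $2=policy
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux/targeted/policy"
    printf 'SELINUX=%s\nSELINUXTYPE=targeted\n' "$1" > "$root/etc/selinux/config"
    [ "$2" = yes ] && : > "$root/etc/selinux/targeted/policy/policy.24"
    echo "$root"
}

# Demo: the first root mirrors the broken AMI from this issue, the second a healthy one.
for r in "$(make_demo_root enforcing no)" "$(make_demo_root enforcing yes)"; do
    check_selinux_boot "$r"; rc=$?
    echo "$r: check_selinux_boot rc=$rc"
    rm -rf "$r"
done
```

On a live system run `check_selinux_boot /` before rebooting after the stig state; on a build host run it against the chroot and call `rerun_policy_postinstall` only when it returns 1 or 2.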

lorengordon commented 9 years ago

This issue seems to be fixed, so I'm closing it.