<html><head><style type="text/css"></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:8pt"><div> <meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8"> <title></title> <meta name="GENERATOR" content="OpenOffice.org 3.2 (Unix)"> <style type="text/css">  </style> While trying to deploy configuration files in a given channel via activation keys in a kickstart profile that has SELinux in either Permissive or Enforcing mode the config deployment task is showing as failed. If SELinux is set to Disabled in the kickstart profile and the SELinux context is wiped from the given file in the configuration channel then it gets deployed with no issues. In the simple example below I have /etc/httpd/conf/httpd.conf with the context system_u:object_r:httpd_config_t being pushed in a Web Servers profile that has SELinux set to Permissive. I'm wondering if at the point that it is doing the config deployment task, which is pre system reboot, if the SELinux context exist on the files within the install chroot or if the contexts get initialized post-reboot by maybe restorecond. If anyone has some insight into this issue it would be greatly appreciated. selinux --permissive) History: Deploy config files to system scheduled by userX 07/19/10 1:47:39 PM EDT Package Install scheduled by (none) 07/19/10 1:47:39 PM EDT Schedule a package sync for kickstarts scheduled by userX 07/19/10 1:47:31 PM EDT (n/a) Subscription via Token 07/19/10 1:47:29 PM EDT (n/a) subscribed to channel centos5-i386-rhntools 07/19/10 1:47:28 PM EDT (n/a) subscribed to channel centos5-i386-base 07/19/10 1:47:28 PM EDT (n/a) unsubscribed from channel centos5-i386-base 07/19/10 1:47:28 PM EDT (n/a) unsubscribed from channel centos5-i386-rhntools 07/19/10 1:47:28 PM EDT Deploy config files to system task detail: This action will be executed after 07/19/10 1:47:39 PM EDT. This action's status is: Failed. The client picked up this action on 07/19/10 1:47:39 PM EDT. The client completed this action on 07/19/10 1:47:40 PM EDT. Client execution returned "Failed deployment, rolled back: failed to set selinux context on /etc/httpd/conf/httpd.conf" (code 49) Config Files:/etc/httpd/conf/httpd.conf (rev. 6) /etc/sys_info (rev. 1) /root/.ssh (rev. 1) /root/.ssh/authorized_keys (rev. 1) # cat /var/log/audit/audit.log type=DAEMON_START msg=audit(1279561728.944:281): auditd start, ver=1.7.13 format=raw kernel=2.6.18-164.el5 auid=4294967295 pid=2398 subj=system_u:system_r:auditd_t:s0 res=success type=CONFIG_CHANGE msg=audit(1279561729.052:3): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1 type=CONFIG_CHANGE msg=audit(1279561729.075:4): audit_backlog_limit=320 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=USER_START msg=audit(1279561741.968:5): user pid=3014 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session open acct="nocpulse" : exe="/sbin/runuser" (hostname=?, addr=?, terminal=console res=success)' type=CRED_ACQ msg=audit(1279561741.969:6): user pid=3014 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct="nocpulse" : exe="/sbin/runuser" (hostname=?, addr=?, terminal=console res=success)' type=CRED_DISP msg=audit(1279561742.130:7): user pid=3014 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: setcred acct="nocpulse" : exe="/sbin/runuser" (hostname=?, addr=?, terminal=console res=success)' type=USER_END msg=audit(1279561742.130:8): user pid=3014 uid=0 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='PAM: session cl acct="nocpulse" : exe="/sbin/runuser" (hostname=?, addr=?, terminal=console res=success)' type=USER_ACCT msg=audit(1279561801.526:9): user pid=3115 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' type=CRED_ACQ msg=audit(1279561801.527:10): user pid=3115 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' type=LOGIN msg=audit(1279561801.527:11): login pid=3115 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1 type=USER_START msg=audit(1279561801.531:12): user pid=3115 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' type=CRED_DISP msg=audit(1279561801.554:13): user pid=3115 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' type=USER_END msg=audit(1279561801.554:14): user pid=3115 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session cl acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' type=USER_AUTH msg=audit(1279561829.203:15): user pid=3055 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_ACCT msg=audit(1279561829.203:16): user pid=3055 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=LOGIN msg=audit(1279561829.208:17): login pid=3055 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2 type=USER_ROLE_CHANGE msg=audit(1279561829.255:18): user pid=3055 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=root:system_r:unconfined_t:s0-s0:c0.c1023 selected-context=root:system_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_START msg=audit(1279561829.255:19): user pid=3055 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=CRED_ACQ msg=audit(1279561829.255:20): user pid=3055 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_LOGIN msg=audit(1279561829.256:21): user pid=3055 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)' type=USER_LOGIN msg=audit(1279562124.146:22): user pid=3174 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="root": exe="/usr/sbin/sshd" (hostname=?, addr=10.100.0.40, terminal=sshd res=failed)' type=USER_AUTH msg=audit(1279562125.551:23): user pid=3174 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="root" : exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40, terminal=ssh res=success)' type=USER_ACCT msg=audit(1279562125.579:24): user pid=3174 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40, terminal=ssh res=success)' type=CRED_ACQ msg=audit(1279562125.656:25): user pid=3174 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40, terminal=ssh res=success)' type=LOGIN msg=audit(1279562125.657:26): login pid=3174 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=3 type=USER_START msg=audit(1279562125.685:27): user pid=3174 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40, terminal=ssh res=success)' type=USER_LOGIN msg=audit(1279562125.716:28): user pid=3176 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='uid=0: exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40, terminal=/dev/pts/0 res=success)' type=CRED_REFR msg=audit(1279562125.745:29): user pid=3176 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/sshd" (hostname=spacewalk.lab.example.com, addr=10.100.0.40, terminal=ssh res=success)' Click the Reschedule button on the failed task: This action will be executed after 07/19/10 1:47:39 PM EDT. This action's status is: Completed. The client picked up this action on 07/19/10 1:56:02 PM EDT. The client completed this action on 07/19/10 1:56:02 PM EDT. Client execution returned "Files successfully deployed" (code 0) Config Files:/etc/httpd/conf/httpd.conf (rev. 6) /etc/sys_info (rev. 1) /root/.ssh (rev. 1) /root/.ssh/authorized_keys (rev. 1) selinux --disabled) History: Schedule a config deploy for activation key scheduled by (none) 07/19/10 2:18:09 PM EDT Deploy config files to system scheduled by (none) 07/19/10 2:18:09 PM EDT Deploy config files to system scheduled by userX 07/19/10 2:18:09 PM EDT Package Install scheduled by (none) 07/19/10 2:18:08 PM EDT Schedule a package sync for kickstarts scheduled by userX 07/19/10 2:18:00 PM EDT (n/a) Subscription via Token 07/19/10 2:17:58 PM EDT (n/a) subscribed to channel centos5-i386-rhntools 07/19/10 2:17:58 PM EDT (n/a) subscribed to channel centos5-i386-base 07/19/10 2:17:58 PM EDT (n/a) unsubscribed from channel centos5-i386-base 07/19/10 2:17:58 PM EDT (n/a) unsubscribed from channel centos5-i386-rhntools 07/19/10 2:17:58 PM EDT Deploy config files to system task detail: This action will be executed after 07/19/10 2:18:00 PM EDT. This action's status is: Completed. The client picked up this action on 07/19/10 2:18:09 PM EDT. The client completed this action on 07/19/10 2:18:09 PM EDT. Client execution returned "Files successfully deployed" (code 0) Config Files:/etc/httpd/conf/httpd.conf (rev. 7) /etc/sys_info (rev. 1) /root/.ssh (rev. 1) /root/.ssh/authorized_keys (rev. 1) Note: The difference in rev 6 vs rev 7 of httpd.conf was the SELinux context was removed within Spacewalk. --Matt </div> </div> </body></html>