Bug 1556787 - setsebool fails with "type conntrackd_var_run_t is not defined"
Status: CLOSED DUPLICATE of bug 1559174
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-03-15 09:22 UTC by Christian Heimes
Modified: 2018-03-24 20:22 UTC
Last Closed: 2018-03-24 20:22:44 UTC
Type: Bug

Description Christian Heimes 2018-03-15 09:22:28 UTC
Description of problem:
FreeIPA installer is having trouble because setsebool is failing to set SELinux booleans.

Version-Release number of selected component (if applicable):
policycoreutils-2.7-14.fc28.x86_64
selinux-policy-3.14.1-13.fc28.noarch

How reproducible:
always

Steps to Reproduce:
1. setsebool -P httpd_can_network_connect=on

Actual results:
# setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on httpd_run_ipa=on httpd_dbus_sssd=on
libsepol.context_from_record: type conntrackd_var_run_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:conntrackd_var_run_t:s0 to sid
invalid context system_u:object_r:conntrackd_var_run_t:s0

Expected results:
No error

Additional info:
Related FreeIPA upstream bug: https://pagure.io/freeipa/issue/7448

Comment 1 Petr Lautrbach 2018-03-15 10:40:14 UTC
Both setsebool and dnf install freeipa-server work for me on an updated Fedora-Cloud-Base-28-20180310 image.

Lukas, any idea?

Comment 2 Christian Heimes 2018-03-15 10:59:03 UTC
I forgot to mention that the machine has been upgraded from F27 to F28.

The FreeIPA error occurs during ipa-server-install with the latest build from git master. Fedora 28 has freeipa-server 4.6.3, which is broken.

According to seinfo, the type is available:

# seinfo -t | grep conntrackd_var_run_t
   conntrackd_var_run_t

Despite the error, setsebool seems to flip the switches just fine:

# getsebool httpd_can_network_connect
httpd_can_network_connect --> off
# setsebool -P httpd_can_network_connect=on
libsepol.context_from_record: type conntrackd_var_run_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:conntrackd_var_run_t:s0 to sid
invalid context system_u:object_r:conntrackd_var_run_t:s0
# getsebool httpd_can_network_connect
httpd_can_network_connect --> on

Comment 4 Daniel Walsh 2018-03-18 11:58:52 UTC
I would figure it is no longer available in your image store, so it cannot be recompiled.

Comment 5 Lukas Vrabec 2018-03-23 12:30:09 UTC
Christian, 

Moving this ticket to POST state; we have more issues with upgrading from F27 to F28. It should be in updates-testing repos for both F27 and F28 soon.

Comment 6 Lukas Vrabec 2018-03-24 20:22:44 UTC

*** This bug has been marked as a duplicate of bug 1559174 ***

