updatecenter2
  1. updatecenter2
  2. UPDATECENTER2-1211

pkg(5) will not run on SELinux in enforcing mode

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: B24
    • Fix Version/s: B42
    • Component/s: ipsenhancement
    • Labels:
      None
    • Environment:

      Operating System: Linux
      Platform: Sun/x86

      Description

      I downloaded B24 (Universal zip) on Linux 5.0 32 bit. I installed the updatetool
      running the bootstrapper.

      [root@or112 pkg-toolkit]# ls
      bin pkg
      [root@or112 pkg-toolkit]# /jdk1.6/jdk1.6.0_10/bin/java -jar
      pkg/lib/pkg-bootstrap.jar /prop.txt
      Proxy: http://webcache.sfbay.sun.com:8080
      Install image: /B24/pkg-toolkit
      Installing pkg packages.
      Installing updatetool packages.
      Initialization complete.
      [root@or112 pkg-toolkit]# cd bin/
      [root@or112 bin]# ./updatetool
      IPS pkg command is not installed. Please make sure that the client libraries are
      on the PYTHONPATH before executing.
      The following can be reported to Update Tool 2.2.0 Development Team
      <dev@updatecenter.dev.java.net>.

      Traceback (innermost last):
      File "/B24/pkg-toolkit/updatetool/vendor-packages/updatetool/common/boot.py",
      line 280, in check_ips
      import common.ips
      File "/B24/pkg-toolkit/updatetool/vendor-packages/updatetool/common/ips.py",
      line 52, in ?
      import pkg.client.image as pkgimage
      File "/B24/pkg-toolkit/pkg/vendor-packages/pkg/client/image.py", line 40, in ?
      import OpenSSL.crypto as osc
      File "/B24/pkg-toolkit/pkg/vendor-packages/OpenSSL/_init_.py", line 11, in ?
      import rand, crypto, SSL, tsafe
      ImportError: /B24/pkg-toolkit/pkg/vendor-packages/OpenSSL/crypto.so: cannot
      restore segment prot after reloc: Permission denied

      [root@or112 bin]#

      [root@or112 bin]# ./pkg
      Traceback (most recent call last):
      File "/B24/pkg-toolkit/pkg/bin/client.py", line 60, in ?
      import OpenSSL.crypto
      File "/B24/pkg-toolkit/pkg/vendor-packages/OpenSSL/_init_.py", line 11, in ?
      import rand, crypto, SSL, tsafe
      ImportError: /B24/pkg-toolkit/pkg/vendor-packages/OpenSSL/crypto.so: cannot
      restore segment prot after reloc: Permission denied
      [root@or112 bin]#

        Issue Links

          Activity

          Hide
          Tom Mueller added a comment -

          Fixed in revision 2547.

          Show
          Tom Mueller added a comment - Fixed in revision 2547.
          Hide
          lalithasaroja added a comment -

          Verified on Linux RH Linux 5.1 using B38b where the SELinux is disabled and the
          updatetool installed successfully

          [root@or161 pkg-toolkit]# /usr/sbin/setenforce 1
          /usr/sbin/setenforce: SELinux is disabled
          [root@or161 pkg-toolkit]# ls
          README.txt bin pkg
          [root@or161 pkg-toolkit]# cd bin/
          [root@or161 bin]# ./pkg

          The software needed for this command (pkg) is not installed.

          When this tool interacts with package repositories, some system information
          such as your system's IP address and operating system type and version
          is sent to the repository server. For more information please see:

          http://wiki.updatecenter.java.net/Wiki.jsp?page=UsageMetricsUC2

          Once installation is complete you may re-run this command.

          Would you like to install this software now (y/n): y

          Proxy: Using system proxy settings.
          Install image: /B38b/pkg-toolkit
          Installing pkg packages.
          Initialization complete.

          Software successfully installed. You may now re-run this command (pkg).
          [root@or161 bin]# ./pkg install updatetool
          DOWNLOAD PKGS FILES XFER (MB)
          Completed 2/2 899/899 9.0/9.0

          PHASE ACTIONS
          Install Phase 1045/1045
          [root@or161 bin]# ./pkg list -v
          FMRI STATE UFIX
          pkg:/pkg@1.122.2,0-38.2770:20100414T220331Z installed ----
          pkg:/pkg-extra-tools@0.2.0,0-38.2770:20100414T215223Z installed ----
          pkg:/pkg-java@1.122,0-38.2770:20100414T215224Z installed ----
          pkg:/pkg-toolkit-incorporation@2.3.2,0-38.2770:20100414T215225Z installed ----
          pkg:/python2.4-minimal@2.4.6.0,0-38.2770:20100414T220352Z installed ----
          pkg:/updatetool@2.3.2,0-38.2770:20100414T220413Z installed ----
          pkg:/wxpython2.8-minimal@2.8.10.1,0-38.2770:20100414T220430Z installed ----
          [root@or161 bin]#

          Marking this as Verified

          Show
          lalithasaroja added a comment - Verified on Linux RH Linux 5.1 using B38b where the SELinux is disabled and the updatetool installed successfully [root@or161 pkg-toolkit] # /usr/sbin/setenforce 1 /usr/sbin/setenforce: SELinux is disabled [root@or161 pkg-toolkit] # ls README.txt bin pkg [root@or161 pkg-toolkit] # cd bin/ [root@or161 bin] # ./pkg The software needed for this command (pkg) is not installed. When this tool interacts with package repositories, some system information such as your system's IP address and operating system type and version is sent to the repository server. For more information please see: http://wiki.updatecenter.java.net/Wiki.jsp?page=UsageMetricsUC2 Once installation is complete you may re-run this command. Would you like to install this software now (y/n): y Proxy: Using system proxy settings. Install image: /B38b/pkg-toolkit Installing pkg packages. Initialization complete. Software successfully installed. You may now re-run this command (pkg). [root@or161 bin] # ./pkg install updatetool DOWNLOAD PKGS FILES XFER (MB) Completed 2/2 899/899 9.0/9.0 PHASE ACTIONS Install Phase 1045/1045 [root@or161 bin] # ./pkg list -v FMRI STATE UFIX pkg:/pkg@1.122.2,0-38.2770:20100414T220331Z installed ---- pkg:/pkg-extra-tools@0.2.0,0-38.2770:20100414T215223Z installed ---- pkg:/pkg-java@1.122,0-38.2770:20100414T215224Z installed ---- pkg:/pkg-toolkit-incorporation@2.3.2,0-38.2770:20100414T215225Z installed ---- pkg:/python2.4-minimal@2.4.6.0,0-38.2770:20100414T220352Z installed ---- pkg:/updatetool@2.3.2,0-38.2770:20100414T220413Z installed ---- pkg:/wxpython2.8-minimal@2.8.10.1,0-38.2770:20100414T220430Z installed ---- [root@or161 bin] # Marking this as Verified
          Hide
          nouar38 added a comment -

          I'm reopening the issue as the Fix is not correctly verified, and after will put
          back the status as RESOLVE
          Need to verify in B42 (2.4).

          No back port happened in 2.3u2 B38c branch. So should be released noted in 23u2.
          I was able to reproduce in level 38.2791 on Oracle Enterprise Linux Server 5.4
          64 bits.

          The setenforce 1 (or Enforcing) command is buggy, it does not have any effect.

          [root@grenache-20-vm04 ~]# uname -a
          Linux grenache-20-vm04 2.6.18-164.el5 #1 SMP Thu Sep 3 04:15:13 EDT 2009 x86_64
          x86_64 x86_64 GNU/Linux

          [root@grenache-20-vm04 ~]# man setenforce
          [root@grenache-20-vm04 ~]# getenforce
          Disabled
          [root@grenache-20-vm04 ~]# setenforce 1
          setenforce: SELinux is disabled

          root@grenache-20-vm04 ~]# getenforce
          Disabled

          [root@grenache-20-vm04 ~]# ls -al /etc/selinux
          total 84
          drwxr-xr-x 6 root root 4096 Apr 9 12:49 .
          drwxr-xr-x 142 root root 12288 May 16 04:02 ..
          rw-rr- 1 root root 447 Apr 9 12:49 config
          rw-rr- 1 root root 447 Apr 9 12:18 config.orig
          drwxr-xr-x 5 root root 4096 Apr 9 11:50 minimum
          drwxr-xr-x 5 root root 4096 Apr 9 11:50 mls
          rw------ 1 root root 234 Sep 4 2009 restorecond.conf
          rw-rr- 1 root root 1752 Sep 3 2009 semanage.conf
          drwxr-xr-x 5 root root 4096 Apr 9 11:50 strict
          drwxr-xr-x 5 root root 4096 Apr 9 11:49 targeted

          In config file:

          1. This file controls the state of SELinux on the system.
          2. SELINUX= can take one of these three values:
          3. enforcing - SELinux security policy is enforced.
          4. permissive - SELinux prints warnings instead of enforcing.
          5. disabled - SELinux is fully disabled.
            SELINUX=disabled
          6. SELINUXTYPE= type of policy in use. Possible values are:
          7. targeted - Only targeted network daemons are protected.
          8. strict - Full SELinux protection.
            SELINUXTYPE=targeted

          I changed to enforcing and rebooted the host:

          ===>>>> After reboot =======>>>>>
          In the console :
          Warning – SELinux targeted ploicy relabel is required.
          Relabeling could take a very long time, depending on file
          system size and speed of hard drive.
          /sbin/setfiles: labeling file under /

          .. and after a second reboot happened.
          ... etc.

          [root@grenache-20-vm04 ~]# getenforce
          Enforcing

          [root@grenache-20-vm04 UC23U2-B38C]#
          wget
          http://download.java.net/updatecenter2/promoted/B38c/pkg-toolkit-2.3-b38-linux-i386.zip

          [root@grenache-20-vm04 pkg-toolkit-linux-i386]# pwd
          /UC23U2-B38C/pkg-toolkit-linux-i386

          1. bin/pkg list
            Traceback (most recent call last):
            File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/bin/client.py", line 61, in ?
            import pkg.actions as actions
            File
            "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/actions/_init_.py",
            line 59, in ?
            globals(), locals(), [modname])
            File
            "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/actions/attribute.py",
            line 34, in ?
            import generic
            File
            "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/actions/generic.py", line
            45, in ?
            import pkg.variant as variant
            File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/variant.py",
            line 28, in ?
            from pkg.misc import EmptyI
            File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/misc.py",
            line 32, in ?
            import OpenSSL.crypto as osc
            File
            "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/OpenSSL/_init_.py",
            line 11, in ?
            import rand, crypto, SSL, tsafe
            ImportError:
            /UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/OpenSSL/crypto.so:
            cannot restore segment prot after reloc: Permission denied
          Show
          nouar38 added a comment - I'm reopening the issue as the Fix is not correctly verified, and after will put back the status as RESOLVE Need to verify in B42 (2.4). No back port happened in 2.3u2 B38c branch. So should be released noted in 23u2. I was able to reproduce in level 38.2791 on Oracle Enterprise Linux Server 5.4 64 bits. The setenforce 1 (or Enforcing) command is buggy, it does not have any effect. [root@grenache-20-vm04 ~] # uname -a Linux grenache-20-vm04 2.6.18-164.el5 #1 SMP Thu Sep 3 04:15:13 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux [root@grenache-20-vm04 ~] # man setenforce [root@grenache-20-vm04 ~] # getenforce Disabled [root@grenache-20-vm04 ~] # setenforce 1 setenforce: SELinux is disabled root@grenache-20-vm04 ~]# getenforce Disabled [root@grenache-20-vm04 ~] # ls -al /etc/selinux total 84 drwxr-xr-x 6 root root 4096 Apr 9 12:49 . drwxr-xr-x 142 root root 12288 May 16 04:02 .. rw-r r - 1 root root 447 Apr 9 12:49 config rw-r r - 1 root root 447 Apr 9 12:18 config.orig drwxr-xr-x 5 root root 4096 Apr 9 11:50 minimum drwxr-xr-x 5 root root 4096 Apr 9 11:50 mls rw ------ 1 root root 234 Sep 4 2009 restorecond.conf rw-r r - 1 root root 1752 Sep 3 2009 semanage.conf drwxr-xr-x 5 root root 4096 Apr 9 11:50 strict drwxr-xr-x 5 root root 4096 Apr 9 11:49 targeted In config file: This file controls the state of SELinux on the system. SELINUX= can take one of these three values: enforcing - SELinux security policy is enforced. permissive - SELinux prints warnings instead of enforcing. disabled - SELinux is fully disabled. SELINUX=disabled SELINUXTYPE= type of policy in use. Possible values are: targeted - Only targeted network daemons are protected. strict - Full SELinux protection. SELINUXTYPE=targeted I changed to enforcing and rebooted the host: ===>>>> After reboot =======>>>>> In the console : Warning – SELinux targeted ploicy relabel is required. Relabeling could take a very long time, depending on file system size and speed of hard drive. /sbin/setfiles: labeling file under / .. and after a second reboot happened. ... etc. [root@grenache-20-vm04 ~] # getenforce Enforcing [root@grenache-20-vm04 UC23U2-B38C] # wget http://download.java.net/updatecenter2/promoted/B38c/pkg-toolkit-2.3-b38-linux-i386.zip [root@grenache-20-vm04 pkg-toolkit-linux-i386] # pwd /UC23U2-B38C/pkg-toolkit-linux-i386 bin/pkg list Traceback (most recent call last): File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/bin/client.py", line 61, in ? import pkg.actions as actions File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/actions/_ init _.py", line 59, in ? globals(), locals(), [modname] ) File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/actions/attribute.py", line 34, in ? import generic File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/actions/generic.py", line 45, in ? import pkg.variant as variant File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/variant.py", line 28, in ? from pkg.misc import EmptyI File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/pkg/misc.py", line 32, in ? import OpenSSL.crypto as osc File "/UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/OpenSSL/_ init _.py", line 11, in ? import rand, crypto, SSL, tsafe ImportError: /UC23U2-B38C/pkg-toolkit-linux-i386/pkg/vendor-packages/OpenSSL/crypto.so: cannot restore segment prot after reloc: Permission denied
          Hide
          nouar38 added a comment -

          Put back the state as FIXED in 2.4 as Tom did.

          Show
          nouar38 added a comment - Put back the state as FIXED in 2.4 as Tom did.
          Hide
          nouar38 added a comment -

          mkdir /UC24B42/
          [root@grenache-20-vm04 /UC24B42]# wget
          http://download.java.net/updatecenter2/promoted/B42/pkg-toolkit-2.4-b42-linux-i386.zip

          [root@grenache-20-vm04 pkg-toolkit-linux-i386]# bin/pkg list
          NAME (PUBLISHER) VERSION STATE UFIX
          pkg 1.122.2-42.2568 installed ----
          pkg-extra-tools 0.2.0-42.2568 installed ----
          pkg-java 1.122-42.2568 installed ----
          pkg-java-docs 1.122-42.2568 installed ----
          pkg-toolkit-incorporation 2.4.0-42.2568 installed ----
          python2.4-minimal 2.4.4.0-42.2568 installed ----

          [root@grenache-20-vm04 pkg-toolkit-linux-i386]#

          Show
          nouar38 added a comment - mkdir /UC24B42/ [root@grenache-20-vm04 /UC24B42] # wget http://download.java.net/updatecenter2/promoted/B42/pkg-toolkit-2.4-b42-linux-i386.zip [root@grenache-20-vm04 pkg-toolkit-linux-i386] # bin/pkg list NAME (PUBLISHER) VERSION STATE UFIX pkg 1.122.2-42.2568 installed ---- pkg-extra-tools 0.2.0-42.2568 installed ---- pkg-java 1.122-42.2568 installed ---- pkg-java-docs 1.122-42.2568 installed ---- pkg-toolkit-incorporation 2.4.0-42.2568 installed ---- python2.4-minimal 2.4.4.0-42.2568 installed ---- [root@grenache-20-vm04 pkg-toolkit-linux-i386] #

            People

            • Assignee:
              Tom Mueller
              Reporter:
              lalithasaroja
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: