SELinux policy is not updated

[uweiss]

Plesk 11.5.30 Update #32, CentOS 6.5, x86_64

Today i deployed an additional SELinux module to all our CentOS 6.5 machines by Puppet to fix a small problem with our monitoring agent. All machines worked fine, except all Plesk machines.

So i tried to updated selinux-policy and selinux-policy-targeted packages first. I received the following errors :

libsemanage.semanage_direct_commit: WARNING: genhomedircon is disabled.
See /etc/selinux/semanage.conf if you need to enable it.


/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/qmail/queue(/.*)?  (system_u:object_r:qmail_spool_t:s0 and system_u:object_r:mail_spool_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/qmail/control(/.*)?  (system_u:object_r:qmail_etc_t:s0 and system_u:object_r:etc_mail_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/qmail/bin/tcp-env  (system_u:object_r:qmail_tcp_env_exec_t:s0 and system_u:object_r:sendmail_exec_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/qmail/bin/qmail-smtpd  (system_u:object_r:qmail_smtpd_exec_t:s0 and system_u:object_r:sendmail_exec_t:s0).

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.

semodule:  Failed!

This was already mentioned in another forum post. There the result was that these errors do not affect other policies. But they do. Not one policy was updated. I compared it with another machine which works fine:

The *.pp.bz2 files are from the same date and time (Mar 25 11:38) on both machines (these are the files the packages installs, so, not surprising)

But if i look into "/etc/selinux/targeted/modules/active/modules/" (the folder where the active policy files are located), the files in there should have the time when the package was installed. In my case "Apr 4 10:34". But on the Plesk machines they still have the old date after the update of the SElinux packages (Mar 14 13:58, last time the packages were updated i guess). So, they where not updated at all.


Any ideas how to fix that?

Thanks
Urs

 

[Nikolay.]

If you deploy your own SELinux modules you should probably be able to figure out on your own where the following errors come from:

/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.

semodule: Failed!

Other warning are in fact due to Plesk policy, but they are harmless.

 

[uweiss]

Unfortunately i can't install my own module because for that to work i need the most current policy from the system, which fails because of these errors. The problem has to come from Plesk because dozens of other CentOS installations just update fine, only our three Plesk servers all have the same problem.

 

[uweiss]

Oh, and btw. The policies do not update anymore since i have updated Plesk the last time...

 

[Nikolay.]

Either rewrite your module so that current policy is OK for it too, or try following: deinstall Plesk policy, update system packages, install Plesk policy back. No guarantees it will help though.

I would normally suggest looking through the logs and/or debugging, but I expect you know this stuff and already tried it.

 

[uweiss]

Very good idea!

i disabled the module, that was enough:

setenforce 0
semodule -d plesk
yum downgrade selinux-policy selinux-policy-targeted
yum update selinux-policy selinux-policy-targeted
semodule -e plesk
sentenforce 1

Downgrade and update because i didn't knew how to rebuild the modules as it is done after installing the rpms.

And now, my module works too. Doesn't fixes the main problem, but OK. If i find anything else i will post it.

Thank you very much.
Urs

 

[uweiss]

Oh, the plesk module could not be enabled after updating the policy because of the errors...

# semodule -v -e plesk
Attempting to enable module 'plesk':
Ok: return value of 0.
Committing changes:
libsemanage.semanage_direct_commit: WARNING: genhomedircon is disabled.                                See /etc/selinux/semanage.conf if you need to enable it.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/qmail/queue(/.*)?  (system_u:object_r:qmail_spool_t:s0 and system_u:object_r:mail_spool_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/qmail/control(/.*)?  (system_u:object_r:qmail_etc_t:s0 and system_u:object_r:etc_mail_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/qmail/bin/tcp-env  (system_u:object_r:qmail_tcp_env_exec_t:s0 and system_u:object_r:sendmail_exec_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/qmail/bin/qmail-smtpd  (system_u:object_r:qmail_smtpd_exec_t:s0 and system_u:object_r:sendmail_exec_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

Stays disabled:

# semodule -l | grep plesk
plesk	11.5.30	Disabled

 

[uweiss]

Is the plesk.te file available somewhere?

 

[uweiss]

OK, I'm a bit closer to a solution now.

Thought qmail.pp was disabled already before, but it wasn't. So i disabled it and then could load the plesk module without errors. Don't use qmail anyway (Postfix FTW!) ;-D

Doesn't looks too bad now. Had to add some SELinux rules to prevent some other errors, but Parallels SELinux policy never was complete anyway.