I followed the instructions for a kickstart install of CLIP 3.1.1 on a CentOS 5.3 VM running on XenServer 5.0.0-13192p. After the reboot and relabel, I noticed the network was not up, plus other SELinux-related errors that would all go away with "setenforce 0".
Installation steps:
My kickstart differed from the svn clip.ks only in trivial ways (Cobbler-based PXE boot vs. cdrom, the Xen install didn't allow chvt, different password):
[root@cobbler kickstart]# diff clip.ks clip.ks.orig
77c77
< #cdrom
---
> cdrom
89d88
< url --url=http://192.168.1.32:80/cblr/links/CentOS-5.3-xen-x86_64
150,151c149
< #rootpw 123)(*qweASD
< rootpw MYPASSWORD
---
> rootpw 123)(*qweASD
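Review bot: the rootpw line at 150,151 puts the root password in the kickstart in plaintext, and the original default "123)(*qweASD" is kept right above it as a comment, so a known default password stays in the file. Kickstart accepts a pre-hashed value with `rootpw --iscrypted <hash>`; generate the hash outside the file and use that form, and drop the commented-out default rather than leaving it in place.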
367,374c365,372
< #chvt 3
< #clear
< #echo "Please choose a root password"
< #passwd root
< #echo "Please choose a password for clipuser"
< #passwd clipuser
< #clear
< #chvt 7
---
> chvt 3
> clear
> echo "Please choose a root password"
> passwd root
> echo "Please choose a password for clipuser"
> passwd clipuser
> clear
> chvt 7
376c374
< #eject
---
> eject
I followed the instructions in Installing the CLIP 3.1.1 RHEL 5.3 Base System: kickstart install, reboot, log in as root and run:
passwd clipuser
rpm -ivh --force clip-3.1-1.x86_64.rpm
genhomedircon
touch /.autorelabel
reboot
Errors noted after reboot
Logging in as clipuser gave this error:
localhost login: clipuser
Password:
Last login: Sun Aug 30 21:17:57 on xvc0
No directory /home/clipuser!
Logging in with home = "/".
[clipuser@localhost /]$ su - root
Password:
su: warning: cannot change directory to /root: Permission denied
[root@localhost /]# ls -ldZ /home/clipuser /root
drwx------ clipuser clipuser system_u:object_r:default_t:s0 /home/clipuser
drwx------ root root system_u:object_r:default_t:s0 /root
[root@localhost /]# cd /root
[root@localhost ~]# ifconfig
[root@localhost ~]# # Hmmm - no network, plus cannot manipulate system services
[root@localhost ~]# service network status
network: unrecognized service
[root@localhost ~]# setenforce 0
[root@localhost ~]# service network status
Configured devices:
lo eth0
Currently active devices:
[root@localhost ~]# setenforce 1
[root@localhost ~]#
So I started collecting some information:
[root@puppet-client ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: clip
Process contexts:
Current context: root:sysadm_r:sysadm_t:s0-s0:c0.c255
Init context: system_u:system_r:init_t:s0
File contexts:
Controlling term: root:object_r:sysadm_tty_device_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:init_exec_t:s0
/sbin/mingetty system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
I also piped "ausearch -m AVC ... | audit2allow ..." and the gist of the allows was:
allow cupsd_t default_context_t:dir search;
allow cupsd_t hosts_conf_t:file read;
allow cupsd_t self:process setfscreate;
allow initrc_t network_conf_t:file read;
allow local_login_t default_t:dir search;
allow sendmail_t hosts_conf_t:file read;
allow sendmail_t lo_node_t:tcp_socket node_bind;
allow sendmail_t sysctl_t:file read;
allow sshd_t sysctl_t:file read;
allow sshd_t unspec_node_t:tcp_socket node_bind;
allow sysadm_su_t default_t:dir search;
allow sysadm_t self:netlink_audit_socket create;
allow syslogd_t hosts_conf_t:file read;
If you need more information I'd be happy to provide it.
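The post above shows /root and /home/clipuser labeled default_t and an audit2allow summary that includes `default_t:dir search` rules next to ordinary ones. As an added example (not from the post, the CLIP project or audit2allow itself), the script below parses AVC records in the RHEL 5 auditd format, merges them into audit2allow-style allow rules, and separates the denials whose target type is default_t or unlabeled_t, since those mean the object matched no file_contexts entry and want a relabel rather than a new allow rule. The audit lines are constructed to mirror the types in the post; the pids, inodes and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample of RHEL 5 auditd AVC records (not taken from the post); the
# source/target types mirror the allow rules audit2allow produced in the post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1251666000.101:201): avc:  denied  { search } for  pid=1803 comm="login" name="clipuser" dev=xvda1 ino=393217 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1251666001.202:202): avc:  denied  { search } for  pid=1911 comm="su" name="root" dev=xvda1 ino=131073 scontext=root:sysadm_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1251666002.303:203): avc:  denied  { read } for  pid=1450 comm="network" name="network" dev=xvda1 ino=262145 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:network_conf_t:s0 tclass=file
type=AVC msg=audit(1251666003.404:204): avc:  denied  { node_bind } for  pid=1602 comm="sshd" saddr=0.0.0.0 src=22 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unspec_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1251666004.505:205): avc:  denied  { read } for  pid=1602 comm="sshd" name="somaxconn" dev=proc ino=6211 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file
type=AVC msg=audit(1251666004.606:206): avc:  denied  { read } for  pid=1602 comm="sshd" name="somaxconn" dev=proc ino=6211 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file
type=AVC msg=audit(1251666005.707:207): avc:  denied  { getattr read } for  pid=1377 comm="syslogd" name="hosts" dev=xvda1 ino=196611 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hosts_conf_t:s0 tclass=file
type=AVC msg=audit(1251666006.808:208): avc:  denied  { create } for  pid=2044 comm="auditctl" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c255 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c255 tclass=netlink_audit_socket
"""

# One AVC record per line: the permission set in braces, then the source and
# target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types that mean the object never received a proper label; a denial
# against them is fixed by relabeling, not by adding an allow rule.
LABELING_TYPES = {"default_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type field (third component) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into its perms/source type/target type/class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(log_text):
    """Merge denials into (stype, ttype, tclass) -> set(perms), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return rules


def format_rule(stype, ttype, tclass, perms):
    """Render one rule in policy syntax, using 'self' when source and target types match."""
    target = "self" if stype == ttype else ttype
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def split_rules(log_text):
    """Return (policy_gaps, labeling_problems), each a sorted list of allow rules."""
    policy, labeling = [], []
    for (stype, ttype, tclass), perms in collect_rules(log_text).items():
        rule = format_rule(stype, ttype, tclass, perms)
        (labeling if ttype in LABELING_TYPES else policy).append(rule)
    return sorted(policy), sorted(labeling)


if __name__ == "__main__":
    policy, labeling = split_rules(SAMPLE_AUDIT_LOG)
    print("# Denials that look like real policy gaps:")
    print("\n".join(policy))
    print("# Denials against default_t: fix the labels (restorecon / relabel) instead:")
    print("\n".join(labeling))
```

Feed it real records with `ausearch -m AVC` piped in instead of the constructed sample; the point of the split is that the two `default_t:dir search` rules in the post describe /root and /home/clipuser having no proper label, which an allow rule would paper over rather than fix.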