xpra icon
Bug tracker and wiki

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#399 closed defect (wontfix)

CentOS 6.3 package install error: "can't apply partial context to unlabeled file"

Reported by: Mark Hills Owned by: Mark Hills
Priority: minor Milestone:
Component: packaging Version: 0.9.x
Keywords: rpm Cc:

Description (last modified by Antoine Martin)

The following error when installing the CentOS 6.3 package.

  • 0.9.x affected
  • 0.8.8 not affected

The message varies slightly in newer 0.9.x packages.

Note that my test is on Scientific Linux 6.3 (a clone of RedHat 6.3 and CentOS 6.3).
I tested multiple machines with the same result. I'm afraid I don't have an actual CentOS 6.3 available to test.

The same error happens on upgrade, as well as install (below)

After install, things seem to be working ok, but presumably this is a bug.

---

$ sudo rpm -ivh xpra-0.9.8-1.el6_3.x86_64.rpm
warning: xpra-0.9.8-1.el6_3.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f18ad6bb: NOKEY
Preparing...                ########################################### [100%]
   1:xpra                   ########################################### [100%]
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/vpx/codec.so'
/var/tmp/rpm-tmp.UmKUdN: line 4: fg: no job control
/var/tmp/rpm-tmp.UmKUdN: line 5: fg: no job control
warning: %post(xpra-0.9.8-1.el6_3.x86_64) scriptlet failed, exit status 1

---

$ rpm -qf /usr/lib/python2.6/site-packages/xpra/x264/codec.so
xpra-0.9.8-1.el6_3.x86_64

---

$ sudo rpm -e xpra
$ sudo rpm -ivh xpra-0.9.0-25.el6.x86_64.rpm 
warning: xpra-0.9.0-25.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f18ad6bb: NOKEY
Preparing...                ########################################### [100%]
   1:xpra                   ########################################### [100%]
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/vpx/codec.so'
warning: %post(xpra-0.9.0-25.el6.x86_64) scriptlet failed, exit status 1

---

$ sudo rpm -e xpra
$ sudo rpm -ivh xpra-0.8.8-1.el6.x86_64.rpm
warning: xpra-0.8.8-1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f18ad6bb: NOKEY
Preparing...                ########################################### [100%]
   1:xpra                   ########################################### [100%]

---

$ cat /etc/redhat-release
Scientific Linux release 6.3 (Carbon)

Change History (7)

comment:1 Changed 6 years ago by Antoine Martin

Description: modified (diff)
Owner: changed from Antoine Martin to Mark Hills

The chcon warnings are related to SELinux:

chcon -t texrel_shlib_t %{python_sitelib}/xpra/x264/codec.so
chcon -t texrel_shlib_t %{python_sitelib}/xpra/vpx/codec.so

Can you please try running these two commands to see what the exact problem is?
I've just tried it on CentOS 6.4 and didn't get any such errors during installation.
(you will need to replace python_sitelib with your arch specific location)


The other two come from these two lines in the spec file:

update-desktop-database &> /dev/null || :
touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :

No idea why that causes problems, those were suggested as being required for proper packaging (see Packaging Scriptlet Snippets)...
But since I was getting those same errors on CentOS 6.4, I have now removed this crap from the non-Fedora packaging as of r4039.
(this will be part of 0.10.0 - I may backport if there is another 0.9.x release)

comment:2 Changed 6 years ago by Mark Hills

Thanks. Not having much luck, I know little about SELinux. But I did try and use the 'full' context name and that did not help. I cannot find a way to, maybe, 'label' the file(?)

Here are all my attempts below.


$ sudo chcon -v -t texrel_shlib_t /usr/lib/python2.6/site-packages/xpra/x264/codec.so
changing security context of `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'

$ ls -l /usr/lib/python2.6/site-packages/xpra/x264/codec.so
-rwxr-xr-x 1 root root 12469260 Jul 29 12:07 /usr/lib/python2.6/site-packages/xpra/x264/codec.so

$ ls -Z /usr/lib/python2.6/site-packages/xpra/x264/codec.so
-rwxr-xr-x root root ?                                /usr/lib/python2.6/site-packages/xpra/x264/codec.so

$ file /usr/lib/python2.6/site-packages/xpra/x264/codec.so
/usr/lib/python2.6/site-packages/xpra/x264/codec.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped

$ sudo chcon -v -t system_u:object_r:texrel_shlib_t /usr/lib/python2.6/site-packages/xpra/x264/codec.so
changing security context of `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
Last edited 6 years ago by Antoine Martin (previous) (diff)

comment:3 Changed 6 years ago by Antoine Martin

Are you even running with SELinux enabled and with a labelled filesystem?

From what I am reading, you are probably not and that is why the label cannot be set.

comment:4 Changed 6 years ago by Mark Hills

You're right, SELinux has not been enabled. Sorry, that would have been a key piece of information.

Tho I've not seen this error from any other RPM, or other .so files. Presumable if xpra is special it needs to handle this in some way.
(eg. set the attribute on the RPM file rather than script the action afterwards? Just a guess, I am not familiar with SELinux.

This has already been reported on the mailing list, with a bit more info (no replies)

http://lists.devloop.org.uk/pipermail/shifter-users/2013-April/000482.html

comment:5 Changed 6 years ago by Antoine Martin

Resolution: wontfix
Status: newclosed

Actually I found the same answer in that thread:

Can you update the script to take into account
the case where SELinux is diasabled and files don't have any security
context assigned to them?

I'm not sure how, or if it is even worth doing.

Thank you, I'm relieved. If this is the only task that the script
handles, then it wouldn't be worth the effort to go check for SELinux.



I guess we could add 2>/dev/null to ignore errors, but I'm not keen on it at all: those that have SELinux enabled should see the errors, if any, and those that have disabled SELinux... should remember they have.

Last edited 6 years ago by Antoine Martin (previous) (diff)

comment:6 Changed 6 years ago by Mark Hills

I'm not keen on 2>/dev/null either, that's a hack, agreed.

I guess I'm just confused for never seeing this error before on any other package.

So I suppose it should just do what the other packages do. If they error in the same way then it's fine. I'm afraid I'm out of time to look for this myself.

I assume xpra is explicitly doing something specialist with SELinux.

comment:7 Changed 6 years ago by Antoine Martin

I assume xpra is explicitly doing something specialist with SELinux.


We are: the x264 and vpx libraries in versions of CentOS (and clones) older than 6.4 are either not available or just too old to work, so we ship a statically linked codec - which requires special labelling to work with SELinux.
Easiest fix is to upgrade to 6.4 - another reason why we are unlikely to change anything.

Note: See TracTickets for help on using tickets.