Paul Howarth wrote:

Daniel J Walsh wrote:
> Remove multiple from pam_selinux line in /etc/pam.d/su or better yet use runuser.
>
> Paul Howarth wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> I have no idea why this would happen then. And I am not sure I believe them when they say that if SELinux was disabled this would work differently, unless there is a kernel bug. You are not seeing avc messages, correct?
>>>>>>
>>>>>> Paul Howarth wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> Paul Howarth wrote:
>>>>>>>>> I use mock to build packages for old distributions in a chroot-ed environment on my FC5 box. I've pretty well got this working for all old distributions now apart from FC2 (see http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the process gets off to quite a good start, installing the following packages into the chroot:
>>>>>>>>>
>>>>>>>>> =============================================================================
>>>>>>>>>  Package            Arch    Version            Repository        Size
>>>>>>>>> =============================================================================
>>>>>>>>> Installing:
>>>>>>>>>  buildsys-build     noarch  0.5-1.CF.fc2       groups            1.8 k
>>>>>>>>> Installing for dependencies:
>>>>>>>>>  SysVinit           i386    2.85-25            core               96 k
>>>>>>>>>  basesystem         noarch  8.0-3              core              2.7 k
>>>>>>>>>  bash               i386    2.05b-38           core              1.5 M
>>>>>>>>>  beecrypt           i386    3.1.0-3            core               64 k
>>>>>>>>>  binutils           i386    2.15.90.0.3-5      core              2.8 M
>>>>>>>>>  buildsys-macros    noarch  2-2.fc2            groups            2.1 k
>>>>>>>>>  bzip2              i386    1.0.2-12.1         core               48 k
>>>>>>>>>  bzip2-libs         i386    1.0.2-12.1         core               32 k
>>>>>>>>>  chkconfig          i386    1.3.9-1.1          core               99 k
>>>>>>>>>  coreutils          i386    5.2.1-7            core              2.8 M
>>>>>>>>>  cpio               i386    2.5-6              core               45 k
>>>>>>>>>  cpp                i386    3.3.3-7            core              1.4 M
>>>>>>>>>  cracklib           i386    2.7-27.1           core               26 k
>>>>>>>>>  cracklib-dicts     i386    2.7-27.1           core              409 k
>>>>>>>>>  db4                i386    4.2.52-3.1         core              1.5 M
>>>>>>>>>  dev                i386    3.3.13-1           core              3.6 M
>>>>>>>>>  diffutils          i386    2.8.1-11           core              205 k
>>>>>>>>>  e2fsprogs          i386    1.35-7.1           core              728 k
>>>>>>>>>  elfutils-libelf    i386    0.95-2             core               36 k
>>>>>>>>>  ethtool            i386    1.8-3.1            core               48 k
>>>>>>>>>  fedora-release     i386    2-4                core               92 k
>>>>>>>>>  file               i386    4.07-4             core              242 k
>>>>>>>>>  filesystem         i386    2.2.4-1            core               18 k
>>>>>>>>>  findutils          i386    1:4.1.7-25         core              102 k
>>>>>>>>>  gawk               i386    3.1.3-7            core              1.5 M
>>>>>>>>>  gcc                i386    3.3.3-7            core              3.8 M
>>>>>>>>>  gcc-c++            i386    3.3.3-7            core              2.0 M
>>>>>>>>>  gdbm               i386    1.8.0-22.1         core               26 k
>>>>>>>>>  glib               i386    1:1.2.10-12.1.1    core              134 k
>>>>>>>>>  glib2              i386    2.4.8-1.fc2        updates-released  477 k
>>>>>>>>>  glibc              i686    2.3.3-27.1         updates-released  4.9 M
>>>>>>>>>  glibc-common       i386    2.3.3-27.1         updates-released   14 M
>>>>>>>>>  glibc-devel        i386    2.3.3-27.1         updates-released  1.9 M
>>>>>>>>>  glibc-headers      i386    2.3.3-27.1         updates-released  530 k
>>>>>>>>>  glibc-kernheaders  i386    2.4-8.44           core              697 k
>>>>>>>>>  grep               i386    2.5.1-26           core              168 k
>>>>>>>>>  gzip               i386    1.3.3-12.2.legacy  updates-released   88 k
>>>>>>>>>  info               i386    4.7-4              updates-released  147 k
>>>>>>>>>  initscripts        i386    7.55.2-1           updates-released  906 k
>>>>>>>>>  iproute            i386    2.4.7-14           core              591 k
>>>>>>>>>  iputils            i386    20020927-13        core               92 k
>>>>>>>>>  less               i386    382-3              core               85 k
>>>>>>>>>  libacl             i386    2.2.7-5            core               15 k
>>>>>>>>>  libattr            i386    2.4.1-4            core              8.6 k
>>>>>>>>>  libgcc             i386    3.3.3-7            core               33 k
>>>>>>>>>  libselinux         i386    1.11.4-1           core               45 k
>>>>>>>>>  libstdc++          i386    3.3.3-7            core              240 k
>>>>>>>>>  libstdc++-devel    i386    3.3.3-7            core              1.3 M
>>>>>>>>>  libtermcap         i386    2.0.8-38           core               12 k
>>>>>>>>>  make               i386    1:3.80-3           core              337 k
>>>>>>>>>  mingetty           i386    1.07-2             core               18 k
>>>>>>>>>  mktemp             i386    2:1.5-7            core               12 k
>>>>>>>>>  modutils           i386    2.4.26-16          core              395 k
>>>>>>>>>  ncurses            i386    5.4-5              core              1.5 M
>>>>>>>>>  net-tools          i386    1.60-25.1          updates-released  311 k
>>>>>>>>>  pam                i386    0.77-40            core              1.9 M
>>>>>>>>>  patch              i386    2.5.4-19           core               61 k
>>>>>>>>>  pcre               i386    4.5-2              core               59 k
>>>>>>>>>  perl               i386    3:5.8.3-18         core               11 M
>>>>>>>>>  perl-Filter        i386    1.30-5             core               68 k
>>>>>>>>>  popt               i386    1.9.1-0.4.1        updates-released   61 k
>>>>>>>>>  procps             i386    3.2.0-1.2          updates-released  176 k
>>>>>>>>>  psmisc             i386    21.4-2             core               41 k
>>>>>>>>>  redhat-rpm-config  noarch  8.0.28-1.1.1       core               41 k
>>>>>>>>>  rpm                i386    4.3.1-0.4.1        updates-released  2.2 M
>>>>>>>>>  rpm-build          i386    4.3.1-0.4.1        updates-released  437 k
>>>>>>>>>  sed                i386    4.0.8-4            core              116 k
>>>>>>>>>  setup              noarch  2.5.33-1           core               29 k
>>>>>>>>>  shadow-utils       i386    2:4.0.3-55         updates-released  671 k
>>>>>>>>>  sysklogd           i386    1.4.1-16           core               65 k
>>>>>>>>>  tar                i386    1.13.25-14         core              351 k
>>>>>>>>>  termcap            noarch  11.0.1-18.1        core              237 k
>>>>>>>>>  tzdata             noarch  2005f-1.fc2        updates-released  449 k
>>>>>>>>>  unzip              i386    5.50-37            core              139 k
>>>>>>>>>  util-linux         i386    2.12-19            updates-released  1.5 M
>>>>>>>>>  which              i386    2.16-2             core               21 k
>>>>>>>>>  words              noarch  2-22               core              137 k
>>>>>>>>>  zlib               i386    1.2.1.2-0.fc2      updates-released   44 k
>>>>>>>>>
>>>>>>>>> After installing all of these packages successfully, the next thing that happens is:
>>>>>>>>>
>>>>>>>>> Executing /usr/sbin/mock-helper chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
>>>>>>>>>
>>>>>>>>> and at that point the "useradd" process just hangs indefinitely. I'm told that if SELinux is disabled (I've tried permissive mode and that doesn't help), this works. I can't see any AVCs in the logs. Any ideas what might be causing this and how it might be fixed?
>>>>>>>>>
>>>>>>>>> I'm running this on FC5; what I'm trying to do is set up a chroot with FC2 packages. This includes the FC2 version of useradd, and it's this that's hanging when run in the chroot.
>>>>>>>>
>>>>>>>> In fc2 you should disable SELinux.
>>>>>>>
>>>>>>> I'd happily give things in the chroot the impression that SELinux is disabled (I believe mock actually does this already) but I *really* don't want to disable SELinux on my FC5 host.
>>>>>>>
>>>>>>> Paul.
>>>>>
>>>>> Correct.
>>>>>
>>>>>> Usually if it does not work in permissive mode it is not an SELinux problem.
>>>>>
>>>>> *Usually*...
>>>>>
>>>>> I guess I'll have to bite the bullet and try it with SELinux disabled (so I'll have to relabel my desktop box afterwards, sigh). I know of two people that have this working with SELinux disabled, and I vaguely recall it working for me when I was first trying this (with SELinux disabled, probably a year ago). I've got it working for everything from RHL7 through to FC5 targets apart from FC2, so I doubt I'm doing something significantly wrong.
>>>>
>>>> I've now got a nice shiny new x86_64 box so at last I've been able to sacrifice my old build system by disabling SELinux on it. My recollection was correct - the mock build for FC2 worked just fine with SELinux disabled. Any thoughts on what might be going on here?
>>>
>>> Did you ever try stracing the useradd process to see what it is doing at the point where it hangs?
>>
>> Aha. Now we're getting somewhere:
>>
>> open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
>> rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>> open("/proc/filesystems", O_RDONLY) = 5
>> read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
>> open("/proc/self/attr/current", O_RDONLY) = 6
>> read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
>> close(6) = 0
>> close(5) = 0
>> open("/proc/self/attr/current", O_RDONLY) = 5
>> read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
>> close(5) = 0
>> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
>> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
>> open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such file or directory)
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>> rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
>> time([-577099120727426906]) = 1155135654
>> write(2, "Would you like to enter a securi"..., 48Would you like to enter a security context? [y] ) = 48
>> ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
>> read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted)
>> --- SIGTERM (Terminated) @ 0 (0) ---
>> +++ killed by SIGTERM +++
>> Process 6199 detached
>>
>> Any suggestions on how I get past this request to enter a security context, or better still, have it not ask?
>>
>> Paul.

FC2 doesn't have runuser, which is why we need to use su here.

I should be able to fix /etc/pam.d/su by patching the FC2 coreutils package to remove the "multiple"; what's that actually do?

This didn't work. Fails in exactly the same way as before. I do see attempted reads of the non-existent files:

/selinux/access
/selinux/enforce
/selinux/user
/etc/security/failsafe_context

and I see a read of /proc/self/attr/current returning user_u:system_r:mock_t:s0, which clearly isn't going to be appropriate for a process running in an FC2 chroot.

Supposing I just remove the pam_selinux from /etc/pam.d/su altogether? Is that likely to break anything? Any other way of persuading an FC2 system that SELinux is disabled?

Paul.

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
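An added check, written for this page and not code from the thread or from mock, that audits a chroot for the two conditions the strace above exposes: the host kernel's SELinux state leaking into the chroot through /proc, and a pam_selinux line in /etc/pam.d/su carrying the "multiple" option that makes it prompt on stdin. It takes a chroot root and a /proc directory as arguments and builds a constructed fixture to run against; that old libselinux decided "enabled" from exactly the two files the strace shows is an assumption made here, not something the thread states.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread). The FC2 useradd
# read /proc/filesystems and /proc/self/attr/current, both answered by the
# HOST kernel, so the chroot inherited the host's "SELinux enabled" view and
# its mock_t context; pam_selinux's "multiple" option then prompted on stdin
# for a context and, with nothing attached to answer, read() blocked forever.
# Assumption: old libselinux used just those two files to decide "enabled".

# 0 if /etc/pam.d/$2 under chroot root $1 loads pam_selinux with "multiple".
pam_selinux_multiple() {
    f="$1/etc/pam.d/$2"
    [ -r "$f" ] || return 1
    grep -v '^[[:space:]]*#' "$f" | grep 'pam_selinux' \
        | grep -Eq '[[:space:]]multiple([[:space:]]|$)'
}

# 0 if the proc view in $1 would make old libselinux report SELinux enabled.
selinux_visible() {
    grep -q 'selinuxfs' "$1/filesystems" 2>/dev/null \
        && [ -r "$1/self/attr/current" ]
}

# Print "hang-risk" or "ok" for chroot $1 seen through proc dir $2; mock's
# "su - root -c useradd" goes through the su PAM service.
check_chroot() {
    if selinux_visible "$2" && pam_selinux_multiple "$1" su; then
        echo "context seen by the chroot: $(cat "$2/self/attr/current")" >&2
        echo hang-risk
    else
        echo ok
    fi
}

# Constructed fixture standing in for a chroot root and a /proc so the check
# runs offline; the context string is the one from the strace.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/root/etc/pam.d" "$d/proc/self/attr"
    printf 'auth sufficient pam_rootok.so\nsession optional pam_selinux.so multiple\n' \
        > "$d/root/etc/pam.d/su"
    printf 'nodev\tsysfs\nnodev\tselinuxfs\n' > "$d/proc/filesystems"
    printf 'user_u:system_r:mock_t:s0' > "$d/proc/self/attr/current"
    echo "$d"
}

fx=$(make_fixture)
check_chroot "$fx/root" "$fx/proc"    # prints hang-risk
```

Run against a real mock chroot as `check_chroot /var/lib/mock/<target>/root /proc`; the prompt only goes away when either leg of the condition is broken, which is why removing "multiple" and hiding selinuxfs are the two knobs worth checking.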