Re: FC2 useradd in chroot on FC5 host with SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Paul Howarth wrote:
Daniel J Walsh wrote:
Paul Howarth wrote:
Stephen Smalley wrote:
On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
Daniel J Walsh wrote:
Paul Howarth wrote:
Daniel J Walsh wrote:
Paul Howarth wrote:
I use mock to build packages for old distributions in a chroot-ed
environment on my FC5 box. I've pretty well got this working for all old
distributions now apart from FC2 (see
http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the process gets off to quite a good start, installing the following packages into the
chroot:

=============================================================================
 Package                 Arch       Version          Repository
Size
=============================================================================
Installing:
 buildsys-build          noarch     0.5-1.CF.fc2     groups
1.8 k
Installing for dependencies:
 SysVinit                i386       2.85-25          core
96 k
 basesystem              noarch     8.0-3            core
2.7 k
 bash                    i386       2.05b-38         core
1.5 M
 beecrypt                i386       3.1.0-3          core
64 k
 binutils                i386       2.15.90.0.3-5    core
2.8 M
 buildsys-macros         noarch     2-2.fc2          groups
2.1 k
 bzip2                   i386       1.0.2-12.1       core
48 k
 bzip2-libs              i386       1.0.2-12.1       core
32 k  chkconfig               i386       1.3.9-1.1        core
99 k
 coreutils               i386       5.2.1-7          core
2.8 M
 cpio                    i386       2.5-6            core
45 k
 cpp                     i386       3.3.3-7          core
1.4 M
 cracklib                i386       2.7-27.1         core
26 k
 cracklib-dicts          i386       2.7-27.1         core
409 k
 db4                     i386       4.2.52-3.1       core
1.5 M
 dev                     i386       3.3.13-1         core
3.6 M
 diffutils               i386       2.8.1-11         core
205 k
 e2fsprogs               i386       1.35-7.1         core
728 k
 elfutils-libelf         i386       0.95-2           core
36 k
 ethtool                 i386       1.8-3.1          core
48 k
 fedora-release          i386       2-4              core
92 k
 file                    i386       4.07-4           core
242 k
 filesystem              i386       2.2.4-1          core
18 k
 findutils               i386       1:4.1.7-25       core
102 k
 gawk                    i386       3.1.3-7          core
1.5 M
 gcc                     i386       3.3.3-7          core
3.8 M
 gcc-c++                 i386       3.3.3-7          core
2.0 M
 gdbm                    i386       1.8.0-22.1       core
26 k
 glib                    i386       1:1.2.10-12.1.1  core
134 k
glib2 i386 2.4.8-1.fc2 updates-released
477 k
glibc i686 2.3.3-27.1 updates-released
4.9 M
glibc-common i386 2.3.3-27.1 updates-released
14 M
glibc-devel i386 2.3.3-27.1 updates-released
1.9 M
glibc-headers i386 2.3.3-27.1 updates-released
530 k
 glibc-kernheaders       i386       2.4-8.44         core
697 k
 grep                    i386       2.5.1-26         core
168 k
gzip i386 1.3.3-12.2.legacy updates-released
88 k
info i386 4.7-4 updates-released
147 k
initscripts i386 7.55.2-1 updates-released
906 k
 iproute                 i386       2.4.7-14         core
591 k
 iputils                 i386       20020927-13      core
92 k
 less                    i386       382-3            core
85 k
 libacl                  i386       2.2.7-5          core
15 k
 libattr                 i386       2.4.1-4          core
8.6 k
 libgcc                  i386       3.3.3-7          core
33 k
 libselinux              i386       1.11.4-1         core
45 k
 libstdc++               i386       3.3.3-7          core
240 k
 libstdc++-devel         i386       3.3.3-7          core
1.3 M
 libtermcap              i386       2.0.8-38         core
12 k
 make                    i386       1:3.80-3         core
337 k
 mingetty                i386       1.07-2           core
18 k
 mktemp                  i386       2:1.5-7          core
12 k
 modutils                i386       2.4.26-16        core
395 k
 ncurses                 i386       5.4-5            core
1.5 M
net-tools i386 1.60-25.1 updates-released
311 k
 pam                     i386       0.77-40          core
1.9 M
 patch                   i386       2.5.4-19         core
61 k
 pcre                    i386       4.5-2            core
59 k
 perl                    i386       3:5.8.3-18       core
11 M
 perl-Filter             i386       1.30-5           core
68 k
popt i386 1.9.1-0.4.1 updates-released
61 k
procps i386 3.2.0-1.2 updates-released
176 k
 psmisc                  i386       21.4-2           core
41 k
 redhat-rpm-config       noarch     8.0.28-1.1.1     core
41 k
rpm i386 4.3.1-0.4.1 updates-released
2.2 M
rpm-build i386 4.3.1-0.4.1 updates-released
437 k
 sed                     i386       4.0.8-4          core
116 k
 setup                   noarch     2.5.33-1         core
29 k
shadow-utils i386 2:4.0.3-55 updates-released
671 k
 sysklogd                i386       1.4.1-16         core
65 k
 tar                     i386       1.13.25-14       core
351 k
 termcap                 noarch     11.0.1-18.1      core
237 k
tzdata noarch 2005f-1.fc2 updates-released
449 k
 unzip                   i386       5.50-37          core
139 k
util-linux i386 2.12-19 updates-released
1.5 M
 which                   i386       2.16-2           core
21 k
 words                   noarch     2-22             core
137 k
zlib i386 1.2.1.2-0.fc2 updates-released
44 k

After installing all of these packages successfully, the next thing that
happens is:

Executing /usr/sbin/mock-helper
chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c
"/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"

and at that point the "useradd" process just hangs indefinitely. I'm told that if SELinux is disabled (I've tried permissive mode and that
doesn't help), this works. I can't see any AVCs in the logs.

Any ideas what might be causing this and how it might be fixed?

In fc2 you should disable SELinux.
I'm running this on FC5; what I'm trying to do is set up a chroot with FC2 packages. This includes the FC2 version of useradd, and it's this that's hanging when run in the chroot.

I'd happily give things in the chroot the impression that SELinux is disabled (I believe mock actually does this already) but I *really* don't want to disable SELinux on my FC5 host.

Paul.
I have no idea why this would happen then. And I am not sure I believe them when they say that if SELinux was disabled this would work differently, unless there is a kernel bug. You are not seeing avc messages, correct?
Correct.

Usually if it does not work in permissive mode it is not an SELinux problem.
*Usually*...

I guess I'll have to bite the bullet and try it with SELinux disabled (so I'll have to relabel my desktop box afterwards, sigh). I know of two people that have this working with SELinux disabled, and I vaguely recall it working for me when I was first trying this (with SELinux disabled, probably a year ago). I've got it working for everything from RHL7 through to FC5 targets apart from FC2, so I doubt I'm doing something significantly wrong.
I've now got a nice shiny new x86_64 box so at last I've been able to
sacrifice my old build system by disabling SELinux on it. My
recollection was correct - the mock build for FC2 worked just fine with
SELinux disabled.

Any thoughts on what might be going on here?

Did you ever try stracing the useradd process to see what it is doing at
the point where it hangs?

Aha. Now we're getting somewhere:

open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
open("/proc/filesystems", O_RDONLY)     = 5
read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
open("/proc/self/attr/current", O_RDONLY) = 6
read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
close(6)                                = 0
close(5)                                = 0
open("/proc/self/attr/current", O_RDONLY) = 5
read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
close(5)                                = 0
open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory) open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory) open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such file or directory) ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
time([-577099120727426906])             = 1155135654
write(2, "Would you like to enter a securi"..., 48Would you like to enter a security context? [y] ) = 48 ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0 read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted)
--- SIGTERM (Terminated) @ 0 (0) ---
+++ killed by SIGTERM +++
Process 6199 detached


Any suggestions on how I get past this request to enter a security context, or better still, have it not ask?

Paul.
Remove multiple from pam_selinux line in /etc/pam.d/su or better yet use runuser.

FC2 doesn't have runuser, which is why we need to use su here.

I should be able to fix /etc/pam.d/su by patching the FC2 coreutils package to remove the "multiple"; what's that actually do?

This didn't work. Fails in exactly the same way as before.

I do see attempted reads of the non-existent files:

/selinux/access
/selinux/enforce
/selinux/user
/etc/security/failsafe_context

and I see a read of /proc/self/attr/current returning user_u:system_r:mock_t:s0, which clearly isn't going to be appropriate for a process running in an FC2 chroot.

Supposing I just remove the pam_selinux from /etc/pam.d/su altogether? Is that likely to break anything? Any other way of persuading an FC2 system that SELinux is disabled?

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux