Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> Paul Howarth wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> Paul Howarth wrote:
>>>>>>>>> I use mock to build packages for old distributions in
a chroot-ed
>>>>>>>>> environment on my FC5 box. I've pretty well got
this working
>>>>>>>>> for all old
>>>>>>>>> distributions now apart from FC2 (see
>>>>>>>>>
http://www.fedoraproject.org/wiki/Legacy/Mock). On
FC2, the
>>>>>>>>> process gets
>>>>>>>>> off to quite a good start, installing the following
packages
>>>>>>>>> into the
>>>>>>>>> chroot:
>>>>>>>>>
>>>>>>>>>
=============================================================================
>>>>>>>>>
>>>>>>>>> Package Arch Version
Repository
>>>>>>>>> Size
>>>>>>>>>
=============================================================================
>>>>>>>>>
>>>>>>>>> Installing:
>>>>>>>>> buildsys-build noarch 0.5-1.CF.fc2
groups
>>>>>>>>> 1.8 k
>>>>>>>>> Installing for dependencies:
>>>>>>>>> SysVinit i386 2.85-25
core
>>>>>>>>> 96 k
>>>>>>>>> basesystem noarch 8.0-3
core
>>>>>>>>> 2.7 k
>>>>>>>>> bash i386 2.05b-38
core
>>>>>>>>> 1.5 M
>>>>>>>>> beecrypt i386 3.1.0-3
core
>>>>>>>>> 64 k
>>>>>>>>> binutils i386 2.15.90.0.3-5
core
>>>>>>>>> 2.8 M
>>>>>>>>> buildsys-macros noarch 2-2.fc2
groups
>>>>>>>>> 2.1 k
>>>>>>>>> bzip2 i386 1.0.2-12.1
core
>>>>>>>>> 48 k
>>>>>>>>> bzip2-libs i386 1.0.2-12.1
core
>>>>>>>>> 32 k chkconfig i386 1.3.9-1.1
core
>>>>>>>>> 99 k
>>>>>>>>> coreutils i386 5.2.1-7
core
>>>>>>>>> 2.8 M
>>>>>>>>> cpio i386 2.5-6
core
>>>>>>>>> 45 k
>>>>>>>>> cpp i386 3.3.3-7
core
>>>>>>>>> 1.4 M
>>>>>>>>> cracklib i386 2.7-27.1
core
>>>>>>>>> 26 k
>>>>>>>>> cracklib-dicts i386 2.7-27.1
core
>>>>>>>>> 409 k
>>>>>>>>> db4 i386 4.2.52-3.1
core
>>>>>>>>> 1.5 M
>>>>>>>>> dev i386 3.3.13-1
core
>>>>>>>>> 3.6 M
>>>>>>>>> diffutils i386 2.8.1-11
core
>>>>>>>>> 205 k
>>>>>>>>> e2fsprogs i386 1.35-7.1
core
>>>>>>>>> 728 k
>>>>>>>>> elfutils-libelf i386 0.95-2
core
>>>>>>>>> 36 k
>>>>>>>>> ethtool i386 1.8-3.1
core
>>>>>>>>> 48 k
>>>>>>>>> fedora-release i386 2-4
core
>>>>>>>>> 92 k
>>>>>>>>> file i386 4.07-4
core
>>>>>>>>> 242 k
>>>>>>>>> filesystem i386 2.2.4-1
core
>>>>>>>>> 18 k
>>>>>>>>> findutils i386 1:4.1.7-25
core
>>>>>>>>> 102 k
>>>>>>>>> gawk i386 3.1.3-7
core
>>>>>>>>> 1.5 M
>>>>>>>>> gcc i386 3.3.3-7
core
>>>>>>>>> 3.8 M
>>>>>>>>> gcc-c++ i386 3.3.3-7
core
>>>>>>>>> 2.0 M
>>>>>>>>> gdbm i386 1.8.0-22.1
core
>>>>>>>>> 26 k
>>>>>>>>> glib i386 1:1.2.10-12.1.1
core
>>>>>>>>> 134 k
>>>>>>>>> glib2 i386 2.4.8-1.fc2
>>>>>>>>> updates-released
>>>>>>>>> 477 k
>>>>>>>>> glibc i686 2.3.3-27.1
>>>>>>>>> updates-released
>>>>>>>>> 4.9 M
>>>>>>>>> glibc-common i386 2.3.3-27.1
>>>>>>>>> updates-released
>>>>>>>>> 14 M
>>>>>>>>> glibc-devel i386 2.3.3-27.1
>>>>>>>>> updates-released
>>>>>>>>> 1.9 M
>>>>>>>>> glibc-headers i386 2.3.3-27.1
>>>>>>>>> updates-released
>>>>>>>>> 530 k
>>>>>>>>> glibc-kernheaders i386 2.4-8.44
core
>>>>>>>>> 697 k
>>>>>>>>> grep i386 2.5.1-26
core
>>>>>>>>> 168 k
>>>>>>>>> gzip i386 1.3.3-12.2.legacy
>>>>>>>>> updates-released
>>>>>>>>> 88 k
>>>>>>>>> info i386 4.7-4
>>>>>>>>> updates-released
>>>>>>>>> 147 k
>>>>>>>>> initscripts i386 7.55.2-1
>>>>>>>>> updates-released
>>>>>>>>> 906 k
>>>>>>>>> iproute i386 2.4.7-14
core
>>>>>>>>> 591 k
>>>>>>>>> iputils i386 20020927-13
core
>>>>>>>>> 92 k
>>>>>>>>> less i386 382-3
core
>>>>>>>>> 85 k
>>>>>>>>> libacl i386 2.2.7-5
core
>>>>>>>>> 15 k
>>>>>>>>> libattr i386 2.4.1-4
core
>>>>>>>>> 8.6 k
>>>>>>>>> libgcc i386 3.3.3-7
core
>>>>>>>>> 33 k
>>>>>>>>> libselinux i386 1.11.4-1
core
>>>>>>>>> 45 k
>>>>>>>>> libstdc++ i386 3.3.3-7
core
>>>>>>>>> 240 k
>>>>>>>>> libstdc++-devel i386 3.3.3-7
core
>>>>>>>>> 1.3 M
>>>>>>>>> libtermcap i386 2.0.8-38
core
>>>>>>>>> 12 k
>>>>>>>>> make i386 1:3.80-3
core
>>>>>>>>> 337 k
>>>>>>>>> mingetty i386 1.07-2
core
>>>>>>>>> 18 k
>>>>>>>>> mktemp i386 2:1.5-7
core
>>>>>>>>> 12 k
>>>>>>>>> modutils i386 2.4.26-16
core
>>>>>>>>> 395 k
>>>>>>>>> ncurses i386 5.4-5
core
>>>>>>>>> 1.5 M
>>>>>>>>> net-tools i386 1.60-25.1
>>>>>>>>> updates-released
>>>>>>>>> 311 k
>>>>>>>>> pam i386 0.77-40
core
>>>>>>>>> 1.9 M
>>>>>>>>> patch i386 2.5.4-19
core
>>>>>>>>> 61 k
>>>>>>>>> pcre i386 4.5-2
core
>>>>>>>>> 59 k
>>>>>>>>> perl i386 3:5.8.3-18
core
>>>>>>>>> 11 M
>>>>>>>>> perl-Filter i386 1.30-5
core
>>>>>>>>> 68 k
>>>>>>>>> popt i386 1.9.1-0.4.1
>>>>>>>>> updates-released
>>>>>>>>> 61 k
>>>>>>>>> procps i386 3.2.0-1.2
>>>>>>>>> updates-released
>>>>>>>>> 176 k
>>>>>>>>> psmisc i386 21.4-2
core
>>>>>>>>> 41 k
>>>>>>>>> redhat-rpm-config noarch 8.0.28-1.1.1
core
>>>>>>>>> 41 k
>>>>>>>>> rpm i386 4.3.1-0.4.1
>>>>>>>>> updates-released
>>>>>>>>> 2.2 M
>>>>>>>>> rpm-build i386 4.3.1-0.4.1
>>>>>>>>> updates-released
>>>>>>>>> 437 k
>>>>>>>>> sed i386 4.0.8-4
core
>>>>>>>>> 116 k
>>>>>>>>> setup noarch 2.5.33-1
core
>>>>>>>>> 29 k
>>>>>>>>> shadow-utils i386 2:4.0.3-55
>>>>>>>>> updates-released
>>>>>>>>> 671 k
>>>>>>>>> sysklogd i386 1.4.1-16
core
>>>>>>>>> 65 k
>>>>>>>>> tar i386 1.13.25-14
core
>>>>>>>>> 351 k
>>>>>>>>> termcap noarch 11.0.1-18.1
core
>>>>>>>>> 237 k
>>>>>>>>> tzdata noarch 2005f-1.fc2
>>>>>>>>> updates-released
>>>>>>>>> 449 k
>>>>>>>>> unzip i386 5.50-37
core
>>>>>>>>> 139 k
>>>>>>>>> util-linux i386 2.12-19
>>>>>>>>> updates-released
>>>>>>>>> 1.5 M
>>>>>>>>> which i386 2.16-2
core
>>>>>>>>> 21 k
>>>>>>>>> words noarch 2-22
core
>>>>>>>>> 137 k
>>>>>>>>> zlib i386 1.2.1.2-0.fc2
>>>>>>>>> updates-released
>>>>>>>>> 44 k
>>>>>>>>>
>>>>>>>>> After installing all of these packages successfully,
the next
>>>>>>>>> thing that
>>>>>>>>> happens is:
>>>>>>>>>
>>>>>>>>> Executing /usr/sbin/mock-helper
>>>>>>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su
- root -c
>>>>>>>>> "/usr/sbin/useradd -m -u 500 -d /builddir
mockbuild"
>>>>>>>>>
>>>>>>>>> and at that point the "useradd" process
just hangs
>>>>>>>>> indefinitely. I'm
>>>>>>>>> told that if SELinux is disabled (I've tried
permissive mode
>>>>>>>>> and that
>>>>>>>>> doesn't help), this works. I can't see any
AVCs in the logs.
>>>>>>>>>
>>>>>>>>> Any ideas what might be causing this and how it might
be fixed?
>>>>>>>
>>>>>>>> In fc2 you should disable SELinux.
>>>>>>> I'm running this on FC5; what I'm trying to do is set
up a
>>>>>>> chroot with FC2 packages. This includes the FC2 version of
>>>>>>> useradd, and it's this that's hanging when run in the
chroot.
>>>>>>>
>>>>>>> I'd happily give things in the chroot the impression that
>>>>>>> SELinux is disabled (I believe mock actually does this
already)
>>>>>>> but I *really* don't want to disable SELinux on my FC5
host.
>>>>>>>
>>>>>>> Paul.
>>>>>> I have no idea why this would happen then. And I am not sure I
>>>>>> believe them when they say that if SELinux was disabled this
>>>>>> would work differently, unless there is a kernel bug. You are
>>>>>> not seeing avc messages, correct?
>>>>> Correct.
>>>>>
>>>>>> Usually if it does not work in permissive mode it is not an
>>>>>> SELinux problem.
>>>>> *Usually*...
>>>>>
>>>>> I guess I'll have to bite the bullet and try it with SELinux
>>>>> disabled (so I'll have to relabel my desktop box afterwards,
>>>>> sigh). I know of two people that have this working with SELinux
>>>>> disabled, and I vaguely recall it working for me when I was first
>>>>> trying this (with SELinux disabled, probably a year ago). I've
got
>>>>> it working for everything from RHL7 through to FC5 targets apart
>>>>> from FC2, so I doubt I'm doing something significantly wrong.
>>>> I've now got a nice shiny new x86_64 box so at last I've been
able to
>>>> sacrifice my old build system by disabling SELinux on it. My
>>>> recollection was correct - the mock build for FC2 worked just fine
>>>> with
>>>> SELinux disabled.
>>>>
>>>> Any thoughts on what might be going on here?
>>>
>>> Did you ever try stracing the useradd process to see what it is
>>> doing at
>>> the point where it hangs?
>>
>> Aha. Now we're getting somewhere:
>>
>> open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or
>> directory)
>> rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon
>> echo ...}) = 0
>> open("/proc/filesystems", O_RDONLY) = 5
>> read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
>> open("/proc/self/attr/current", O_RDONLY) = 6
>> read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
>> close(6) = 0
>> close(5) = 0
>> open("/proc/self/attr/current", O_RDONLY) = 5
>> read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
>> close(5) = 0
>> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or
>> directory)
>> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or
>> directory)
>> open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such
>> file or directory)
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon
>> echo ...}) = 0
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon
>> echo ...}) = 0
>> rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
>> time([-577099120727426906]) = 1155135654
>> write(2, "Would you like to enter a securi"..., 48Would you like to
>> enter a security context? [y] ) = 48
>> ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon
>> echo ...}) = 0
>> read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be
>> restarted)
>> --- SIGTERM (Terminated) @ 0 (0) ---
>> +++ killed by SIGTERM +++
>> Process 6199 detached
>>
>>
>> Any suggestions on how I get past this request to enter a security
>> context, or better still, have it not ask?
>>
>> Paul.
> Remove multiple from pam_selinux line in /etc/pam.d/su or better yet
> use runuser.
FC2 doesn't have runuser, which is why we need to use su here.
I should be able to fix /etc/pam.d/su by patching the FC2 coreutils
package to remove the "multiple"; what's that actually do?
This didn't work. Fails in exactly the same way as before.
I do see attempted reads of the non-existent files:
/selinux/access
/selinux/enforce
/selinux/user
/etc/security/failsafe_context
and I see a read of /proc/self/attr/current returning
user_u:system_r:mock_t:s0, which clearly isn't going to be appropriate
for a process running in an FC2 chroot.
Supposing I just remove the pam_selinux from /etc/pam.d/su altogether?
Is that likely to break anything? Any other way of persuading an FC2
system that SELinux is disabled?
Paul.