Stephen Smalley wrote:
On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>> Daniel J Walsh wrote:
>>> Paul Howarth wrote:
>>>> Daniel J Walsh wrote:
>>>>> Paul Howarth wrote:
>>>>>> I use mock to build packages for old distributions in a chroot-ed
>>>>>> environment on my FC5 box. I've pretty well got this working for all
>>>>>> old distributions now apart from FC2 (see
>>>>>> http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the process
>>>>>> gets off to quite a good start, installing the following packages into
>>>>>> the chroot:
>>>>>>
>>>>>> =============================================================================
>>>>>> Package            Arch    Version            Repository        Size
>>>>>> =============================================================================
>>>>>> Installing:
>>>>>> buildsys-build     noarch  0.5-1.CF.fc2       groups            1.8 k
>>>>>> Installing for dependencies:
>>>>>> SysVinit           i386    2.85-25            core              96 k
>>>>>> basesystem         noarch  8.0-3              core              2.7 k
>>>>>> bash               i386    2.05b-38           core              1.5 M
>>>>>> beecrypt           i386    3.1.0-3            core              64 k
>>>>>> binutils           i386    2.15.90.0.3-5      core              2.8 M
>>>>>> buildsys-macros    noarch  2-2.fc2            groups            2.1 k
>>>>>> bzip2              i386    1.0.2-12.1         core              48 k
>>>>>> bzip2-libs         i386    1.0.2-12.1         core              32 k
>>>>>> chkconfig          i386    1.3.9-1.1          core              99 k
>>>>>> coreutils          i386    5.2.1-7            core              2.8 M
>>>>>> cpio               i386    2.5-6              core              45 k
>>>>>> cpp                i386    3.3.3-7            core              1.4 M
>>>>>> cracklib           i386    2.7-27.1           core              26 k
>>>>>> cracklib-dicts     i386    2.7-27.1           core              409 k
>>>>>> db4                i386    4.2.52-3.1         core              1.5 M
>>>>>> dev                i386    3.3.13-1           core              3.6 M
>>>>>> diffutils          i386    2.8.1-11           core              205 k
>>>>>> e2fsprogs          i386    1.35-7.1           core              728 k
>>>>>> elfutils-libelf    i386    0.95-2             core              36 k
>>>>>> ethtool            i386    1.8-3.1            core              48 k
>>>>>> fedora-release     i386    2-4                core              92 k
>>>>>> file               i386    4.07-4             core              242 k
>>>>>> filesystem         i386    2.2.4-1            core              18 k
>>>>>> findutils          i386    1:4.1.7-25         core              102 k
>>>>>> gawk               i386    3.1.3-7            core              1.5 M
>>>>>> gcc                i386    3.3.3-7            core              3.8 M
>>>>>> gcc-c++            i386    3.3.3-7            core              2.0 M
>>>>>> gdbm               i386    1.8.0-22.1         core              26 k
>>>>>> glib               i386    1:1.2.10-12.1.1    core              134 k
>>>>>> glib2              i386    2.4.8-1.fc2        updates-released  477 k
>>>>>> glibc              i686    2.3.3-27.1         updates-released  4.9 M
>>>>>> glibc-common       i386    2.3.3-27.1         updates-released  14 M
>>>>>> glibc-devel        i386    2.3.3-27.1         updates-released  1.9 M
>>>>>> glibc-headers      i386    2.3.3-27.1         updates-released  530 k
>>>>>> glibc-kernheaders  i386    2.4-8.44           core              697 k
>>>>>> grep               i386    2.5.1-26           core              168 k
>>>>>> gzip               i386    1.3.3-12.2.legacy  updates-released  88 k
>>>>>> info               i386    4.7-4              updates-released  147 k
>>>>>> initscripts        i386    7.55.2-1           updates-released  906 k
>>>>>> iproute            i386    2.4.7-14           core              591 k
>>>>>> iputils            i386    20020927-13        core              92 k
>>>>>> less               i386    382-3              core              85 k
>>>>>> libacl             i386    2.2.7-5            core              15 k
>>>>>> libattr            i386    2.4.1-4            core              8.6 k
>>>>>> libgcc             i386    3.3.3-7            core              33 k
>>>>>> libselinux         i386    1.11.4-1           core              45 k
>>>>>> libstdc++          i386    3.3.3-7            core              240 k
>>>>>> libstdc++-devel    i386    3.3.3-7            core              1.3 M
>>>>>> libtermcap         i386    2.0.8-38           core              12 k
>>>>>> make               i386    1:3.80-3           core              337 k
>>>>>> mingetty           i386    1.07-2             core              18 k
>>>>>> mktemp             i386    2:1.5-7            core              12 k
>>>>>> modutils           i386    2.4.26-16          core              395 k
>>>>>> ncurses            i386    5.4-5              core              1.5 M
>>>>>> net-tools          i386    1.60-25.1          updates-released  311 k
>>>>>> pam                i386    0.77-40            core              1.9 M
>>>>>> patch              i386    2.5.4-19           core              61 k
>>>>>> pcre               i386    4.5-2              core              59 k
>>>>>> perl               i386    3:5.8.3-18         core              11 M
>>>>>> perl-Filter        i386    1.30-5             core              68 k
>>>>>> popt               i386    1.9.1-0.4.1        updates-released  61 k
>>>>>> procps             i386    3.2.0-1.2          updates-released  176 k
>>>>>> psmisc             i386    21.4-2             core              41 k
>>>>>> redhat-rpm-config  noarch  8.0.28-1.1.1       core              41 k
>>>>>> rpm                i386    4.3.1-0.4.1        updates-released  2.2 M
>>>>>> rpm-build          i386    4.3.1-0.4.1        updates-released  437 k
>>>>>> sed                i386    4.0.8-4            core              116 k
>>>>>> setup              noarch  2.5.33-1           core              29 k
>>>>>> shadow-utils       i386    2:4.0.3-55         updates-released  671 k
>>>>>> sysklogd           i386    1.4.1-16           core              65 k
>>>>>> tar                i386    1.13.25-14         core              351 k
>>>>>> termcap            noarch  11.0.1-18.1        core              237 k
>>>>>> tzdata             noarch  2005f-1.fc2        updates-released  449 k
>>>>>> unzip              i386    5.50-37            core              139 k
>>>>>> util-linux         i386    2.12-19            updates-released  1.5 M
>>>>>> which              i386    2.16-2             core              21 k
>>>>>> words              noarch  2-22               core              137 k
>>>>>> zlib               i386    1.2.1.2-0.fc2      updates-released  44 k
>>>>>>
>>>>>> After installing all of these packages successfully, the next thing
>>>>>> that happens is:
>>>>>>
>>>>>> Executing /usr/sbin/mock-helper
>>>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c
>>>>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
>>>>>>
>>>>>> and at that point the "useradd" process just hangs indefinitely. I'm
>>>>>> told that if SELinux is disabled (I've tried permissive mode and that
>>>>>> doesn't help), this works. I can't see any AVCs in the logs.
>>>>>>
>>>>>> Any ideas what might be causing this and how it might be fixed?
>>>>
>>>>> In fc2 you should disable SELinux.
>>>> I'm running this on FC5; what I'm trying to do is set up a chroot with
>>>> FC2 packages. This includes the FC2 version of useradd, and it's this
>>>> that's hanging when run in the chroot.
>>>>
>>>> I'd happily give things in the chroot the impression that SELinux is
>>>> disabled (I believe mock actually does this already) but I *really*
>>>> don't want to disable SELinux on my FC5 host.
>>>>
>>>> Paul.
>>> I have no idea why this would happen then. And I am not sure I believe
>>> them when they say that if SELinux was disabled this would work
>>> differently, unless there is a kernel bug. You are not seeing avc
>>> messages, correct?
>> Correct.
>>
>>> Usually if it does not work in permissive mode it is
>>> not an SELinux problem.
>> *Usually*...
>>
>> I guess I'll have to bite the bullet and try it with SELinux disabled
>> (so I'll have to relabel my desktop box afterwards, sigh). I know of two
>> people that have this working with SELinux disabled, and I vaguely
>> recall it working for me when I was first trying this (with SELinux
>> disabled, probably a year ago). I've got it working for everything from
>> RHL7 through to FC5 targets apart from FC2, so I doubt I'm doing
>> something significantly wrong.
> I've now got a nice shiny new x86_64 box so at last I've been able to
> sacrifice my old build system by disabling SELinux on it. My
> recollection was correct - the mock build for FC2 worked just fine with
> SELinux disabled.
>
> Any thoughts on what might be going on here?

Did you ever try stracing the useradd process to see what it is doing at
the point where it hangs?

Aha. Now we're getting somewhere:

open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
open("/proc/filesystems", O_RDONLY) = 5
read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
open("/proc/self/attr/current", O_RDONLY) = 6
read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
close(6) = 0
close(5) = 0
open("/proc/self/attr/current", O_RDONLY) = 5
read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
close(5) = 0
open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such file or directory)
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
time([-577099120727426906]) = 1155135654
write(2, "Would you like to enter a securi"..., 48Would you like to enter a security context? [y] ) = 48
ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted)
--- SIGTERM (Terminated) @ 0 (0) ---
+++ killed by SIGTERM +++
Process 6199 detached

Any suggestions on how I get past this request to enter a security
context, or better still, have it not ask?

Paul.
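
A small parser for the strace output above, as an added example that is not part of the original thread: it lists the paths that failed with ENOENT, the SELinux context the process read about itself, and the syscall it was sitting in when it was killed. The function name `diagnose` and its result keys are names chosen here; the trace is an abridged copy of the lines in the post, with wrapped lines rejoined.

```python
import re

# Abridged copy of the strace lines from the post (wrapped lines rejoined).
TRACE = r'''open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
open("/proc/self/attr/current", O_RDONLY) = 6
read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
close(6) = 0
open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "Would you like to enter a securi"..., 48Would you like to enter a security context? [y] ) = 48
read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted)
--- SIGTERM (Terminated) @ 0 (0) ---
+++ killed by SIGTERM +++
'''

# name(args) = ret [ERRNO (description)]
CALL = re.compile(r'^(\w+)\((.*)\)\s+=\s+(\S+)(?:\s+(\w+)\s+\(.*\))?$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted string argument

def diagnose(trace):
    """Summarise where a traced process stopped and what it failed to find."""
    fds = {}  # open file descriptors -> path
    out = {"missing": [], "context": None, "prompt": None, "blocked_on": None}
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue  # signal and exit markers ("--- SIGTERM ...", "+++ ...")
        name, args, ret, err = m.groups()
        first = args.split(",", 1)[0].strip()
        s = QUOTED.search(args)
        text = s.group(1) if s else None
        if name == "open":
            if err == "ENOENT":
                out["missing"].append(text)
            elif ret.isdigit():
                fds[ret] = text
        elif name == "close":
            fds.pop(first, None)
        elif name == "read" and fds.get(first) == "/proc/self/attr/current" and text:
            out["context"] = text.replace("\\0", "")  # strace shows the NUL as \0
        elif name == "write" and first == "2":
            out["prompt"] = text  # last message written to stderr
        if ret == "?":
            out["blocked_on"] = (name, int(first))  # syscall interrupted by the signal
    # A prompt on stderr followed by an unfinished read of stdin: waiting for input.
    out["stdin_prompt_hang"] = out["blocked_on"] == ("read", 0) and out["prompt"] is not None
    return out

if __name__ == "__main__":
    print(diagnose(TRACE))
```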