Selinux and pbuilder

Sandro Mani manisandro at gmail.com
Thu Dec 11 00:03:07 UTC 2014


Hi,

Before digging around more, thought I'd check here if some debian+selinux 
experienced person has any ideas... I'm encountering two kinds of 
failure when using pbuilder which seem selinux related:

- When building packages for newer releases (i.e. Ubuntu >= trusty), 
pbuilder used to fail with

[...]
dpkg: error processing archive
<package_name>.deb (--unpack):
  cannot get security labeling handle: No such file or directory
[...]

This looked like upstream [1], at the end of which it was suggested to 
bind-mount /sys/fs/selinux into the pbuilder chroot and remount it 
read-only. Did so, and things worked, hooray.

- Today I built the package for an older release, and now, with selinux 
mounted read-only, it fails with
[...]
I: Extracting source
Password: su: Authentication failure
E: pbuilder: Failed extracting the source
[...]
Reverting the patch applied to fix the first problem (or even just not 
remounting read-only), things work again for the older releases, but 
clearly not anymore for the newer releases. There are a few reports of 
similar problems here and there ([2], old and fixed; [3], not relevant 
here, since /selinux is being mounted; [4], old and related to pam), but 
nothing recent or particularly revealing.

So in short: mounting read-only works for ubuntu >= trusty but breaks 
older, and mounting read-write works for older but breaks ubuntu >= 
trusty. (Same most likely applies to newish vs oldish debian, haven't 
tested though).


So... Anyone with any ideas?

And heads up: I got overexcited with the fix for the first issue and 
already built a patched pbuilder, so if you are using pbuilder-0.215-12 
from rawhide, f21+testing or f20+testing, building packages for older 
releases will currently fail. To work around, just comment/uncomment 
line 280 of /usr/lib/pbuilder/pbuilder-modules as necessary.


Thanks,
Sandro



[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734193
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384389
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506917
[4] https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/22739
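
A quick way to tell which of the two states described in the message a given chroot is in, as an added example that is not part of the original message or of pbuilder: it reads a mount table in /proc/mounts format and reports whether selinuxfs is mounted read-only, read-write or not at all under the chroot. The function names, the sample chroot paths and the mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not pbuilder code): report how selinuxfs is mounted in a chroot.
# Usage: selinuxfs_state CHROOT [MOUNTS_FILE]   (default: /proc/mounts)
# Prints "ro", "rw" or "absent".
selinuxfs_state() {
    chroot_dir=${1%/}            # strip trailing slash; "/" becomes "" (the host)
    mounts=${2:-/proc/mounts}
    awk -v root="$chroot_dir" '
        # /proc/mounts fields: device mountpoint fstype options dump pass
        $3 == "selinuxfs" &&
        ($2 == (root "/sys/fs/selinux") || $2 == (root "/selinux")) {
            n = split($4, opts, ",")
            state = "rw"
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro") state = "ro"
        }
        # If the mount point appears more than once, the last entry wins.
        END { print (state == "" ? "absent" : state) }
    ' "$mounts"
}

# Constructed sample mount table: host, one chroot with a read-only bind
# mount, one with a read-write bind mount, one with no selinuxfs at all.
sample_mounts() {
    cat <<'EOF'
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
proc /var/cache/pbuilder/build/1111/proc proc rw,relatime 0 0
selinuxfs /var/cache/pbuilder/build/1111/sys/fs/selinux selinuxfs ro,relatime 0 0
selinuxfs /var/cache/pbuilder/build/2222/sys/fs/selinux selinuxfs rw,relatime 0 0
proc /var/cache/pbuilder/build/3333/proc proc rw,relatime 0 0
EOF
}

# Demo on the constructed table.
demo_table=$(mktemp)
sample_mounts > "$demo_table"
for c in / /var/cache/pbuilder/build/1111 /var/cache/pbuilder/build/2222 \
         /var/cache/pbuilder/build/3333; do
    printf '%s: %s\n' "$c" "$(selinuxfs_state "$c" "$demo_table")"
done
rm -f "$demo_table"
```

Run against the live table (second argument omitted) while a build is in progress to see whether the chroot got the read-only or the read-write mount.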

