Selinux and pbuilder
luto at mit.edu
Thu Dec 11 00:13:35 UTC 2014
On Wed, Dec 10, 2014 at 4:03 PM, Sandro Mani <manisandro at gmail.com> wrote:
> Before digging around more, though I'd check here if some debian+selinux
> experienced person has any ideas... I'm encountering two kinds of failure
> when using pbuilder which seem selinux related:
> - When building packages for newer releases (i.e. Ubuntu >= trusty),
> pbuilder used to fail with
> dpkg: error processing archive
> <package_name>.deb (--unpack):
> cannot get security labeling handle: No such file or directory
> This looked like upstream , at the end of which it was suggested to
> bind-mount /sys/fs/selinux into the pbuilder chroot and remount it
> read-only. Did so, and things worked, horray.
> - Today I built the package for an older release, and now, with selinux
> mounted read-only, it fails with
> I: Extracting source
> Password: su: Authentication failure
Can you run setpriv -d inside your chroot and see what it says?
You could also try running su directly and confirming that it works.
> E: pbuilder: Failed extracting the source
> Reverting the patch applied to fix the first problem (or even just not
> remounting read-only), things work again for the older releases, but clearly
> not anymore for the newer releases. There are a few reports of similar
> problems here and there (, old and fixed; , not relevant here, since
> /selinux is being mounted); , old an related to pam), but nothing recent
> or particularly revealing.
> So in short: mounting read-only works for ubuntu >= trusty but breaks older,
> and mounting read-write works for older but breaks ubuntu >= trusty. (Same
> most likely applies to newish vs oldish debian, haven't tested though).
> So... Any one with any ideas?
> And heads up: I got overexcited with the fix for the first issue and already
> built a patched pbuilder, so if you are using pbuilder-0.215-12 from
> rawhide, f21+testing or f20+testing, building packages for older releases
> will currently fail. To work around, just comment/uncomment line 280 of
> /usr/lib/pbuilder/pbuilder-modules as necessary.
>  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734193
>  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384389
>  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506917
>  https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/22739
> devel mailing list
> devel at lists.fedoraproject.org
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
More information about the devel