Selinux and pbuilder

Andrew Lutomirski luto at mit.edu
Thu Dec 11 00:13:35 UTC 2014


On Wed, Dec 10, 2014 at 4:03 PM, Sandro Mani <manisandro at gmail.com> wrote:
> Hi,
>
> Before digging around more, thought I'd check here if some debian+selinux
> experienced person has any ideas... I'm encountering two kinds of failure
> when using pbuilder which seem selinux related:
>
> - When building packages for newer releases (i.e. Ubuntu >= trusty),
> pbuilder used to fail with
>
> [...]
> dpkg: error processing archive
> <package_name>.deb (--unpack):
>  cannot get security labeling handle: No such file or directory
> [...]
>
> This looked like upstream [1], at the end of which it was suggested to
> bind-mount /sys/fs/selinux into the pbuilder chroot and remount it
> read-only. Did so, and things worked, hooray.
>
> - Today I built the package for an older release, and now, with selinux
> mounted read-only, it fails with
> [...]
> I: Extracting source
> Password: su: Authentication failure

Hmm.

Can you run setpriv -d inside your chroot and see what it says?

You could also try running su directly and confirming that it works.

--Andy

> E: pbuilder: Failed extracting the source
> [...]
> Reverting the patch applied to fix the first problem (or even just not
> remounting read-only), things work again for the older releases, but clearly
> not anymore for the newer releases. There are a few reports of similar
> problems here and there ([2], old and fixed; [3], not relevant here, since
> /selinux is being mounted; [4], old and related to pam), but nothing recent
> or particularly revealing.
>
> So in short: mounting read-only works for ubuntu >= trusty but breaks older,
> and mounting read-write works for older but breaks ubuntu >= trusty. (Same
> most likely applies to newish vs oldish debian, haven't tested though).
>
>
> So... Anyone with any ideas?
>
> And heads up: I got overexcited with the fix for the first issue and already
> built a patched pbuilder, so if you are using pbuilder-0.215-12 from
> rawhide, f21+testing or f20+testing, building packages for older releases
> will currently fail. To work around, just comment/uncomment line 280 of
> /usr/lib/pbuilder/pbuilder-modules as necessary.
>
>
> Thanks,
> Sandro
>
>
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734193
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384389
> [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506917
> [4] https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/22739
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
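
Added example, not part of either message above and not pbuilder's own code: a small check for which of the two states described in the thread (selinuxfs bind-mounted read-only or read-write, or not mounted at all) a given chroot is in, read from a `/proc/mounts`-format table. The function names and the sample build paths are assumptions made for illustration.

```shell
#!/bin/sh
# Report how selinuxfs is mounted inside a chroot.
# Usage: selinuxfs_state CHROOT [MOUNTS_FILE]
# MOUNTS_FILE defaults to /proc/mounts; prints one of: absent, ro, rw.
selinuxfs_state() {
    chroot_dir=${1%/}                 # "/" becomes "", so the host itself works too
    mounts=${2:-/proc/mounts}
    target="$chroot_dir/sys/fs/selinux"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # A bind mount of selinuxfs still reports fstype "selinuxfs".
    # Later lines override earlier ones, so the most recent mount wins.
    # Limitation: mount points containing spaces (escaped as \040) are not handled.
    awk -v t="$target" '
        $2 == t && $3 == "selinuxfs" {
            state = "rw"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$mounts"
}

# Constructed sample in /proc/mounts format (build directories are illustrative).
sample_mounts() {
    cat <<'EOF'
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
selinuxfs /var/cache/pbuilder/build/1234/sys/fs/selinux selinuxfs ro,relatime 0 0
proc /var/cache/pbuilder/build/5678/proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# When run with arguments, check a real chroot against the live mount table.
if [ "$#" -gt 0 ]; then
    selinuxfs_state "$@"
fi
```

Running it against the build directory before the step that fails shows whether the read-only remount actually took effect for that chroot.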

