FC2 useradd in chroot on FC5 host with SELinux
Paul Howarth
paul at city-fan.org
Wed Aug 9 17:28:33 UTC 2006
Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Paul Howarth wrote:
>>> Stephen Smalley wrote:
>>>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>>>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> Paul Howarth wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>> I use mock to build packages for old distributions in a chroot-ed
>>>>>>>>>> environment on my FC5 box. I've pretty well got this working for all
>>>>>>>>>> old distributions now apart from FC2 (see
>>>>>>>>>> http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the process
>>>>>>>>>> gets off to quite a good start, installing the following packages
>>>>>>>>>> into the chroot:
>>>>>>>>>>
>>>>>>>>>> =============================================================================
>>>>>>>>>>  Package            Arch   Version            Repository        Size
>>>>>>>>>> =============================================================================
>>>>>>>>>> Installing:
>>>>>>>>>>  buildsys-build     noarch 0.5-1.CF.fc2       groups            1.8 k
>>>>>>>>>> Installing for dependencies:
>>>>>>>>>>  SysVinit           i386   2.85-25            core              96 k
>>>>>>>>>>  basesystem         noarch 8.0-3              core              2.7 k
>>>>>>>>>>  bash               i386   2.05b-38           core              1.5 M
>>>>>>>>>>  beecrypt           i386   3.1.0-3            core              64 k
>>>>>>>>>>  binutils           i386   2.15.90.0.3-5      core              2.8 M
>>>>>>>>>>  buildsys-macros    noarch 2-2.fc2            groups            2.1 k
>>>>>>>>>>  bzip2              i386   1.0.2-12.1         core              48 k
>>>>>>>>>>  bzip2-libs         i386   1.0.2-12.1         core              32 k
>>>>>>>>>>  chkconfig          i386   1.3.9-1.1          core              99 k
>>>>>>>>>>  coreutils          i386   5.2.1-7            core              2.8 M
>>>>>>>>>>  cpio               i386   2.5-6              core              45 k
>>>>>>>>>>  cpp                i386   3.3.3-7            core              1.4 M
>>>>>>>>>>  cracklib           i386   2.7-27.1           core              26 k
>>>>>>>>>>  cracklib-dicts     i386   2.7-27.1           core              409 k
>>>>>>>>>>  db4                i386   4.2.52-3.1         core              1.5 M
>>>>>>>>>>  dev                i386   3.3.13-1           core              3.6 M
>>>>>>>>>>  diffutils          i386   2.8.1-11           core              205 k
>>>>>>>>>>  e2fsprogs          i386   1.35-7.1           core              728 k
>>>>>>>>>>  elfutils-libelf    i386   0.95-2             core              36 k
>>>>>>>>>>  ethtool            i386   1.8-3.1            core              48 k
>>>>>>>>>>  fedora-release     i386   2-4                core              92 k
>>>>>>>>>>  file               i386   4.07-4             core              242 k
>>>>>>>>>>  filesystem         i386   2.2.4-1            core              18 k
>>>>>>>>>>  findutils          i386   1:4.1.7-25         core              102 k
>>>>>>>>>>  gawk               i386   3.1.3-7            core              1.5 M
>>>>>>>>>>  gcc                i386   3.3.3-7            core              3.8 M
>>>>>>>>>>  gcc-c++            i386   3.3.3-7            core              2.0 M
>>>>>>>>>>  gdbm               i386   1.8.0-22.1         core              26 k
>>>>>>>>>>  glib               i386   1:1.2.10-12.1.1    core              134 k
>>>>>>>>>>  glib2              i386   2.4.8-1.fc2        updates-released  477 k
>>>>>>>>>>  glibc              i686   2.3.3-27.1         updates-released  4.9 M
>>>>>>>>>>  glibc-common       i386   2.3.3-27.1         updates-released  14 M
>>>>>>>>>>  glibc-devel        i386   2.3.3-27.1         updates-released  1.9 M
>>>>>>>>>>  glibc-headers      i386   2.3.3-27.1         updates-released  530 k
>>>>>>>>>>  glibc-kernheaders  i386   2.4-8.44           core              697 k
>>>>>>>>>>  grep               i386   2.5.1-26           core              168 k
>>>>>>>>>>  gzip               i386   1.3.3-12.2.legacy  updates-released  88 k
>>>>>>>>>>  info               i386   4.7-4              updates-released  147 k
>>>>>>>>>>  initscripts        i386   7.55.2-1           updates-released  906 k
>>>>>>>>>>  iproute            i386   2.4.7-14           core              591 k
>>>>>>>>>>  iputils            i386   20020927-13        core              92 k
>>>>>>>>>>  less               i386   382-3              core              85 k
>>>>>>>>>>  libacl             i386   2.2.7-5            core              15 k
>>>>>>>>>>  libattr            i386   2.4.1-4            core              8.6 k
>>>>>>>>>>  libgcc             i386   3.3.3-7            core              33 k
>>>>>>>>>>  libselinux         i386   1.11.4-1           core              45 k
>>>>>>>>>>  libstdc++          i386   3.3.3-7            core              240 k
>>>>>>>>>>  libstdc++-devel    i386   3.3.3-7            core              1.3 M
>>>>>>>>>>  libtermcap         i386   2.0.8-38           core              12 k
>>>>>>>>>>  make               i386   1:3.80-3           core              337 k
>>>>>>>>>>  mingetty           i386   1.07-2             core              18 k
>>>>>>>>>>  mktemp             i386   2:1.5-7            core              12 k
>>>>>>>>>>  modutils           i386   2.4.26-16          core              395 k
>>>>>>>>>>  ncurses            i386   5.4-5              core              1.5 M
>>>>>>>>>>  net-tools          i386   1.60-25.1          updates-released  311 k
>>>>>>>>>>  pam                i386   0.77-40            core              1.9 M
>>>>>>>>>>  patch              i386   2.5.4-19           core              61 k
>>>>>>>>>>  pcre               i386   4.5-2              core              59 k
>>>>>>>>>>  perl               i386   3:5.8.3-18         core              11 M
>>>>>>>>>>  perl-Filter        i386   1.30-5             core              68 k
>>>>>>>>>>  popt               i386   1.9.1-0.4.1        updates-released  61 k
>>>>>>>>>>  procps             i386   3.2.0-1.2          updates-released  176 k
>>>>>>>>>>  psmisc             i386   21.4-2             core              41 k
>>>>>>>>>>  redhat-rpm-config  noarch 8.0.28-1.1.1       core              41 k
>>>>>>>>>>  rpm                i386   4.3.1-0.4.1        updates-released  2.2 M
>>>>>>>>>>  rpm-build          i386   4.3.1-0.4.1        updates-released  437 k
>>>>>>>>>>  sed                i386   4.0.8-4            core              116 k
>>>>>>>>>>  setup              noarch 2.5.33-1           core              29 k
>>>>>>>>>>  shadow-utils       i386   2:4.0.3-55         updates-released  671 k
>>>>>>>>>>  sysklogd           i386   1.4.1-16           core              65 k
>>>>>>>>>>  tar                i386   1.13.25-14         core              351 k
>>>>>>>>>>  termcap            noarch 11.0.1-18.1        core              237 k
>>>>>>>>>>  tzdata             noarch 2005f-1.fc2        updates-released  449 k
>>>>>>>>>>  unzip              i386   5.50-37            core              139 k
>>>>>>>>>>  util-linux         i386   2.12-19            updates-released  1.5 M
>>>>>>>>>>  which              i386   2.16-2             core              21 k
>>>>>>>>>>  words              noarch 2-22               core              137 k
>>>>>>>>>>  zlib               i386   1.2.1.2-0.fc2      updates-released  44 k
>>>>>>>>>>
>>>>>>>>>> After installing all of these packages successfully, the next thing
>>>>>>>>>> that happens is:
>>>>>>>>>>
>>>>>>>>>> Executing /usr/sbin/mock-helper
>>>>>>>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c
>>>>>>>>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
>>>>>>>>>>
>>>>>>>>>> and at that point the "useradd" process just hangs indefinitely. I'm
>>>>>>>>>> told that if SELinux is disabled (I've tried permissive mode and that
>>>>>>>>>> doesn't help), this works. I can't see any AVCs in the logs.
>>>>>>>>>>
>>>>>>>>>> Any ideas what might be causing this and how it might be fixed?
>>>>>>>>
>>>>>>>>> In fc2 you should disable SELinux.
>>>>>>>> I'm running this on FC5; what I'm trying to do is set up a
>>>>>>>> chroot with FC2 packages. This includes the FC2 version of
>>>>>>>> useradd, and it's this that's hanging when run in the chroot.
>>>>>>>>
>>>>>>>> I'd happily give things in the chroot the impression that
>>>>>>>> SELinux is disabled (I believe mock actually does this already)
>>>>>>>> but I *really* don't want to disable SELinux on my FC5 host.
>>>>>>>>
>>>>>>>> Paul.
>>>>>>> I have no idea why this would happen then. And I am not sure I
>>>>>>> believe them when they say that if SELinux was disabled this
>>>>>>> would work differently, unless there is a kernel bug. You are
>>>>>>> not seeing avc messages, correct?
>>>>>> Correct.
>>>>>>
>>>>>>> Usually if it does not work in permissive mode it is not an
>>>>>>> SELinux problem.
>>>>>> *Usually*...
>>>>>>
>>>>>> I guess I'll have to bite the bullet and try it with SELinux
>>>>>> disabled (so I'll have to relabel my desktop box afterwards,
>>>>>> sigh). I know of two people that have this working with SELinux
>>>>>> disabled, and I vaguely recall it working for me when I was first
>>>>>> trying this (with SELinux disabled, probably a year ago). I've got
>>>>>> it working for everything from RHL7 through to FC5 targets apart
>>>>>> from FC2, so I doubt I'm doing something significantly wrong.
>>>>> I've now got a nice shiny new x86_64 box so at last I've been able to
>>>>> sacrifice my old build system by disabling SELinux on it. My
>>>>> recollection was correct - the mock build for FC2 worked just fine with
>>>>> SELinux disabled.
>>>>>
>>>>> Any thoughts on what might be going on here?
>>>>
>>>> Did you ever try stracing the useradd process to see what it is doing at
>>>> the point where it hangs?
>>>
>>> Aha. Now we're getting somewhere:
>>>
>>> open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
>>> rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
>>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>>> open("/proc/filesystems", O_RDONLY) = 5
>>> read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
>>> open("/proc/self/attr/current", O_RDONLY) = 6
>>> read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
>>> close(6) = 0
>>> close(5) = 0
>>> open("/proc/self/attr/current", O_RDONLY) = 5
>>> read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
>>> close(5) = 0
>>> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
>>> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
>>> open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such file or directory)
>>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>>> rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
>>> time([-577099120727426906]) = 1155135654
>>> write(2, "Would you like to enter a securi"..., 48Would you like to enter a security context? [y] ) = 48
>>> ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
>>> read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted)
>>> --- SIGTERM (Terminated) @ 0 (0) ---
>>> +++ killed by SIGTERM +++
>>> Process 6199 detached
>>>
>>>
>>> Any suggestions on how I get past this request to enter a security context,
>>> or better still, have it not ask?
>>>
>>> Paul.
>> Remove multiple from pam_selinux line in /etc/pam.d/su or better yet
>> use runuser.
>
> FC2 doesn't have runuser, which is why we need to use su here.
>
> I should be able to fix /etc/pam.d/su by patching the FC2 coreutils
> package to remove the "multiple"; what's that actually do?
This didn't work. Fails in exactly the same way as before.

I do see attempted reads of the non-existent files:

/selinux/access
/selinux/enforce
/selinux/user
/etc/security/failsafe_context

and I see a read of /proc/self/attr/current returning
user_u:system_r:mock_t:s0, which clearly isn't going to be appropriate
for a process running in an FC2 chroot.

Supposing I just remove the pam_selinux from /etc/pam.d/su altogether?
Is that likely to break anything? Any other way of persuading an FC2
system that SELinux is disabled?

Paul.
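Added example, not from the thread and not code from mock or libselinux: a small POSIX shell diagnostic that replays, against any root directory you point it at, the three probes the strace above shows useradd making before it prompts (is selinuxfs listed in /proc/filesystems, what does /proc/self/attr/current contain, is /selinux/user reachable) and classifies the outcome. Reading those probes as the library's "is SELinux enabled?" check is an inference from the strace; the function names and the fake root tree the script builds for self-testing are my own, constructed data. Pointed at /var/lib/mock/fedora-2-i386-core/root (the path in the message) while /proc is mounted inside that chroot, it should report "mismatch": the host kernel advertises selinuxfs and hands the chroot process a real context, but nothing in the chroot mounts /selinux, which is the combination that leads pam_selinux to fall back to asking for a context.

```shell
#!/bin/sh
# Added example, not code from the thread, mock or libselinux.
# Replays the probes seen in the strace (paths taken from it) against a root
# directory and says what an SELinux-aware userland inside it would conclude.
# Function names and the fake tree built by make_fake_root are constructed.

# 0 if the given /proc/filesystems-style file advertises selinuxfs.
selinuxfs_listed() {
    grep -q 'selinuxfs' "$1" 2>/dev/null
}

# Print the process context found under $1/proc (NUL terminator stripped,
# as the strace shows a trailing \0), or nothing if it is unreadable.
process_context() {
    tr -d '\0' 2>/dev/null < "$1/proc/self/attr/current" || true
}

# Classify the root directory $1:
#   disabled   kernel lists no selinuxfs; userland sees SELinux as off
#   no-policy  selinuxfs present but the context is "kernel" (libselinux
#              treats that as "enabled, no policy loaded"; assumed here,
#              this case is not in the strace)
#   mismatch   selinuxfs present, real context, but no /selinux/user: the
#              state the strace shows inside the FC2 chroot
#   enabled    all three probes succeed
chroot_selinux_state() {
    root=$1
    if ! selinuxfs_listed "$root/proc/filesystems"; then
        echo disabled
        return 0
    fi
    con=$(process_context "$root")
    if [ "$con" = "kernel" ]; then
        echo no-policy
        return 0
    fi
    if [ -e "$root/selinux/user" ]; then
        echo enabled
    else
        echo mismatch
    fi
}

# Constructed stand-in for the chroot in the thread: /proc as the host kernel
# would present it (selinuxfs advertised, mock_t context), no /selinux mount.
make_fake_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/proc/self/attr"
    printf 'nodev\tsysfs\nnodev\trootfs\nnodev\tselinuxfs\n\text3\n' \
        > "$dir/proc/filesystems"
    printf 'user_u:system_r:mock_t:s0' > "$dir/proc/self/attr/current"
    echo "$dir"
}

# Usage: sh selinux-chroot-check.sh /var/lib/mock/fedora-2-i386-core/root
if [ $# -gt 0 ]; then
    chroot_selinux_state "$1"
fi
```

"mismatch" is the state to look for when a chroot hangs the way this one does: the guest userland has been told SELinux is on, yet the interface it then needs is absent. "disabled" is what the same userland sees on a host that booted without SELinux, which matches the report that the build works once SELinux is turned off on the host.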