FC2 useradd in chroot on FC5 host with SELinux

Paul Howarth paul at city-fan.org
Fri Aug 11 07:47:48 UTC 2006

On Wed, 2006-08-09 at 23:05 +0100, Paul Howarth wrote:
> On Wed, 2006-08-09 at 15:41 -0400, Stephen Smalley wrote:
> > On Wed, 2006-08-09 at 18:28 +0100, Paul Howarth wrote:
> > > Supposing I just remove the pam_selinux from /etc/pam.d/su altogether? 
> > > Is that likely to break anything? Any other way of persuading an FC2 
> > > system that SELinux is disabled?
> > 
> > Removing it should be fine (and has already happened in FC5). I'm not
> > clear on the cause though - pam_selinux returns immediately with
> > PAM_SUCCESS if is_selinux_enabled() returns <= 0.
> It got further with that line removed, and now hangs when trying to run
> rpm as the user "mockbuild" that was added by "useradd". This appears to
> be the first chroot command that's not running as root. It's not obvious
> to me what it's waiting for.

It turns out it must have been waiting for a password, because after
killing the process the echo on the terminal was turned off.

I now believe I have solved this problem. Many, many thanks to Dan and
Stephen for helping.

The mock tool does include a dummy libselinux library that returns 0 for
all calls to is_selinux_enabled(). This library is LD-PRELOAD-ed for
calls to yum to install packages into the chroot. However, it is not
LD-PRELOAD-ed for any other operation, such as running "useradd" or
"rpmbuild" in the chroot. In FC2, this results in a hangup when the user
is prompted for a new context to use if the host system has SELinux

I tried building an FC2 libselinux package with the is_selinux_enabled()
hack to install into the chroot so that this wouldn't happen, but this
appeared to have no effect. Further investigation revealed that although
I had included the hack patch in the libselinux package, and that
package was being installed into the chroot, I actually forgotten to
*apply* the patch in the hacked libselinux package and it was therefore
identical to the original FC2 libselinux package. D'oh!

After configuring mock to install the properly-hacked libselinux package
into the chroot, it appears to be building packages successfully now.

I'll try it on a few more packages and if all seems well, I'll update
the Legacy/Mock wiki page with the new information.


More information about the fedora-selinux-list mailing list