FC2 useradd in chroot on FC5 host with SELinux
Daniel J Walsh
dwalsh at redhat.com
Wed Aug 9 15:38:43 UTC 2006
Paul Howarth wrote:
> Stephen Smalley wrote:
>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>>> Daniel J Walsh wrote:
>>>>> Paul Howarth wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> Paul Howarth wrote:
>>>>>>>> I use mock to build packages for old distributions in a chroot-ed
>>>>>>>> environment on my FC5 box. I've pretty well got this working for all
>>>>>>>> old distributions now apart from FC2 (see
>>>>>>>> http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the process
>>>>>>>> gets off to quite a good start, installing the following packages
>>>>>>>> into the chroot:
>>>>>>>>
>>>>>>>> =============================================================================
>>>>>>>> Package            Arch    Version            Repository        Size
>>>>>>>> =============================================================================
>>>>>>>> Installing:
>>>>>>>> buildsys-build     noarch  0.5-1.CF.fc2       groups            1.8 k
>>>>>>>> Installing for dependencies:
>>>>>>>> SysVinit           i386    2.85-25            core              96 k
>>>>>>>> basesystem         noarch  8.0-3              core              2.7 k
>>>>>>>> bash               i386    2.05b-38           core              1.5 M
>>>>>>>> beecrypt           i386    3.1.0-3            core              64 k
>>>>>>>> binutils           i386    2.15.90.0.3-5      core              2.8 M
>>>>>>>> buildsys-macros    noarch  2-2.fc2            groups            2.1 k
>>>>>>>> bzip2              i386    1.0.2-12.1         core              48 k
>>>>>>>> bzip2-libs         i386    1.0.2-12.1         core              32 k
>>>>>>>> chkconfig          i386    1.3.9-1.1          core              99 k
>>>>>>>> coreutils          i386    5.2.1-7            core              2.8 M
>>>>>>>> cpio               i386    2.5-6              core              45 k
>>>>>>>> cpp                i386    3.3.3-7            core              1.4 M
>>>>>>>> cracklib           i386    2.7-27.1           core              26 k
>>>>>>>> cracklib-dicts     i386    2.7-27.1           core              409 k
>>>>>>>> db4                i386    4.2.52-3.1         core              1.5 M
>>>>>>>> dev                i386    3.3.13-1           core              3.6 M
>>>>>>>> diffutils          i386    2.8.1-11           core              205 k
>>>>>>>> e2fsprogs          i386    1.35-7.1           core              728 k
>>>>>>>> elfutils-libelf    i386    0.95-2             core              36 k
>>>>>>>> ethtool            i386    1.8-3.1            core              48 k
>>>>>>>> fedora-release     i386    2-4                core              92 k
>>>>>>>> file               i386    4.07-4             core              242 k
>>>>>>>> filesystem         i386    2.2.4-1            core              18 k
>>>>>>>> findutils          i386    1:4.1.7-25         core              102 k
>>>>>>>> gawk               i386    3.1.3-7            core              1.5 M
>>>>>>>> gcc                i386    3.3.3-7            core              3.8 M
>>>>>>>> gcc-c++            i386    3.3.3-7            core              2.0 M
>>>>>>>> gdbm               i386    1.8.0-22.1         core              26 k
>>>>>>>> glib               i386    1:1.2.10-12.1.1    core              134 k
>>>>>>>> glib2              i386    2.4.8-1.fc2        updates-released  477 k
>>>>>>>> glibc              i686    2.3.3-27.1         updates-released  4.9 M
>>>>>>>> glibc-common       i386    2.3.3-27.1         updates-released  14 M
>>>>>>>> glibc-devel        i386    2.3.3-27.1         updates-released  1.9 M
>>>>>>>> glibc-headers      i386    2.3.3-27.1         updates-released  530 k
>>>>>>>> glibc-kernheaders  i386    2.4-8.44           core              697 k
>>>>>>>> grep               i386    2.5.1-26           core              168 k
>>>>>>>> gzip               i386    1.3.3-12.2.legacy  updates-released  88 k
>>>>>>>> info               i386    4.7-4              updates-released  147 k
>>>>>>>> initscripts        i386    7.55.2-1           updates-released  906 k
>>>>>>>> iproute            i386    2.4.7-14           core              591 k
>>>>>>>> iputils            i386    20020927-13        core              92 k
>>>>>>>> less               i386    382-3              core              85 k
>>>>>>>> libacl             i386    2.2.7-5            core              15 k
>>>>>>>> libattr            i386    2.4.1-4            core              8.6 k
>>>>>>>> libgcc             i386    3.3.3-7            core              33 k
>>>>>>>> libselinux         i386    1.11.4-1           core              45 k
>>>>>>>> libstdc++          i386    3.3.3-7            core              240 k
>>>>>>>> libstdc++-devel    i386    3.3.3-7            core              1.3 M
>>>>>>>> libtermcap         i386    2.0.8-38           core              12 k
>>>>>>>> make               i386    1:3.80-3           core              337 k
>>>>>>>> mingetty           i386    1.07-2             core              18 k
>>>>>>>> mktemp             i386    2:1.5-7            core              12 k
>>>>>>>> modutils           i386    2.4.26-16          core              395 k
>>>>>>>> ncurses            i386    5.4-5              core              1.5 M
>>>>>>>> net-tools          i386    1.60-25.1          updates-released  311 k
>>>>>>>> pam                i386    0.77-40            core              1.9 M
>>>>>>>> patch              i386    2.5.4-19           core              61 k
>>>>>>>> pcre               i386    4.5-2              core              59 k
>>>>>>>> perl               i386    3:5.8.3-18         core              11 M
>>>>>>>> perl-Filter        i386    1.30-5             core              68 k
>>>>>>>> popt               i386    1.9.1-0.4.1        updates-released  61 k
>>>>>>>> procps             i386    3.2.0-1.2          updates-released  176 k
>>>>>>>> psmisc             i386    21.4-2             core              41 k
>>>>>>>> redhat-rpm-config  noarch  8.0.28-1.1.1       core              41 k
>>>>>>>> rpm                i386    4.3.1-0.4.1        updates-released  2.2 M
>>>>>>>> rpm-build          i386    4.3.1-0.4.1        updates-released  437 k
>>>>>>>> sed                i386    4.0.8-4            core              116 k
>>>>>>>> setup              noarch  2.5.33-1           core              29 k
>>>>>>>> shadow-utils       i386    2:4.0.3-55         updates-released  671 k
>>>>>>>> sysklogd           i386    1.4.1-16           core              65 k
>>>>>>>> tar                i386    1.13.25-14         core              351 k
>>>>>>>> termcap            noarch  11.0.1-18.1        core              237 k
>>>>>>>> tzdata             noarch  2005f-1.fc2        updates-released  449 k
>>>>>>>> unzip              i386    5.50-37            core              139 k
>>>>>>>> util-linux         i386    2.12-19            updates-released  1.5 M
>>>>>>>> which              i386    2.16-2             core              21 k
>>>>>>>> words              noarch  2-22               core              137 k
>>>>>>>> zlib               i386    1.2.1.2-0.fc2      updates-released  44 k
>>>>>>>>
>>>>>>>> After installing all of these packages successfully, the next thing
>>>>>>>> that happens is:
>>>>>>>>
>>>>>>>> Executing /usr/sbin/mock-helper
>>>>>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c
>>>>>>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
>>>>>>>>
>>>>>>>> and at that point the "useradd" process just hangs indefinitely. I'm
>>>>>>>> told that if SELinux is disabled (I've tried permissive mode and that
>>>>>>>> doesn't help), this works. I can't see any AVCs in the logs.
>>>>>>>>
>>>>>>>> Any ideas what might be causing this and how it might be fixed?
>>>>>>
>>>>>>> In fc2 you should disable SELinux.
>>>>>> I'm running this on FC5; what I'm trying to do is set up a chroot
>>>>>> with FC2 packages. This includes the FC2 version of useradd, and
>>>>>> it's this that's hanging when run in the chroot.
>>>>>>
>>>>>> I'd happily give things in the chroot the impression that SELinux
>>>>>> is disabled (I believe mock actually does this already) but I
>>>>>> *really* don't want to disable SELinux on my FC5 host.
>>>>>>
>>>>>> Paul.
>>>>> I have no idea why this would happen then. And I am not sure I
>>>>> believe them when they say that if SELinux was disabled this would
>>>>> work differently, unless there is a kernel bug. You are not
>>>>> seeing avc messages, correct?
>>>> Correct.
>>>>
>>>>> Usually if it does not work in permissive mode it is not an
>>>>> SELinux problem.
>>>> *Usually*...
>>>>
>>>> I guess I'll have to bite the bullet and try it with SELinux
>>>> disabled (so I'll have to relabel my desktop box afterwards, sigh).
>>>> I know of two people that have this working with SELinux disabled,
>>>> and I vaguely recall it working for me when I was first trying this
>>>> (with SELinux disabled, probably a year ago). I've got it working
>>>> for everything from RHL7 through to FC5 targets apart from FC2, so
>>>> I doubt I'm doing something significantly wrong.
>>> I've now got a nice shiny new x86_64 box so at last I've been able to
>>> sacrifice my old build system by disabling SELinux on it. My
>>> recollection was correct - the mock build for FC2 worked just fine with
>>> SELinux disabled.
>>>
>>> Any thoughts on what might be going on here?
>>
>> Did you ever try stracing the useradd process to see what it is doing at
>> the point where it hangs?
>
> Aha. Now we're getting somewhere:
>
> open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
> rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
> open("/proc/filesystems", O_RDONLY) = 5
> read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
> open("/proc/self/attr/current", O_RDONLY) = 6
> read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
> close(6) = 0
> close(5) = 0
> open("/proc/self/attr/current", O_RDONLY) = 5
> read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
> close(5) = 0
> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
> open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such file or directory)
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
> rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
> time([-577099120727426906]) = 1155135654
> write(2, "Would you like to enter a securi"..., 48Would you like to enter a security context? [y] ) = 48
> ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
> read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted)
> --- SIGTERM (Terminated) @ 0 (0) ---
> +++ killed by SIGTERM +++
> Process 6199 detached
>
>
> Any suggestions on how I get past this request to enter a security
> context, or better still, have it not ask?
>
> Paul.
Remove multiple from pam_selinux line in /etc/pam.d/su or better yet use
runuser.
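
The first suggestion above, applied to a chroot's /etc/pam.d/su, as an added example that is not part of the original message: it lists active pam_selinux lines that carry the `multiple` option and removes that option, keeping a backup. The sample PAM file, the function names and the temporary directory are constructed for illustration; the real FC2 file may differ.

```shell
#!/bin/sh
# Added example. The PAM file written below is a constructed sample,
# not a copy of the FC2 /etc/pam.d/su.

# Build a throwaway chroot-like tree with a sample /etc/pam.d/su; print its root.
make_sample_chroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/pam.d"
    cat > "$root/etc/pam.d/su" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_selinux.so open multiple
# session  required     /lib/security/$ISA/pam_selinux.so open multiple
EOF
    echo "$root"
}

# Print non-comment pam_selinux lines that still carry the "multiple" option.
# Exit status is grep's: 0 if any such line exists, 1 if none.
pam_selinux_multiple_lines() {
    grep -E '^[^#]*pam_selinux\.so([[:space:]]+[^[:space:]]+)*[[:space:]]+multiple([[:space:]]|$)' "$1"
}

# Remove "multiple" from non-comment pam_selinux lines; the untouched
# original is kept next to the file as <file>.orig.
strip_pam_selinux_multiple() {
    file=$1
    cp -p "$file" "$file.orig" || return 1
    sed -E '/^[^#]*pam_selinux\.so/ s/[[:space:]]+multiple([[:space:]]|$)/\1/g' \
        "$file.orig" > "$file"
}

# Demonstration on the constructed sample.
sample_root=$(make_sample_chroot)
su_conf="$sample_root/etc/pam.d/su"
echo "before:"; pam_selinux_multiple_lines "$su_conf"
strip_pam_selinux_multiple "$su_conf"
echo "after:";  pam_selinux_multiple_lines "$su_conf" || echo "(no active 'multiple' option)"
rm -rf "$sample_root"
```

For the chroot in this thread the file to check would be etc/pam.d/su under /var/lib/mock/fedora-2-i386-core/root; the host's own PAM configuration is left alone.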