FC2 useradd in chroot on FC5 host with SELinux

Daniel J Walsh dwalsh at redhat.com
Wed Aug 9 15:38:43 UTC 2006


Paul Howarth wrote:
> Stephen Smalley wrote:
>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>>> Daniel J Walsh wrote:
>>>>> Paul Howarth wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> Paul Howarth wrote:
>>>>>>>> I use mock to build packages for old distributions in a chroot-ed
>>>>>>>> environment on my FC5 box. I've pretty well got this working 
>>>>>>>> for all old
>>>>>>>> distributions now apart from FC2 (see
>>>>>>>> http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the 
>>>>>>>> process gets
>>>>>>>> off to quite a good start, installing the following packages 
>>>>>>>> into the
>>>>>>>> chroot:
>>>>>>>>
>>>>>>>> ============================================================================= 
>>>>>>>>
>>>>>>>>  Package                 Arch       Version          Repository
>>>>>>>> Size
>>>>>>>> ============================================================================= 
>>>>>>>>
>>>>>>>> Installing:
>>>>>>>>  buildsys-build          noarch     0.5-1.CF.fc2     groups
>>>>>>>> 1.8 k
>>>>>>>> Installing for dependencies:
>>>>>>>>  SysVinit                i386       2.85-25          core
>>>>>>>> 96 k
>>>>>>>>  basesystem              noarch     8.0-3            core
>>>>>>>> 2.7 k
>>>>>>>>  bash                    i386       2.05b-38         core
>>>>>>>> 1.5 M
>>>>>>>>  beecrypt                i386       3.1.0-3          core
>>>>>>>> 64 k
>>>>>>>>  binutils                i386       2.15.90.0.3-5    core
>>>>>>>> 2.8 M
>>>>>>>>  buildsys-macros         noarch     2-2.fc2          groups
>>>>>>>> 2.1 k
>>>>>>>>  bzip2                   i386       1.0.2-12.1       core
>>>>>>>> 48 k
>>>>>>>>  bzip2-libs              i386       1.0.2-12.1       core
>>>>>>>> 32 k  chkconfig               i386       1.3.9-1.1        core
>>>>>>>> 99 k
>>>>>>>>  coreutils               i386       5.2.1-7          core
>>>>>>>> 2.8 M
>>>>>>>>  cpio                    i386       2.5-6            core
>>>>>>>> 45 k
>>>>>>>>  cpp                     i386       3.3.3-7          core
>>>>>>>> 1.4 M
>>>>>>>>  cracklib                i386       2.7-27.1         core
>>>>>>>> 26 k
>>>>>>>>  cracklib-dicts          i386       2.7-27.1         core
>>>>>>>> 409 k
>>>>>>>>  db4                     i386       4.2.52-3.1       core
>>>>>>>> 1.5 M
>>>>>>>>  dev                     i386       3.3.13-1         core
>>>>>>>> 3.6 M
>>>>>>>>  diffutils               i386       2.8.1-11         core
>>>>>>>> 205 k
>>>>>>>>  e2fsprogs               i386       1.35-7.1         core
>>>>>>>> 728 k
>>>>>>>>  elfutils-libelf         i386       0.95-2           core
>>>>>>>> 36 k
>>>>>>>>  ethtool                 i386       1.8-3.1          core
>>>>>>>> 48 k
>>>>>>>>  fedora-release          i386       2-4              core
>>>>>>>> 92 k
>>>>>>>>  file                    i386       4.07-4           core
>>>>>>>> 242 k
>>>>>>>>  filesystem              i386       2.2.4-1          core
>>>>>>>> 18 k
>>>>>>>>  findutils               i386       1:4.1.7-25       core
>>>>>>>> 102 k
>>>>>>>>  gawk                    i386       3.1.3-7          core
>>>>>>>> 1.5 M
>>>>>>>>  gcc                     i386       3.3.3-7          core
>>>>>>>> 3.8 M
>>>>>>>>  gcc-c++                 i386       3.3.3-7          core
>>>>>>>> 2.0 M
>>>>>>>>  gdbm                    i386       1.8.0-22.1       core
>>>>>>>> 26 k
>>>>>>>>  glib                    i386       1:1.2.10-12.1.1  core
>>>>>>>> 134 k
>>>>>>>>  glib2                   i386       2.4.8-1.fc2      
>>>>>>>> updates-released
>>>>>>>> 477 k
>>>>>>>>  glibc                   i686       2.3.3-27.1       
>>>>>>>> updates-released
>>>>>>>> 4.9 M
>>>>>>>>  glibc-common            i386       2.3.3-27.1       
>>>>>>>> updates-released
>>>>>>>> 14 M
>>>>>>>>  glibc-devel             i386       2.3.3-27.1       
>>>>>>>> updates-released
>>>>>>>> 1.9 M
>>>>>>>>  glibc-headers           i386       2.3.3-27.1       
>>>>>>>> updates-released
>>>>>>>> 530 k
>>>>>>>>  glibc-kernheaders       i386       2.4-8.44         core
>>>>>>>> 697 k
>>>>>>>>  grep                    i386       2.5.1-26         core
>>>>>>>> 168 k
>>>>>>>>  gzip                    i386       1.3.3-12.2.legacy  
>>>>>>>> updates-released
>>>>>>>> 88 k
>>>>>>>>  info                    i386       4.7-4            
>>>>>>>> updates-released
>>>>>>>> 147 k
>>>>>>>>  initscripts             i386       7.55.2-1         
>>>>>>>> updates-released
>>>>>>>> 906 k
>>>>>>>>  iproute                 i386       2.4.7-14         core
>>>>>>>> 591 k
>>>>>>>>  iputils                 i386       20020927-13      core
>>>>>>>> 92 k
>>>>>>>>  less                    i386       382-3            core
>>>>>>>> 85 k
>>>>>>>>  libacl                  i386       2.2.7-5          core
>>>>>>>> 15 k
>>>>>>>>  libattr                 i386       2.4.1-4          core
>>>>>>>> 8.6 k
>>>>>>>>  libgcc                  i386       3.3.3-7          core
>>>>>>>> 33 k
>>>>>>>>  libselinux              i386       1.11.4-1         core
>>>>>>>> 45 k
>>>>>>>>  libstdc++               i386       3.3.3-7          core
>>>>>>>> 240 k
>>>>>>>>  libstdc++-devel         i386       3.3.3-7          core
>>>>>>>> 1.3 M
>>>>>>>>  libtermcap              i386       2.0.8-38         core
>>>>>>>> 12 k
>>>>>>>>  make                    i386       1:3.80-3         core
>>>>>>>> 337 k
>>>>>>>>  mingetty                i386       1.07-2           core
>>>>>>>> 18 k
>>>>>>>>  mktemp                  i386       2:1.5-7          core
>>>>>>>> 12 k
>>>>>>>>  modutils                i386       2.4.26-16        core
>>>>>>>> 395 k
>>>>>>>>  ncurses                 i386       5.4-5            core
>>>>>>>> 1.5 M
>>>>>>>>  net-tools               i386       1.60-25.1        
>>>>>>>> updates-released
>>>>>>>> 311 k
>>>>>>>>  pam                     i386       0.77-40          core
>>>>>>>> 1.9 M
>>>>>>>>  patch                   i386       2.5.4-19         core
>>>>>>>> 61 k
>>>>>>>>  pcre                    i386       4.5-2            core
>>>>>>>> 59 k
>>>>>>>>  perl                    i386       3:5.8.3-18       core
>>>>>>>> 11 M
>>>>>>>>  perl-Filter             i386       1.30-5           core
>>>>>>>> 68 k
>>>>>>>>  popt                    i386       1.9.1-0.4.1      
>>>>>>>> updates-released
>>>>>>>> 61 k
>>>>>>>>  procps                  i386       3.2.0-1.2        
>>>>>>>> updates-released
>>>>>>>> 176 k
>>>>>>>>  psmisc                  i386       21.4-2           core
>>>>>>>> 41 k
>>>>>>>>  redhat-rpm-config       noarch     8.0.28-1.1.1     core
>>>>>>>> 41 k
>>>>>>>>  rpm                     i386       4.3.1-0.4.1      
>>>>>>>> updates-released
>>>>>>>> 2.2 M
>>>>>>>>  rpm-build               i386       4.3.1-0.4.1      
>>>>>>>> updates-released
>>>>>>>> 437 k
>>>>>>>>  sed                     i386       4.0.8-4          core
>>>>>>>> 116 k
>>>>>>>>  setup                   noarch     2.5.33-1         core
>>>>>>>> 29 k
>>>>>>>>  shadow-utils            i386       2:4.0.3-55       
>>>>>>>> updates-released
>>>>>>>> 671 k
>>>>>>>>  sysklogd                i386       1.4.1-16         core
>>>>>>>> 65 k
>>>>>>>>  tar                     i386       1.13.25-14       core
>>>>>>>> 351 k
>>>>>>>>  termcap                 noarch     11.0.1-18.1      core
>>>>>>>> 237 k
>>>>>>>>  tzdata                  noarch     2005f-1.fc2      
>>>>>>>> updates-released
>>>>>>>> 449 k
>>>>>>>>  unzip                   i386       5.50-37          core
>>>>>>>> 139 k
>>>>>>>>  util-linux              i386       2.12-19          
>>>>>>>> updates-released
>>>>>>>> 1.5 M
>>>>>>>>  which                   i386       2.16-2           core
>>>>>>>> 21 k
>>>>>>>>  words                   noarch     2-22             core
>>>>>>>> 137 k
>>>>>>>>  zlib                    i386       1.2.1.2-0.fc2    
>>>>>>>> updates-released
>>>>>>>> 44 k
>>>>>>>>
>>>>>>>> After installing all of these packages successfully, the next 
>>>>>>>> thing that
>>>>>>>> happens is:
>>>>>>>>
>>>>>>>> Executing /usr/sbin/mock-helper
>>>>>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c
>>>>>>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
>>>>>>>>
>>>>>>>> and at that point the "useradd" process just hangs 
>>>>>>>> indefinitely. I'm
>>>>>>>> told that if SELinux is disabled (I've tried permissive mode 
>>>>>>>> and that
>>>>>>>> doesn't help), this works. I can't see any AVCs in the logs.
>>>>>>>>
>>>>>>>> Any ideas what might be causing this and how it might be fixed?
>>>>>>
>>>>>>> In fc2 you should disable SELinux.
>>>>>> I'm running this on FC5; what I'm trying to do is set up a chroot 
>>>>>> with FC2 packages. This includes the FC2 version of useradd, and 
>>>>>> it's this that's hanging when run in the chroot.
>>>>>>
>>>>>> I'd happily give things in the chroot the impression that SELinux 
>>>>>> is disabled (I believe mock actually does this already) but I 
>>>>>> *really* don't want to disable SELinux on my FC5 host.
>>>>>>
>>>>>> Paul.
>>>>> I have no idea why this would happen then. And I am not sure I 
>>>>> believe them when they say that if SELinux was disabled this would 
>>>>> work differently, unless there is a kernel bug.  You are not 
>>>>> seeing avc messages, correct?
>>>> Correct.
>>>>
>>>>> Usually if it does not work in permissive mode it is not an 
>>>>> SELinux problem.
>>>> *Usually*...
>>>>
>>>> I guess I'll have to bite the bullet and try it with SELinux 
>>>> disabled (so I'll have to relabel my desktop box afterwards, sigh). 
>>>> I know of two people that have this working with SELinux disabled, 
>>>> and I vaguely recall it working for me when I was first trying this 
>>>> (with SELinux disabled, probably a year ago). I've got it working 
>>>> for everything from RHL7 through to FC5 targets apart from FC2, so 
>>>> I doubt I'm doing something significantly wrong.
>>> I've now got a nice shiny new x86_64 box so at last I've been able to
>>> sacrifice my old build system by disabling SELinux on it. My
>>> recollection was correct - the mock build for FC2 worked just fine with
>>> SELinux disabled.
>>>
>>> Any thoughts on what might be going on here?
>>
>> Did you ever try stracing the useradd process to see what it is doing at
>> the point where it hangs?
>
> Aha. Now we're getting somewhere:
>
> open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or 
> directory)
> rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo 
> ...}) = 0
> open("/proc/filesystems", O_RDONLY)     = 5
> read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
> open("/proc/self/attr/current", O_RDONLY) = 6
> read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
> close(6)                                = 0
> close(5)                                = 0
> open("/proc/self/attr/current", O_RDONLY) = 5
> read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
> close(5)                                = 0
> open("/selinux/user", O_RDWR)           = -1 ENOENT (No such file or 
> directory)
> open("/selinux/user", O_RDWR)           = -1 ENOENT (No such file or 
> directory)
> open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such 
> file or directory)
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo 
> ...}) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo 
> ...}) = 0
> rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
> time([-577099120727426906])             = 1155135654
> write(2, "Would you like to enter a securi"..., 48Would you like to 
> enter a security context? [y] ) = 48
> ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon 
> echo ...}) = 0
> read(0, 0xff90f920, 511)                = ? ERESTARTSYS (To be restarted)
> --- SIGTERM (Terminated) @ 0 (0) ---
> +++ killed by SIGTERM +++
> Process 6199 detached
>
>
> Any suggestions on how I get past this request to enter a security 
> context, or better still, have it not ask?
>
> Paul.
Remove multiple from pam_selinux line in /etc/pam.d/su or better yet use 
runuser.




More information about the fedora-selinux-list mailing list