FC2 useradd in chroot on FC5 host with SELinux

Paul Howarth paul at city-fan.org
Wed Aug 9 15:55:35 UTC 2006


Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> Paul Howarth wrote:
>>>>>>> Daniel J Walsh wrote:
>>>>>>>> Paul Howarth wrote:
>>>>>>>>> I use mock to build packages for old distributions in a chroot-ed
>>>>>>>>> environment on my FC5 box. I've pretty well got this working 
>>>>>>>>> for all old
>>>>>>>>> distributions now apart from FC2 (see
>>>>>>>>> http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the 
>>>>>>>>> process gets
>>>>>>>>> off to quite a good start, installing the following packages 
>>>>>>>>> into the
>>>>>>>>> chroot:
>>>>>>>>>
>>>>>>>>> =============================================================================
>>>>>>>>>  Package                 Arch       Version          Repository         Size
>>>>>>>>> =============================================================================
>>>>>>>>> Installing:
>>>>>>>>>  buildsys-build          noarch     0.5-1.CF.fc2     groups            1.8 k
>>>>>>>>> Installing for dependencies:
>>>>>>>>>  SysVinit                i386       2.85-25          core               96 k
>>>>>>>>>  basesystem              noarch     8.0-3            core              2.7 k
>>>>>>>>>  bash                    i386       2.05b-38         core              1.5 M
>>>>>>>>>  beecrypt                i386       3.1.0-3          core               64 k
>>>>>>>>>  binutils                i386       2.15.90.0.3-5    core              2.8 M
>>>>>>>>>  buildsys-macros         noarch     2-2.fc2          groups            2.1 k
>>>>>>>>>  bzip2                   i386       1.0.2-12.1       core               48 k
>>>>>>>>>  bzip2-libs              i386       1.0.2-12.1       core               32 k
>>>>>>>>>  chkconfig               i386       1.3.9-1.1        core               99 k
>>>>>>>>>  coreutils               i386       5.2.1-7          core              2.8 M
>>>>>>>>>  cpio                    i386       2.5-6            core               45 k
>>>>>>>>>  cpp                     i386       3.3.3-7          core              1.4 M
>>>>>>>>>  cracklib                i386       2.7-27.1         core               26 k
>>>>>>>>>  cracklib-dicts          i386       2.7-27.1         core              409 k
>>>>>>>>>  db4                     i386       4.2.52-3.1       core              1.5 M
>>>>>>>>>  dev                     i386       3.3.13-1         core              3.6 M
>>>>>>>>>  diffutils               i386       2.8.1-11         core              205 k
>>>>>>>>>  e2fsprogs               i386       1.35-7.1         core              728 k
>>>>>>>>>  elfutils-libelf         i386       0.95-2           core               36 k
>>>>>>>>>  ethtool                 i386       1.8-3.1          core               48 k
>>>>>>>>>  fedora-release          i386       2-4              core               92 k
>>>>>>>>>  file                    i386       4.07-4           core              242 k
>>>>>>>>>  filesystem              i386       2.2.4-1          core               18 k
>>>>>>>>>  findutils               i386       1:4.1.7-25       core              102 k
>>>>>>>>>  gawk                    i386       3.1.3-7          core              1.5 M
>>>>>>>>>  gcc                     i386       3.3.3-7          core              3.8 M
>>>>>>>>>  gcc-c++                 i386       3.3.3-7          core              2.0 M
>>>>>>>>>  gdbm                    i386       1.8.0-22.1       core               26 k
>>>>>>>>>  glib                    i386       1:1.2.10-12.1.1  core              134 k
>>>>>>>>>  glib2                   i386       2.4.8-1.fc2      updates-released  477 k
>>>>>>>>>  glibc                   i686       2.3.3-27.1       updates-released  4.9 M
>>>>>>>>>  glibc-common            i386       2.3.3-27.1       updates-released   14 M
>>>>>>>>>  glibc-devel             i386       2.3.3-27.1       updates-released  1.9 M
>>>>>>>>>  glibc-headers           i386       2.3.3-27.1       updates-released  530 k
>>>>>>>>>  glibc-kernheaders       i386       2.4-8.44         core              697 k
>>>>>>>>>  grep                    i386       2.5.1-26         core              168 k
>>>>>>>>>  gzip                    i386       1.3.3-12.2.legacy  updates-released   88 k
>>>>>>>>>  info                    i386       4.7-4            updates-released  147 k
>>>>>>>>>  initscripts             i386       7.55.2-1         updates-released  906 k
>>>>>>>>>  iproute                 i386       2.4.7-14         core              591 k
>>>>>>>>>  iputils                 i386       20020927-13      core               92 k
>>>>>>>>>  less                    i386       382-3            core               85 k
>>>>>>>>>  libacl                  i386       2.2.7-5          core               15 k
>>>>>>>>>  libattr                 i386       2.4.1-4          core              8.6 k
>>>>>>>>>  libgcc                  i386       3.3.3-7          core               33 k
>>>>>>>>>  libselinux              i386       1.11.4-1         core               45 k
>>>>>>>>>  libstdc++               i386       3.3.3-7          core              240 k
>>>>>>>>>  libstdc++-devel         i386       3.3.3-7          core              1.3 M
>>>>>>>>>  libtermcap              i386       2.0.8-38         core               12 k
>>>>>>>>>  make                    i386       1:3.80-3         core              337 k
>>>>>>>>>  mingetty                i386       1.07-2           core               18 k
>>>>>>>>>  mktemp                  i386       2:1.5-7          core               12 k
>>>>>>>>>  modutils                i386       2.4.26-16        core              395 k
>>>>>>>>>  ncurses                 i386       5.4-5            core              1.5 M
>>>>>>>>>  net-tools               i386       1.60-25.1        updates-released  311 k
>>>>>>>>>  pam                     i386       0.77-40          core              1.9 M
>>>>>>>>>  patch                   i386       2.5.4-19         core               61 k
>>>>>>>>>  pcre                    i386       4.5-2            core               59 k
>>>>>>>>>  perl                    i386       3:5.8.3-18       core               11 M
>>>>>>>>>  perl-Filter             i386       1.30-5           core               68 k
>>>>>>>>>  popt                    i386       1.9.1-0.4.1      updates-released   61 k
>>>>>>>>>  procps                  i386       3.2.0-1.2        updates-released  176 k
>>>>>>>>>  psmisc                  i386       21.4-2           core               41 k
>>>>>>>>>  redhat-rpm-config       noarch     8.0.28-1.1.1     core               41 k
>>>>>>>>>  rpm                     i386       4.3.1-0.4.1      updates-released  2.2 M
>>>>>>>>>  rpm-build               i386       4.3.1-0.4.1      updates-released  437 k
>>>>>>>>>  sed                     i386       4.0.8-4          core              116 k
>>>>>>>>>  setup                   noarch     2.5.33-1         core               29 k
>>>>>>>>>  shadow-utils            i386       2:4.0.3-55       updates-released  671 k
>>>>>>>>>  sysklogd                i386       1.4.1-16         core               65 k
>>>>>>>>>  tar                     i386       1.13.25-14       core              351 k
>>>>>>>>>  termcap                 noarch     11.0.1-18.1      core              237 k
>>>>>>>>>  tzdata                  noarch     2005f-1.fc2      updates-released  449 k
>>>>>>>>>  unzip                   i386       5.50-37          core              139 k
>>>>>>>>>  util-linux              i386       2.12-19          updates-released  1.5 M
>>>>>>>>>  which                   i386       2.16-2           core               21 k
>>>>>>>>>  words                   noarch     2-22             core              137 k
>>>>>>>>>  zlib                    i386       1.2.1.2-0.fc2    updates-released   44 k
>>>>>>>>>
>>>>>>>>> After installing all of these packages successfully, the next 
>>>>>>>>> thing that
>>>>>>>>> happens is:
>>>>>>>>>
>>>>>>>>> Executing /usr/sbin/mock-helper
>>>>>>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c
>>>>>>>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
>>>>>>>>>
>>>>>>>>> and at that point the "useradd" process just hangs 
>>>>>>>>> indefinitely. I'm
>>>>>>>>> told that if SELinux is disabled (I've tried permissive mode 
>>>>>>>>> and that
>>>>>>>>> doesn't help), this works. I can't see any AVCs in the logs.
>>>>>>>>>
>>>>>>>>> Any ideas what might be causing this and how it might be fixed?
>>>>>>>
>>>>>>>> In fc2 you should disable SELinux.
>>>>>>> I'm running this on FC5; what I'm trying to do is set up a chroot 
>>>>>>> with FC2 packages. This includes the FC2 version of useradd, and 
>>>>>>> it's this that's hanging when run in the chroot.
>>>>>>>
>>>>>>> I'd happily give things in the chroot the impression that SELinux 
>>>>>>> is disabled (I believe mock actually does this already) but I 
>>>>>>> *really* don't want to disable SELinux on my FC5 host.
>>>>>>>
>>>>>>> Paul.
>>>>>> I have no idea why this would happen then. And I am not sure I 
>>>>>> believe them when they say that if SELinux was disabled this would 
>>>>>> work differently, unless there is a kernel bug.  You are not 
>>>>>> seeing avc messages, correct?
>>>>> Correct.
>>>>>
>>>>>> Usually if it does not work in permissive mode it is not an 
>>>>>> SELinux problem.
>>>>> *Usually*...
>>>>>
>>>>> I guess I'll have to bite the bullet and try it with SELinux 
>>>>> disabled (so I'll have to relabel my desktop box afterwards, sigh). 
>>>>> I know of two people that have this working with SELinux disabled, 
>>>>> and I vaguely recall it working for me when I was first trying this 
>>>>> (with SELinux disabled, probably a year ago). I've got it working 
>>>>> for everything from RHL7 through to FC5 targets apart from FC2, so 
>>>>> I doubt I'm doing something significantly wrong.
>>>> I've now got a nice shiny new x86_64 box so at last I've been able to
>>>> sacrifice my old build system by disabling SELinux on it. My
>>>> recollection was correct - the mock build for FC2 worked just fine with
>>>> SELinux disabled.
>>>>
>>>> Any thoughts on what might be going on here?
>>>
>>> Did you ever try stracing the useradd process to see what it is doing at
>>> the point where it hangs?
>>
>> Aha. Now we're getting somewhere:
>>
>> open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
>> rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>> open("/proc/filesystems", O_RDONLY)     = 5
>> read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
>> open("/proc/self/attr/current", O_RDONLY) = 6
>> read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
>> close(6)                                = 0
>> close(5)                                = 0
>> open("/proc/self/attr/current", O_RDONLY) = 5
>> read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
>> close(5)                                = 0
>> open("/selinux/user", O_RDWR)           = -1 ENOENT (No such file or directory)
>> open("/selinux/user", O_RDWR)           = -1 ENOENT (No such file or directory)
>> open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such file or directory)
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
>> rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
>> time([-577099120727426906])             = 1155135654
>> write(2, "Would you like to enter a securi"..., 48Would you like to enter a security context? [y] ) = 48
>> ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
>> read(0, 0xff90f920, 511)                = ? ERESTARTSYS (To be restarted)
>> --- SIGTERM (Terminated) @ 0 (0) ---
>> +++ killed by SIGTERM +++
>> Process 6199 detached
>>
>>
>> Any suggestions on how I get past this request to enter a security 
>> context, or better still, have it not ask?
>>
>> Paul.
> Remove multiple from pam_selinux line in /etc/pam.d/su or better yet use 
> runuser.

FC2 doesn't have runuser, which is why we need to use su here.

I should be able to fix /etc/pam.d/su by patching the FC2 coreutils 
package to remove the "multiple"; what does that actually do?

Mock includes a dummy libselinux that works for FC3 onwards in 
convincing programs running in the chroot that selinux is disabled:

#include <selinux/selinux.h>

extern int is_selinux_enabled(void)
{
   /* always return 0; this way we don't trigger any SELINUX calls */
   return 0;
}

/* this function gives failures when installing basic rpms in the root;
 * so we fake it out as well */
extern int lsetfilecon(const char *path, security_context_t con)
{
   return 0;
}

Why does this not seem to be working for FC2?

Paul.
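As an added example (not code from mock, from this thread, or from FC2), here is a small C probe that reproduces, outside libselinux, the three checks visible in the strace above: whether selinuxfs is listed in /proc/filesystems, whether /proc/self/attr/current yields a context, and whether /selinux/user can be opened. The file names and the open() flags come straight from the strace; the function names (has_selinuxfs, read_small_file, probe_selinux) and the result structure are assumptions of this example. Build it with gcc and run it inside the chroot to see which of those signals a program in the chroot still sees, independently of what a dummy is_selinux_enabled() returns.

```c
/* selinux_probe.c: reproduce the three SELinux-state checks visible in the
 * strace above, without going through libselinux.  Added example, not mock
 * code.  Build: gcc -Wall -o selinux_probe selinux_probe.c ; run in the chroot. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read at most bufsz-1 bytes of a small pseudo-file into buf (NUL-terminated).
 * Returns the byte count, or -1 with errno set if it cannot be opened or read
 * (on a non-SELinux kernel /proc/self/attr/current exists but read() fails). */
static int read_small_file(const char *path, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    return (int)n;
}

/* /proc/filesystems is one "[nodev\t]name\n" entry per line.  Return 1 only if
 * some line names selinuxfs exactly, not merely contains it as a substring. */
int has_selinuxfs(const char *filesystems)
{
    const char *p = filesystems;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *name = memchr(p, '\t', len);   /* skip the optional "nodev" */
        size_t namelen;
        if (name) {
            name++;
            namelen = len - (size_t)(name - p);
        } else {
            name = p;
            namelen = len;
        }
        if (namelen == 9 && memcmp(name, "selinuxfs", 9) == 0)
            return 1;
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

struct selinux_probe {
    int kernel_has_selinuxfs;   /* selinuxfs listed in /proc/filesystems      */
    int has_context;            /* /proc/self/attr/current gave a context     */
    int selinuxfs_mounted;      /* /selinux/user openable, i.e. selinuxfs here */
    char context[256];          /* the context string, if one was read        */
};

/* Run the three live checks; returns how many of them came back positive. */
int probe_selinux(struct selinux_probe *r)
{
    char buf[4096];
    memset(r, 0, sizeof *r);
    if (read_small_file("/proc/filesystems", buf, sizeof buf) > 0)
        r->kernel_has_selinuxfs = has_selinuxfs(buf);
    if (read_small_file("/proc/self/attr/current", r->context, sizeof r->context) > 0
        && r->context[0] != '\0')
        r->has_context = 1;
    int fd = open("/selinux/user", O_RDWR);     /* same call as in the strace */
    if (fd >= 0) {
        r->selinuxfs_mounted = 1;
        close(fd);
    }
    return r->kernel_has_selinuxfs + r->has_context + r->selinuxfs_mounted;
}

int main(void)
{
    struct selinux_probe r;
    int positives = probe_selinux(&r);
    printf("selinuxfs in /proc/filesystems : %s\n", r.kernel_has_selinuxfs ? "yes" : "no");
    printf("/proc/self/attr/current        : %s\n", r.has_context ? r.context : "(unreadable)");
    printf("/selinux/user openable         : %s\n", r.selinuxfs_mounted ? "yes" : "no");
    if (r.has_context && !r.selinuxfs_mounted)
        puts("context visible but no selinuxfs here: the same state the strace shows just before the prompt");
    return positives;
}
```

The context is read from /proc, not from libselinux, so a dummy library cannot hide it; whether a particular program consults is_selinux_enabled() or reads /proc/self/attr/current itself has to be checked per program, and strace, as above, is the way to find out.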




More information about the fedora-selinux-list mailing list