FC2 useradd in chroot on FC5 host with SELinux
Paul Howarth
paul at city-fan.org
Thu Jul 13 16:59:12 UTC 2006
Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Daniel J Walsh wrote:
>>> Paul Howarth wrote:
>>>> I use mock to build packages for old distributions in a chroot-ed
>>>> environment on my FC5 box. I've pretty well got this working for all old
>>>> distributions now apart from FC2 (see
>>>> http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the process gets
>>>> off to quite a good start, installing the following packages into the
>>>> chroot:
>>>>
>>>> ====================================================================
>>>> Package           Arch   Version           Repository       Size
>>>> ====================================================================
>>>> Installing:
>>>> buildsys-build    noarch 0.5-1.CF.fc2      groups           1.8 k
>>>> Installing for dependencies:
>>>> SysVinit          i386   2.85-25           core             96 k
>>>> basesystem        noarch 8.0-3             core             2.7 k
>>>> bash              i386   2.05b-38          core             1.5 M
>>>> beecrypt          i386   3.1.0-3           core             64 k
>>>> binutils          i386   2.15.90.0.3-5     core             2.8 M
>>>> buildsys-macros   noarch 2-2.fc2           groups           2.1 k
>>>> bzip2             i386   1.0.2-12.1        core             48 k
>>>> bzip2-libs        i386   1.0.2-12.1        core             32 k
>>>> chkconfig         i386   1.3.9-1.1         core             99 k
>>>> coreutils         i386   5.2.1-7           core             2.8 M
>>>> cpio              i386   2.5-6             core             45 k
>>>> cpp               i386   3.3.3-7           core             1.4 M
>>>> cracklib          i386   2.7-27.1          core             26 k
>>>> cracklib-dicts    i386   2.7-27.1          core             409 k
>>>> db4               i386   4.2.52-3.1        core             1.5 M
>>>> dev               i386   3.3.13-1          core             3.6 M
>>>> diffutils         i386   2.8.1-11          core             205 k
>>>> e2fsprogs         i386   1.35-7.1          core             728 k
>>>> elfutils-libelf   i386   0.95-2            core             36 k
>>>> ethtool           i386   1.8-3.1           core             48 k
>>>> fedora-release    i386   2-4               core             92 k
>>>> file              i386   4.07-4            core             242 k
>>>> filesystem        i386   2.2.4-1           core             18 k
>>>> findutils         i386   1:4.1.7-25        core             102 k
>>>> gawk              i386   3.1.3-7           core             1.5 M
>>>> gcc               i386   3.3.3-7           core             3.8 M
>>>> gcc-c++           i386   3.3.3-7           core             2.0 M
>>>> gdbm              i386   1.8.0-22.1        core             26 k
>>>> glib              i386   1:1.2.10-12.1.1   core             134 k
>>>> glib2             i386   2.4.8-1.fc2       updates-released 477 k
>>>> glibc             i686   2.3.3-27.1        updates-released 4.9 M
>>>> glibc-common      i386   2.3.3-27.1        updates-released 14 M
>>>> glibc-devel       i386   2.3.3-27.1        updates-released 1.9 M
>>>> glibc-headers     i386   2.3.3-27.1        updates-released 530 k
>>>> glibc-kernheaders i386   2.4-8.44          core             697 k
>>>> grep              i386   2.5.1-26          core             168 k
>>>> gzip              i386   1.3.3-12.2.legacy updates-released 88 k
>>>> info              i386   4.7-4             updates-released 147 k
>>>> initscripts       i386   7.55.2-1          updates-released 906 k
>>>> iproute           i386   2.4.7-14          core             591 k
>>>> iputils           i386   20020927-13       core             92 k
>>>> less              i386   382-3             core             85 k
>>>> libacl            i386   2.2.7-5           core             15 k
>>>> libattr           i386   2.4.1-4           core             8.6 k
>>>> libgcc            i386   3.3.3-7           core             33 k
>>>> libselinux        i386   1.11.4-1          core             45 k
>>>> libstdc++         i386   3.3.3-7           core             240 k
>>>> libstdc++-devel   i386   3.3.3-7           core             1.3 M
>>>> libtermcap        i386   2.0.8-38          core             12 k
>>>> make              i386   1:3.80-3          core             337 k
>>>> mingetty          i386   1.07-2            core             18 k
>>>> mktemp            i386   2:1.5-7           core             12 k
>>>> modutils          i386   2.4.26-16         core             395 k
>>>> ncurses           i386   5.4-5             core             1.5 M
>>>> net-tools         i386   1.60-25.1         updates-released 311 k
>>>> pam               i386   0.77-40           core             1.9 M
>>>> patch             i386   2.5.4-19          core             61 k
>>>> pcre              i386   4.5-2             core             59 k
>>>> perl              i386   3:5.8.3-18        core             11 M
>>>> perl-Filter       i386   1.30-5            core             68 k
>>>> popt              i386   1.9.1-0.4.1       updates-released 61 k
>>>> procps            i386   3.2.0-1.2         updates-released 176 k
>>>> psmisc            i386   21.4-2            core             41 k
>>>> redhat-rpm-config noarch 8.0.28-1.1.1      core             41 k
>>>> rpm               i386   4.3.1-0.4.1       updates-released 2.2 M
>>>> rpm-build         i386   4.3.1-0.4.1       updates-released 437 k
>>>> sed               i386   4.0.8-4           core             116 k
>>>> setup             noarch 2.5.33-1          core             29 k
>>>> shadow-utils      i386   2:4.0.3-55        updates-released 671 k
>>>> sysklogd          i386   1.4.1-16          core             65 k
>>>> tar               i386   1.13.25-14        core             351 k
>>>> termcap           noarch 11.0.1-18.1       core             237 k
>>>> tzdata            noarch 2005f-1.fc2       updates-released 449 k
>>>> unzip             i386   5.50-37           core             139 k
>>>> util-linux        i386   2.12-19           updates-released 1.5 M
>>>> which             i386   2.16-2            core             21 k
>>>> words             noarch 2-22              core             137 k
>>>> zlib              i386   1.2.1.2-0.fc2     updates-released 44 k
>>>>
>>>> After installing all of these packages successfully, the next thing that
>>>> happens is:
>>>>
>>>> Executing /usr/sbin/mock-helper
>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c
>>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
>>>>
>>>> and at that point the "useradd" process just hangs indefinitely. I'm
>>>> told that if SELinux is disabled (I've tried permissive mode and that
>>>> doesn't help), this works. I can't see any AVCs in the logs.
>>>>
>>>> Any ideas what might be causing this and how it might be fixed?
>>
>>
>>> In fc2 you should disable SELinux.
>>
>> I'm running this on FC5; what I'm trying to do is set up a chroot with
>> FC2 packages. This includes the FC2 version of useradd, and it's this
>> that's hanging when run in the chroot.
>>
>> I'd happily give things in the chroot the impression that SELinux is
>> disabled (I believe mock actually does this already) but I *really*
>> don't want to disable SELinux on my FC5 host.
>>
>> Paul.
> I have no idea why this would happen then. And I am not sure I believe
> them when they say that if SELinux was disabled this would work
> differently, unless there is a kernel bug. You are not seeing avc
> messages, correct?

Correct.

> Usually if it does not work in permissive mode it is
> not an SELinux problem.

*Usually*...

I guess I'll have to bite the bullet and try it with SELinux disabled
(so I'll have to relabel my desktop box afterwards, sigh). I know of two
people that have this working with SELinux disabled, and I vaguely
recall it working for me when I was first trying this (with SELinux
disabled, probably a year ago). I've got it working for everything from
RHL7 through to FC5 targets apart from FC2, so I doubt I'm doing
something significantly wrong.
Paul.