Bug 1747215
Summary: | Building live images using livemedia-creator --no-virt with SELinux in permissive mode fails due to chpasswd crash | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | shadow-utils | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 31 | CC: | bcl, dwalsh, mgrepl, plautrba, pvrabec, tmraz, vmojzis |
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | openqa | ||
Fixed In Version: | shadow-utils-4.6-16.fc31 | Doc Type: | If docs needed, set a value |
Last Closed: | 2019-09-17 02:18:42 UTC | Type: | Bug |
Description
Adam Williamson
2019-08-29 23:43:25 UTC
It looks like this problem: https://bugzilla.redhat.com/show_bug.cgi?id=1321375

If it's the same problem, its core is explained in https://bugzilla.redhat.com/show_bug.cgi?id=1321375#c15

There was a suggestion that shadow-utils could ignore the SELinux call failure in permissive mode, and there's also a described workaround - https://bugzilla.redhat.com/show_bug.cgi?id=1321375#c18

libselinux upstream does not recommend changes in libselinux as it could be hard not to break some other use cases and checks, and it would not be applicable on Android. Therefore I'm looking into the possibility of updating the chpasswd code in order not to do SELinux checks when it's chroot'ed or something similar.

In the meantime, maybe 'echo -n root:tux | chroot /var/lib/machines/example/ chpasswd' could be used instead of 'chpasswd -R' as a pyworkaround in anaconda code.

Changing package to shadow-utils, then.

It looks like the patch could be simple:

diff --git a/src/chpasswd.c b/src/chpasswd.c index e9d4b57..be4f145 100644 --- a/src/chpasswd.c +++ b/src/chpasswd.c @@ -458,6 +458,10 @@ int main (int argc, char **argv) (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); +#ifdef WITH_SELINUX + selinux_check_root (); +#endif + process_root_flag ("-R", argc, argv); process_flags (argc, argv); 
@@ -476,10 +480,6 @@ int main (int argc, char **argv) check_perms (); -#ifdef WITH_SELINUX - selinux_check_root (); -#endif - #ifdef USE_PAM if (!use_pam) #endif /* USE_PAM */

At least it works with a simple reproducer:

before:
^&^ echo -n "user:ahoj" | sudo src/chpasswd -R ~/tmp/my-root
o_O echo $?
1

after:
^&^ echo -n "user:ahoj" | sudo src/chpasswd -R ~/tmp/my-root
^&^ echo $?
0

FEDORA-2019-48e90f731c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-48e90f731c

shadow-utils-4.6-16.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-48e90f731c

shadow-utils-4.6-16.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
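
Review bot: The added selinux_check_root () call in the first hunk (@@ -458,6 +458,10 @@) carries no comment explaining why it has to sit ahead of process_root_flag ("-R", argc, argv). The patch changes nothing except the position of that call, so the ordering is the fix. A short comment above the #ifdef WITH_SELINUX saying that the check must run before the -R root switch would keep a later cleanup from moving it back down beside check_perms ().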
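
Review bot: Removing the block after check_perms () in the second hunk (@@ -476,10 +480,6 @@) means the SELinux check now runs before both process_flags (argc, argv) and check_perms (), not after them. It is therefore evaluated even for invocations that option parsing or check_perms () would have rejected. Please confirm that this reordering is intended and note it in the commit message, since the two hunks together change the order of the permission checks and not only the behaviour with -R.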