Bug 1906289

Summary: rpm --initdb fails with error code 255
Product: Fedora
Reporter: Rama McIntosh <rama>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 33
CC: dwalsh, grepl.miroslav, igor.raits, lvrabec, mjw, mmalik, omosnace, packaging-team-maint, plautrba, pmatilai, pmoravco, vmojzis, vmukhame, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2021-01-04 12:17:49 UTC
Type: Bug
Attachments:
- SELinux denials which appeared in enforcing mode
- SELinux denials which appeared in permissive mode

Description Rama McIntosh 2020-12-10 06:42:45 UTC
Description of problem: rpm --initdb silently fails, no db is created. I'm attempting to build qubes-os on Fedora but it fails initializing the rpm database.

Version-Release number of selected component (if applicable):
Fedora 33: rpm 4.16.0-5.fc33
Fedora 32: rpm 4.15.1-3.fc32.1

How reproducible:
Follow example here:  https://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/ch04s05s03.html


Steps to Reproduce:
1. mkdir /tmp/rpm
2. rpm --initdb --dbpath /tmp/rpm
3. echo $?
4. ls /tmp/rpm

Actual results:
rpm exit code is 255 and /tmp/rpm is empty

Expected results:
A new rpm database should be in /tmp/rpm

Additional info:

Comment 1 Panu Matilainen 2020-12-10 09:04:42 UTC
The new selinux-policy is preventing both rpmdb from initializing a database in an arbitrary location and also from logging an error about it.

Comment 2 Milos Malik 2020-12-10 09:28:43 UTC
After removing the dontaudit rules, the Steps to Reproduce lead to several SELinux denials which will be attached. Here is a summary from audit2allow:

#============= rpmdb_t ==============
allow rpmdb_t net_conf_t:file { getattr open };
allow rpmdb_t nscd_var_run_t:dir search;
allow rpmdb_t passwd_file_t:file open;
allow rpmdb_t self:capability net_admin;
allow rpmdb_t sssd_var_lib_t:dir search;
allow rpmdb_t system_dbusd_var_run_t:dir search;

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow rpmdb_t user_devpts_t:chr_file { read write };
allow rpmdb_t user_tmp_t:dir { getattr search };

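As an added illustration (not code from the bug report or its attachments), the following Python reproduces the aggregation audit2allow performed for the summary above: it parses AVC denial records, collapses them into one allow rule per (source type, target type, object class), and writes a target equal to the source as `self`. The AVC records are constructed to match the denials listed; on a real system the input would be `ausearch -m avc` output captured after `semodule -DB` has disabled the dontaudit rules.

```python
import re
from collections import defaultdict

# Constructed AVC records (not the bug's attachments), shaped like the
# denials rpmdb_t hit in enforcing mode. The SYSCALL record is there to
# show that non-AVC records are skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1607588565.123:101): avc:  denied  { getattr } for  pid=1234 comm="rpmdb" path="/etc/resolv.conf" dev="dm-0" ino=123 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1607588565.123:101): arch=c000003e syscall=262 success=no exit=-13 comm="rpmdb" subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
type=AVC msg=audit(1607588565.123:102): avc:  denied  { open } for  pid=1234 comm="rpmdb" path="/etc/resolv.conf" dev="dm-0" ino=123 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1607588565.124:103): avc:  denied  { search } for  pid=1234 comm="rpmdb" name="nscd" dev="tmpfs" ino=456 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1607588565.125:104): avc:  denied  { net_admin } for  pid=1234 comm="rpmdb" capability=12 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1607588565.126:105): avc:  denied  { read write } for  pid=1234 comm="rpmdb" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:user_devpts_t:s0 tclass=chr_file permissive=0
"""

# Matches the permission set, both security contexts and the object class
# of one AVC denial record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def summarize_avcs(text):
    """Collapse AVC denial records into audit2allow-style allow rules."""
    rules = defaultdict(set)  # (source type, target type, class) -> permissions
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        src = context_type(m.group("scon"))
        tgt = context_type(m.group("tcon"))
        if tgt == src:
            tgt = "self"  # e.g. a process denied a capability on itself
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())

    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


if __name__ == "__main__":
    print("\n".join(summarize_avcs(SAMPLE_AVCS)))
```
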
Comment 3 Milos Malik 2020-12-10 09:33:18 UTC
Created attachment 1738148 [details]
SELinux denials which appeared in enforcing mode

Comment 4 Milos Malik 2020-12-10 09:35:39 UTC
Created attachment 1738149 [details]
SELinux denials which appeared in permissive mode

Comment 5 Panu Matilainen 2020-12-10 09:55:32 UTC
The first half of that, i.e. the name services and network part, can (continue to) be ignored/denied. rpmdb doesn't actually need them for anything and in fact they should be gone entirely in rpm >= 4.16.1 when released.

Comment 6 Rama McIntosh 2020-12-12 14:01:52 UTC
Thanks everyone. As this is a selinux issue, I'm able to continue to build qubes-os by using a boxes vm with `sudo setenforce 0` to work around selinux causing rpm to fail. Dropping the priority to medium.

Thanks for the quick response.

Comment 7 Zdenek Pytela 2021-01-04 12:17:49 UTC

*** This bug has been marked as a duplicate of bug 1901961 ***