Bug 1906289
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | rpm --initdb fails with error code 255 | | |
| Product | [Fedora] Fedora | Reporter | Rama McIntosh <rama> |
| Component | selinux-policy | Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED DUPLICATE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 33 | CC | dwalsh, grepl.miroslav, igor.raits, lvrabec, mjw, mmalik, omosnace, packaging-team-maint, plautrba, pmatilai, pmoravco, vmojzis, vmukhame, zpytela |
| Target Milestone | --- | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-01-04 12:17:49 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Rama McIntosh
2020-12-10 06:42:45 UTC
The new selinux-policy is preventing rpmdb both from initializing a database in an arbitrary location and from logging an error about it. After removing the dontaudit rules, the Steps to Reproduce lead to several SELinux denials which will be attached. Here is a summary from audit2allow:

```
#============= rpmdb_t ==============
allow rpmdb_t net_conf_t:file { getattr open };
allow rpmdb_t nscd_var_run_t:dir search;
allow rpmdb_t passwd_file_t:file open;
allow rpmdb_t self:capability net_admin;
allow rpmdb_t sssd_var_lib_t:dir search;
allow rpmdb_t system_dbusd_var_run_t:dir search;

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow rpmdb_t user_devpts_t:chr_file { read write };
allow rpmdb_t user_tmp_t:dir { getattr search };
```

Created attachment 1738148 [details]
SELinux denials which appeared in enforcing mode

Created attachment 1738149 [details]
SELinux denials which appeared in permissive mode

The first half of that, i.e. the name services and network part, can (continue to) be ignored/denied. rpmdb doesn't actually need them for anything and in fact they should be gone entirely in rpm >= 4.16.1 when released.

Thanks everyone. As this is an SELinux issue, I'm able to continue to build qubes-os by using a Boxes VM with `sudo setenforce 0` to work around SELinux causing rpm to fail. Dropping the priority to medium.

Thanks for the quick response.

*** This bug has been marked as a duplicate of bug 1901961 ***
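The description summarises the attached denials with audit2allow, and the two attachments separate what was seen in enforcing mode from what only appeared in permissive mode. The script below is an added example, not part of this bug report or of the rpm or selinux-policy projects: it parses raw AVC records into audit2allow-style `allow` rules (merging repeated permissions per source type, target type and class, and rendering `self` when source and target match) and splits the records by their `permissive=` flag. The audit lines embedded in it are constructed to mirror the rpmdb_t denials quoted above; the function names are this example's own.

```python
"""Summarise raw SELinux AVC denials the way audit2allow does (added example)."""
import re
from collections import defaultdict

# Constructed sample audit records modelled on the rpmdb_t denials in the report:
# four logged in enforcing mode (permissive=0), one in permissive mode (permissive=1),
# plus one non-AVC record that a parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1607582565.101:201): avc:  denied  { open } for  pid=4242 comm="rpmdb" path="/etc/resolv.conf" dev="dm-0" ino=1234 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1607582565.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="rpmdb"
type=AVC msg=audit(1607582565.102:202): avc:  denied  { getattr } for  pid=4242 comm="rpmdb" path="/etc/resolv.conf" dev="dm-0" ino=1234 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1607582565.103:203): avc:  denied  { search } for  pid=4242 comm="rpmdb" name="nscd" dev="tmpfs" ino=55 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1607582565.104:204): avc:  denied  { net_admin } for  pid=4242 comm="rpmdb" capability=12 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1607582565.105:205): avc:  denied  { read write } for  pid=4242 comm="rpmdb" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
"""

# Fields of one AVC record: the braced permission list, both contexts, class and mode.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc_lines(text):
    """Parse raw audit text into denial records; records that are not AVC denials are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
            "permissive": m.group("permissive") == "1",
        })
    return denials


def summarise(denials):
    """Merge denials into (source type, target type, class) -> union of denied permissions."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(summary)


def render_allow_rules(summary):
    """Render the merged denials as audit2allow-style allow rules, grouped by source type."""
    out = []
    for stype in sorted({key[0] for key in summary}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c) in sorted(summary):
            if s != stype:
                continue
            perms = sorted(summary[(s, t, c)])
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            target = "self" if t == s else t  # audit2allow writes self for same-type targets
            out.append(f"allow {s} {target}:{c} {perm_str};")
    return "\n".join(out)


def split_by_mode(denials):
    """Separate denials that blocked an action (enforcing) from those only logged (permissive)."""
    enforcing = [d for d in denials if not d["permissive"]]
    permissive = [d for d in denials if d["permissive"]]
    return enforcing, permissive


if __name__ == "__main__":
    records = parse_avc_lines(SAMPLE_AUDIT_LOG)
    enforcing, permissive = split_by_mode(records)
    print(f"{len(enforcing)} enforcing-mode and {len(permissive)} permissive-mode denials")
    print(render_allow_rules(summarise(records)))
```

The summary is a triage aid, not a policy to install: as the maintainer comment above notes, the name-service and network denials for rpmdb_t are expected and should stay denied, so the useful output of a tool like this is the short list of accesses the application genuinely needs. Note that the records in the report only became visible after the dontaudit rules were disabled, which on Fedora is done with `semodule -DB` (and reverted with `semodule -B`).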