Bug 2061141
| Summary: | rpm --rebuilddb issue with /usr/lib/sysimage | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alessio <alciregi> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 36 | CC: | bugzilla, dwalsh, gmarr, grepl.miroslav, lvrabec, mmalik, ngompa13, nixuser, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | Flags: | alciregi: fedora_prioritized_bug? |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | AcceptedFreezeException | ||
| Fixed In Version: | selinux-policy-36.5-1.fc36 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2022-03-24 19:34:06 UTC | Type: | Bug |
| Bug Blocks: | 1953784, 2042099 | ||
I think that this is not a critical issue, but, as I can imagine, since it involves this Fedora 36 ChangeSet https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr, it should be addressed before the release.

I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1107

*** Bug 2061211 has been marked as a duplicate of this bug. ***

Proposed as a Freeze Exception for 36-beta by Fedora user ngompa using the blocker tracking app because: This bug has a potential to cause problems with upgrades to F36 and it would be good to have this fix in now. selinux-policy-36.5 exists upstream with a fix that just needs to be built and shipped.

FEDORA-2022-b0805acc47 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

FEDORA-2022-b0805acc47 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-b0805acc47` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

I just did a clean install of f35, updated it, then ran dnf system upgrade to f36.
$ journalctl -b | grep AVC
Mar 21 11:21:56 fedora audit[585]: AVC avc: denied { read } for pid=585 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15715 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc: denied { read } for pid=585 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15715 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc: denied { read } for pid=585 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15735 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc: denied { read } for pid=585 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15735 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc: denied { read } for pid=585 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15736 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc: denied { read } for pid=585 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15736 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
$ rpm -q selinux-policy
selinux-policy-36.3-1.fc36.noarch
# ls -l /var/lib/rpm
lrwxrwxrwx. 1 root root 26 Mar 21 11:22 /var/lib/rpm -> ../../usr/lib/sysimage/rpm
# ls -la /usr/lib/sysimage/rpm/
total 51144
drwxr-xr-x. 1 root root 88 Mar 21 11:21 .
drwxr-xr-x. 1 root root 6 Mar 21 11:22 ..
-rw-r--r--. 1 root root 52338688 Mar 21 11:22 rpmdb.sqlite
-rw-r--r--. 1 root root 32768 Mar 21 11:23 rpmdb.sqlite-shm
-rw-r--r--. 1 root root 0 Mar 21 11:22 rpmdb.sqlite-wal
# journalctl -b | grep rpmdb
Mar 21 11:21:56 fedora systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rpmdb-migrate.service
Mar 21 11:21:56 fedora systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rpmdb-rebuild.service
Mar 21 11:21:56 fedora systemd[1]: rpmdb-migrate.service: Installed new job rpmdb-migrate.service/start as 247
Mar 21 11:21:56 fedora systemd[1]: rpmdb-rebuild.service: Installed new job rpmdb-rebuild.service/start as 219
Mar 21 11:21:56 fedora systemd-tmpfiles[588]: Entry "/var/lib/dnf/rpmdb_lock.pid" does not match any include prefix, skipping.
Mar 21 11:21:57 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd-tmpfiles[692]: Running remove action for entry r /var/lib/dnf/rpmdb_lock.pid
Mar 21 11:21:58 fedora systemd-tmpfiles[692]: Running create action for entry r /var/lib/dnf/rpmdb_lock.pid
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: ConditionPathExists=/var/lib/rpm/.migratedb succeeded.
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: Passing 0 fds to service
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: About to execute /usr/lib/rpm/rpmdb_migrate
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: Forked /usr/lib/rpm/rpmdb_migrate as 725
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: Changed dead -> start
Mar 21 11:21:58 fedora systemd[1]: Starting rpmdb-migrate.service - RPM database migration to /usr...
Mar 21 11:21:58 fedora systemd[725]: rpmdb-migrate.service: Executing: /usr/lib/rpm/rpmdb_migrate
Mar 21 11:21:58 fedora systemd[1]: rpmdb-rebuild.service: ConditionPathExists=/usr/lib/sysimage/rpm/.rebuilddb failed.
Mar 21 11:21:58 fedora systemd[1]: rpmdb-rebuild.service: Starting requested but condition failed. Not starting unit.
Mar 21 11:21:58 fedora systemd[1]: rpmdb-rebuild.service: Job 219 rpmdb-rebuild.service/start finished, result=done
Mar 21 11:21:58 fedora systemd[1]: rpmdb-rebuild.service - RPM database rebuild was skipped because of a failed condition check (ConditionPathExists=/usr/lib/sysimage/rpm/.rebuilddb).
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/rpmdb.sqlite'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/rpmdb.sqlite-shm'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/rpmdb.sqlite-wal'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/.migratedb'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/.rpm.lock'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed directory '/var/lib/rpm'
Mar 21 11:22:00 fedora rpmdb_migrate[736]: '/var/lib/rpm' -> '../../usr/lib/sysimage/rpm'
Mar 21 11:22:00 fedora systemd[1]: Received SIGCHLD from PID 725 (rpmdb_migrate).
Mar 21 11:22:00 fedora systemd[1]: Child 725 (rpmdb_migrate) died (code=exited, status=0/SUCCESS)
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Child 725 belongs to rpmdb-migrate.service.
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Main process exited, code=exited, status=0/SUCCESS (success)
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Deactivated successfully.
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Service will not restart (restart setting)
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Changed start -> dead
Mar 21 11:22:00 fedora systemd[1]: varlink-62: Sending message: {"parameters":{"cgroups":[{"mode":"auto","path":"/system.slice/rpmdb-migrate.service","property":"ManagedOOMSwap"},{"mode":"auto","path":"/system.slice/rpmdb-migrate.service","property":"ManagedOOMMemoryPressure"}]},"continues":true}
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Failed to delete cgroup entry from LSM BPF map: No such file or directory
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Job 247 rpmdb-migrate.service/start finished, result=done
Mar 21 11:22:00 fedora systemd[1]: Finished rpmdb-migrate.service - RPM database migration to /usr.
Mar 21 11:22:00 fedora systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/rpmdb_2dmigrate_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=50 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 21 11:22:00 fedora systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/rpmdb_2dmigrate_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=51 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 21 11:22:00 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpmdb-migrate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 21 11:22:00 fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpmdb-migrate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Consumed 964ms CPU time.
Mar 21 11:22:00 fedora systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/rpmdb_2dmigrate_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=53 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 21 11:22:00 fedora systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/rpmdb_2dmigrate_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=54 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Control group is empty.
Mar 21 11:22:00 fedora systemd-oomd[697]: oomd: New incoming message: {"parameters":{"cgroups":[{"mode":"auto","path":"/system.slice/rpmdb-migrate.service","property":"ManagedOOMSwap"},{"mode":"auto","path":"/system.slice/rpmdb-migrate.service","property":"ManagedOOMMemoryPressure"}]},"continues":true}
Discussed during the 2022-03-21 blocker review meeting: [0] The decision to classify this bug as an "AcceptedFreezeException (Beta)" was made as it is a noticeable issue that cannot be fixed with an update.
[0] https://meetbot.fedoraproject.org/fedora-blocker-review/2022-03-21/f36-blocker-review.2022-03-21-16.01.txt

FEDORA-2022-c564d315fc has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-c564d315fc

Bleh, wrong bug...

FEDORA-2022-b0805acc47 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
Fresh install of Fedora Workstation 36

$ sudo rpm --rebuilddb
error: failed to create directory /usr/lib/sysimage/rpmrebuilddb.28807: Permission denied

journalctl content:
mar 06 08:11:44 audit[28807]: AVC avc: denied { write } for pid=28807 comm="rpmdb" name="sysimage" dev="dm-0" ino=5209 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0

Disabling selinux, such command works. Re-enabling selinux, and issuing the command, leads to:
error: can't create transaction lock on /usr/lib/sysimage/rpm/.rpm.lock (No such file or directory)
mar 06 08:26:36 audit[29040]: AVC avc: denied { write } for pid=29040 comm="rpmdb" name="rpm" dev="dm-0" ino=225142 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0

rpm-plugin-selinux-4.17.0-9.fc36.x86_64
selinux-policy-36.3-1.fc36.noarch
selinux-policy-targeted-36.3-1.fc36.noarch
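
For triaging journal output like the excerpts in this report, the following added example (not part of the bug report or of the selinux-policy project) groups AVC denials by source type, target type, object class and permission, so the rpmdb_t write denials on usr_t directories stand apart from the unrelated systemd-sysctl ones. The function names `parse_avc` and `summarize` are hypothetical, and the sample is constructed from lines quoted on this page.

```python
import re
from collections import Counter

# Constructed sample: three AVC lines copied from this report plus one
# unrelated journal line that the parser must skip.
SAMPLE = """\
mar 06 08:11:44 audit[28807]: AVC avc: denied { write } for pid=28807 comm="rpmdb" name="sysimage" dev="dm-0" ino=5209 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
mar 06 08:26:36 audit[29040]: AVC avc: denied { write } for pid=29040 comm="rpmdb" name="rpm" dev="dm-0" ino=225142 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc: denied { read } for pid=585 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15715 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Deactivated successfully.
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type:level; the MLS level may contain ':'
        # itself (s0-s0:c0.c1023), so take the third field, not the last.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {'perms': m.group('perms').split(), 'source': source,
            'target': target, 'tclass': tclass,
            'object': fields.get('name') or fields.get('path', '?'),
            'enforced': fields.get('permissive') == '0'}


def summarize(text):
    """Group denials by (source type, target type, class, permission)."""
    counts, objects = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['source'], rec['target'], rec['tclass'], perm)
            counts[key] += 1
            objects.setdefault(key, set()).add(rec['object'])
    return [(key, n, sorted(objects[key])) for key, n in counts.most_common()]


if __name__ == '__main__':
    for (src, tgt, cls, perm), n, objs in summarize(SAMPLE):
        print(f'{n}x {src} -> {tgt}:{cls} {{ {perm} }} on {", ".join(objs)}')
```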