Bug 2094683
| Summary: | policycoreutils 3.4 appears to break setfiles in chroot | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Ian Wienand <iwienand> |
| Component: | libselinux | Assignee: | Petr Lautrbach <plautrba> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | CentOS Stream | CC: | bstinson, dwalsh, jwboyer, lvrabec, mmalik, plautrba, ssekidde, vmojzis |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-06-29 08:25:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I believe this is already fixed in libselinux-3.4-2.el9 by this commit - https://gitlab.com/redhat/centos-stream/rpms/libselinux/-/commit/c68e490c94b21c6733eaa43aed9eba849b794a56

```
# rpm -q libselinux
libselinux-3.4-1.el9.x86_64
# chroot /mnt/ /usr/sbin/setfiles -F /etc/selinux/targeted/contexts/files/file_contexts /
/usr/sbin/setfiles: Could not set context for /: No such file or directory
/usr/sbin/setfiles: Could not set context for /dev: No such file or directory
/usr/sbin/setfiles: Could not set context for /dev/null: No such file or directory
/usr/sbin/setfiles: Could not set context for /proc: No such file or directory
/usr/sbin/setfiles: Could not set context for /run: No such file or directory
...
# dnf update https://kojihub.stream.centos.org/kojifiles/packages/libselinux/3.4/2.el9/x86_64/libselinux-3.4-2.el9.x86_64.rpm https://kojihub.stream.centos.org/kojifiles/packages/libselinux/3.4/2.el9/x86_64/libselinux-utils-3.4-2.el9.x86_64.rpm https://kojihub.stream.centos.org/kojifiles/packages/libselinux/3.4/2.el9/x86_64/python3-libselinux-3.4-2.el9.x86_64.rpm
# chroot /mnt/ /usr/sbin/setfiles -F /etc/selinux/targeted/contexts/files/file_contexts /
# echo $?
0
```

Thanks, I've pulled these updated packages and confirmed they work [1]. How long until this makes it to the release repos?

[1] https://review.opendev.org/c/openstack/diskimage-builder/+/845189

I have no idea. This one was built on Tue, 31 May 2022. I'd expect it's already available.

Hrm, it seems it is not; as of this comment http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/ shows only 3.4-1 [1]. I'm still trying to figure out if there's periodic rebuilds or what; something about side-tags, maybe? I'm sure somebody knows, finding that somebody is the hard part :)

[1] https://imgur.com/a/aZPMHrA

Just for the record, further investigation shows some discussion of this recently in #centos-stream (don't think this channel is logged). I guess the conclusion remains that it is unclear

```
<chandankumar> It is available 07th June compose
<arrfab> chandankumar: composes.stream.centos.org isn't the official mirror, which is mirror.stream.centos.org
<arrfab> so you have to wait for a composes to be "promoted" and so synced to mirror.stream.centos.org to make it to the other mirrors
...
<chandankumar> Any idea when it will be available?
<arrfab> chandankumar: no idea, but I guess bstinson will be able to answer that but when he'll be online and not now :)
<chandankumar> arrfab: ok, cool, will wait for bstinson :-)
...
```

Additional request to see what's up with this @ https://lists.centos.org/pipermail/centos-devel/2022-June/120414.html
We build 9-stream in a chroot environment on top of a Debian Buster host using diskimage-builder

Essentially we build up the 9-stream chroot environment then run

```
$ sudo chroot <9-stream-chroot> /usr/sbin/setfiles -F /etc/selinux/targeted/contexts/files/file_contexts /
```

This started failing with a message like

```
2022-06-08 06:48:09.313 | /usr/sbin/setfiles: Could not set context for /usr/include: No such file or directory
```

for every single file. I've run this under strace now and can see the following operations for each file

```
73896 openat(AT_FDCWD, "/etc/hostname", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
73896 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=1, ...}, AT_EMPTY_PATH) = 0
73896 fgetxattr(3, "security.selinux", 0x55848464a2b0, 255) = -1 EBADF (Bad file descriptor)
73896 fcntl(3, F_GETFL) = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
73896 getxattr("/proc/self/fd/3", "security.selinux", 0x55848464a2b0, 255) = -1 ENOENT (No such file or directory)
73896 write(2, "/usr/sbin/setfiles: ", 20) = 20
73896 write(2, "Could not set context for /etc/h"..., 68) = 68
73896 close(3) = 0
```

Nothing has changed in our code in this time. I haven't been able to roll back, but the last time this worked it seemed to be using [1]

```
2022-06-06 22:34:01.894 | > Package python3-policycoreutils-3.3-5.el9.noarch is already installed.
```

but now (two days later) we have python3-policycoreutils-3.4-1.el9.noarch (unfortunately this doesn't list in this log the policycoreutils package but I'm assuming it's all same build).

[1] https://docs.openstack.org/diskimage-builder/latest/
[2] https://opendev.org/openstack/diskimage-builder/src/branch/master/diskimage_builder/elements//rpm-distro/cleanup.d/99-selinux-fixfiles-restore#L95
[3] https://zuul.opendev.org/t/openstack/build/fc88b2a71c7146cf8a2bbc5334819c49/logs
[4] https://zuul.opendev.org/t/openstack/build/f52ad90b96254c37a13d9327efbf03b5/logs
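
The syscall sequence in the strace excerpt above can be picked out of a longer trace mechanically. The following triage script is an added example, not part of the original report or of libselinux: it follows each `O_PATH` descriptor and reports whether the `security.selinux` lookup through `/proc/self/fd/N` succeeded or failed. The function names and the last four sample lines (a successful fallback) are constructed for illustration.

```python
import re

# First six lines: strace excerpt from the report. Last four lines: constructed
# here to show a run in which the /proc/self/fd fallback succeeds.
SAMPLE = '''\
73896 openat(AT_FDCWD, "/etc/hostname", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
73896 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=1, ...}, AT_EMPTY_PATH) = 0
73896 fgetxattr(3, "security.selinux", 0x55848464a2b0, 255) = -1 EBADF (Bad file descriptor)
73896 fcntl(3, F_GETFL) = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
73896 getxattr("/proc/self/fd/3", "security.selinux", 0x55848464a2b0, 255) = -1 ENOENT (No such file or directory)
73896 close(3) = 0
73896 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_NOFOLLOW|O_PATH) = 4
73896 fgetxattr(4, "security.selinux", 0x55848464a2b0, 255) = -1 EBADF (Bad file descriptor)
73896 getxattr("/proc/self/fd/4", "security.selinux", 0x55848464a2b0, 255) = 31
73896 close(4) = 0
'''

OPEN = re.compile(r'^(\d+) openat\(AT_FDCWD, "([^"]+)", ([A-Z_|]+)\) = (\d+)$')
FGET = re.compile(r'^(\d+) fgetxattr\((\d+), "security\.selinux".*\) = -1 EBADF')
PROC = re.compile(r'^(\d+) getxattr\("/proc/self/fd/(\d+)", "security\.selinux"'
                  r'.*\) = (-?\d+)(?: (\w+))?')
CLOSE = re.compile(r'^(\d+) close\((\d+)\)')

def classify(trace):
    """Map each path opened with O_PATH to how its label lookup ended."""
    fds, verdict = {}, {}          # (pid, fd) -> path, path -> verdict
    for line in trace.splitlines():
        if m := OPEN.match(line):
            pid, path, flags, fd = m.groups()
            if "O_PATH" in flags.split("|"):
                fds[(pid, fd)] = path
                verdict[path] = "opened"
        elif (m := FGET.match(line)) and (m[1], m[2]) in fds:
            verdict[fds[(m[1], m[2])]] = "fgetxattr-ebadf"
        elif (m := PROC.match(line)) and (m[1], m[2]) in fds:
            ok = m[3] != "-1"      # a non-negative return is the xattr length
            verdict[fds[(m[1], m[2])]] = (
                "proc-fallback-ok" if ok else f"proc-fallback-failed:{m[4]}")
        elif m := CLOSE.match(line):
            fds.pop((m[1], m[2]), None)    # fd numbers are reused after close
    return verdict

def broken_paths(trace):
    """Paths whose /proc/self/fd lookup failed, the case shown in this bug."""
    return [p for p, v in classify(trace).items()
            if v.startswith("proc-fallback-failed")]
```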