Bug 2208282
| Summary: | RPM's %post script doesn't handle invocation with --root flag properly | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Thomas Jones <redhat> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED MIGRATED | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.7 | CC: | loren.gordon, lvrabec, mmalik, nknazeko, vmojzis |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | Flags: | vmojzis: needinfo? (redhat) |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-16 17:30:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Side note: I *did* look at the man page for RPM and it *claims*

> --root DIRECTORY
> Use the file system tree rooted at DIRECTORY for all operations. Note that this means the database within DIRECTORY will be used for dependency checks and any scriptlet(s) (e.g. %post if installing, or %prep if building, a package) will be run after a chroot(2) to DIRECTORY.

However, the behavior I'm seeing seems to indicate that that chroot-before-post isn't actually happening (as noted, the relevant files don't exist in the chroot after the RPM completes its installation).
Description of problem:
We leverage a VM-creation process that builds VMs into a chrooted environment. As part of this process, we invoke package-installation by passing the --root flag to dnf. The selinux-policy RPM's %post script seems to not properly handle this usage-scenario. As a result, it both tests for an existing /etc/selinux/config file and, if it tries to create a new one, does so in the environment's real root rather than the chroot location.

Version-Release number of selected component (if applicable):
Presumably all 8.x versions up through at least selinux-policy-3.14.3-117.el8.noarch

How reproducible:

Steps to Reproduce:
1. Execute an installation by passing a chroot-location to dnf with the `--root` flag
2. Execute a find within the chroot-location to look for the ${CHROOT}/etc/selinux/config file (or simply any file under the CHROOT that might contain ^SELINUX=)
3. Get a null result from the find

Actual results:
Get a null result from the find

Expected results:
${CHROOT}/etc/selinux/config SHOULD exist

Additional info:
In looking at the RPM's %post script:

~~~
postinstall scriptlet (using /bin/sh):
if [ ! -s /etc/selinux/config ]; then
#
# New install so we will default to targeted policy
#
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
" > /etc/selinux/config
ln -sf ../selinux/config /etc/sysconfig/selinux
restorecon /etc/selinux/config 2> /dev/null || :
else
. /etc/selinux/config
fi
exit 0
~~~

It looks like there's no logic in the script to "understand" that the locations should be adjusted if the --root flag has been passed to dnf.
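The check from steps 2-3 of the report, written out as an added build-pipeline validation (not code from the bug report or from the selinux-policy package): it verifies, inside a given chroot, exactly the artifacts the %post scriptlet above is supposed to produce. The function and helper names are hypothetical; the two chroot trees are constructed for the demonstration.

```shell
# Added example, not part of the bug report or the selinux-policy package.
# check_chroot_selinux_config CHROOT: verifies that the files the selinux-policy
# %post scriptlet is expected to create are present *inside* CHROOT, which is
# the condition steps 2-3 of the report test with find. Prints one line per
# finding; returns 0 when everything is in place, 1 otherwise.
check_chroot_selinux_config() {
    chroot="$1"
    rc=0
    cfg="$chroot/etc/selinux/config"
    link="$chroot/etc/sysconfig/selinux"

    # %post tests '[ ! -s /etc/selinux/config ]'; apply the same test under CHROOT.
    if [ ! -s "$cfg" ]; then
        echo "MISSING: $cfg is absent or empty (the reported symptom)"
        rc=1
    else
        # The written file must carry a SELINUX= line with one of the three modes.
        mode=$(sed -n 's/^SELINUX=//p' "$cfg" | head -n 1)
        case "$mode" in
            enforcing|permissive|disabled) ;;
            *) echo "INVALID: $cfg has SELINUX='$mode', expected enforcing|permissive|disabled"
               rc=1 ;;
        esac
    fi

    # %post runs 'ln -sf ../selinux/config /etc/sysconfig/selinux'.
    if [ ! -L "$link" ]; then
        echo "MISSING: $link is not a symlink"
        rc=1
    elif [ "$(readlink "$link")" != "../selinux/config" ]; then
        echo "INVALID: $link -> $(readlink "$link"), expected ../selinux/config"
        rc=1
    fi
    return "$rc"
}

# Constructed chroot trees for demonstration (hypothetical helper names).
make_good_chroot() {   # what a correctly handled --root install should leave behind
    d=$(mktemp -d)
    mkdir -p "$d/etc/selinux" "$d/etc/sysconfig"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/etc/selinux/config"
    ln -sf ../selinux/config "$d/etc/sysconfig/selinux"
    echo "$d"
}
make_bad_chroot() {    # the reported outcome: nothing under CHROOT/etc/selinux
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    echo "$d"
}
```

Run `check_chroot_selinux_config "$CHROOT"` right after the `dnf --root "$CHROOT" ...` step; a non-zero exit flags the image before it is booted with an unconfigured SELinux.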