Bug 758251
| Summary: | Missing dependencies and wrong arch | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mads Kiilerich <mads> |
| Component: | rpm | Assignee: | Panu Matilainen <pmatilai> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dwalsh, ffesti, jnovy, mgrepl, notting, pmatilai |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | rpm-4.9.1.2-5.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-02-11 21:55:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Mads Kiilerich
2011-11-29 16:09:33 UTC
Bill do you agree? Yes. Although just having the binary have the proper DT_NEEDED seems way simpler. The command we are compiling this with is. cc -o seunshare seunshare.o -lcgroup -lselinux -lcap-ng -L/usr/lib64 Is there something wrong here? I guess the -L could be moved forward? ldd /usr/sbin/seunshare linux-vdso.so.1 => (0x00007fffca5ff000) libcgroup.so.1 => /lib64/libcgroup.so.1 (0x00007faaf6837000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007faaf6617000) libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007faaf6411000) libc.so.6 => /lib64/libc.so.6 (0x00007faaf6058000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007faaf5e3c000) /lib64/ld-linux-x86-64.so.2 (0x0000003b43000000) libdl.so.2 => /lib64/libdl.so.2 (0x00007faaf5c37000) Something wrong here? -> rpm RPM apparently isn't reading DT_NEEDEDs from setuid binaries. Why? I confirmed this. If I remove the setuid from the make install within the package, everything works correctly. It took me some time to understand dwalsh's comment.
policycoreutils-2.1.8/sandbox/Makefile has
install -m 4755 seunshare $(SBINDIR)/
and ldd will thus fail.
The spec do however have
%attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
and the file will thus be installed without suid bit. It seems like it works correctly anyway (because of caps?), so I guess the whole suid could be removed completely.
It could be argued that rpmbuild should remove all suid flags before running ldd ... or that ldd should work with suids. IMHO it is ok to require that packages don't install files suid in %install but only specify it in %files. In that case rpmbuild should fail if it finds any suid binaries that it can't process.
Well the problem with that is make install In a lot of packages installs the apps with 5755, and having maintainers patching this out seems painful. notting pointed out on irc that ldd does work with suids. We will thus get the right dependencies with echo /usr/sbin/seunshare | /usr/lib/rpm/redhat/find-requires This helper is however not used because we have /usr/lib/rpm/macros:%_use_internal_dependency_generator 1 Adding %define _use_internal_dependency_generator 0 to the spec generates an rpm with the right dependencies. rpm-build's internal dependency generator will call elfutils directly. This way of doing it generally works correctly, as shown by echo /usr/sbin/seunshare | /usr/lib/rpm/elfdeps --requires It seems like it for some reason doesn't work inside rpm ... or that there is something else wrong ... It's just a stupid bug in rpm, incidentally I just spotted it two days ago: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=87d9e3c4adac92ff544440dd1239a4ae4fe05bb4 Fixed in rawhide now (rpm-4.9.1.2-6.fc17), but both f16 and f15 will need updates too. rpm-4.9.1.2-5.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/rpm-4.9.1.2-5.fc16 rpm-4.9.1.2-4.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/rpm-4.9.1.2-4.fc15 Package rpm-4.9.1.2-5.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing rpm-4.9.1.2-5.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-1504/rpm-4.9.1.2-5.fc16 then log in and leave karma (feedback). rpm-4.9.1.2-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. rpm-4.9.1.2-4.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |