Bug 1736803 - appliance-creator AVC denials in chroot
Summary: appliance-creator AVC denials in chroot
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: appliance-tools
Version: 31
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Neal Gompa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ARMTracker
TreeView+ depends on / blocked
 
Reported: 2019-08-02 05:05 UTC by Warren Togami
Modified: 2019-08-13 18:36 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Warren Togami 2019-08-02 05:05:38 UTC
Description of problem:
Since a recent version of Fedora appliance-creator or anything else that uses dnf within a chroot will fail with errors due to the host's selinux policy. "setenforce 0" allows it to work. Perhaps there is a less brute-force policy boolean than setting the entire host to permissive.

appliance-creator is probably better off testing if it would fail, and to bail out early with an informative error message.

This is one of several examples of common failures that can happen in a chroot.

type=AVC msg=audit(1564664309.906:922): avc:  denied  { entrypoint } for  pid=9190 comm="dnf" path="/usr/bin/bash" dev="nvme0n1p2" ino=651929 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
appliance-tools-009.0-5.fc30.noarch

Comment 1 Ben Cotton 2019-08-13 18:36:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.


Note You need to log in before you can comment on or make changes to this bug.