Bug 1747215 - Building live images using livemedia-creator --no-virt with SELinux in permissive mode fails due to chpasswd crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: shadow-utils
Version: 31
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks:
 
Reported: 2019-08-29 23:43 UTC by Adam Williamson
Modified: 2019-09-17 02:18 UTC
CC: 7 users

Fixed In Version: shadow-utils-4.6-16.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-17 02:18:42 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2019-08-29 23:43:25 UTC
There is a test in openQA which builds a live image. It tries to follow the way this is done for official live images as closely as possible, so it uses livemedia-creator --no-virt.

Until today I had it set to run with SELinux enabled but in permissive mode (the test runs 'setenforce Permissive' before attempting to build the image). This worked fine for F29 and F30, but it is failing for F31. I believe it crashes when handling this line:

rootpw --iscrypted --lock locked

The dbus log shows this:

INFO:anaconda.core.users:user account root locked
INFO:program:Running... chpasswd -R /mnt/sysroot -e
INFO:anaconda.threading:Thread Failed: AnaTaskThread-SetRootPasswordTask-1 (139662366213888)
ERROR:anaconda.modules.common.task.task:Thread AnaTaskThread-SetRootPasswordTask-1 has failed: Traceback (most recent call last):
  File "/usr/lib64/python3.7/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)
  File "/usr/lib64/python3.7/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.7/site-packages/pyanaconda/modules/common/task/task.py", line 95, in _task_run_callback
    self._set_result(self.run())
  File "/usr/lib64/python3.7/site-packages/pyanaconda/modules/users/installation.py", line 55, in run
    self._set_root_password()
  File "/usr/lib64/python3.7/site-packages/pyanaconda/modules/users/installation.py", line 61, in _set_root_password
    self._sysroot)
  File "/usr/lib64/python3.7/site-packages/pyanaconda/core/users.py", line 478, in set_root_password
    return set_user_password("root", password, is_crypted, lock, root)
  File "/usr/lib64/python3.7/site-packages/pyanaconda/core/users.py", line 463, in set_user_password
    raise OSError("Unable to set password for new user: status=%s" % proc.returncode)
OSError: Unable to set password for new user: status=-6

i.e. it calls `chpasswd -R /mnt/sysroot -e` but that fails. The *system* logs show us a bit more:

Aug 29 10:06:40 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[3677]: ADD_USER pid=3677 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:install_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Aug 29 10:08:59 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[27603]: USER_AVC pid=27603 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:install_t:s0-s0:c0.c1023 msg='avc:  could not determine enforcing mode: No such file or directory
                                                                                       exe="/var/lib/mock/fedora-31-x86_64/root/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
Aug 29 10:08:59 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[27603]: ANOM_ABEND auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:system_r:install_t:s0-s0:c0.c1023 pid=27603 comm="chpasswd" exe="/var/lib/mock/fedora-31-x86_64/root/usr/sbin/chpasswd" sig=6 res=1
Aug 29 10:09:00 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Aug 29 10:09:00 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@0-27604-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 29 10:09:00 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Process Core Dump (PID 27604/UID 0).
Aug 29 10:09:00 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd-coredump[27605]: Resource limits disable core dumping for process 27603 (chpasswd).
Aug 29 10:09:00 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd-coredump[27605]: Process 27603 (chpasswd) of user 0 dumped core.

which indicates SELinux is involved, and indeed, when I tested changing the test config so it boots with 'selinux=0' to disable SELinux entirely, the image creation succeeds. Hence assigning this to libselinux as an initial guess. bcl says this is something he'd consider a bug - we shouldn't have to disable SELinux entirely to build live images, it should work with SELinux in permissive mode, as indeed it does on F29 and F30.

Comment 1 Petr Lautrbach 2019-08-30 06:00:15 UTC
It looks like this problem: https://bugzilla.redhat.com/show_bug.cgi?id=1321375 . If it's the same problem, its core is explained in https://bugzilla.redhat.com/show_bug.cgi?id=1321375#c15

There was a suggestion that shadow-utils could ignore the SELinux call failure in permissive mode, and there's also a workaround described in https://bugzilla.redhat.com/show_bug.cgi?id=1321375#c18

Comment 2 Petr Lautrbach 2019-08-30 13:20:04 UTC
libselinux upstream does not recommend changes in libselinux, as it could be hard not to break some other use cases and checks, and it would not be applicable on Android.

Therefore I'm looking into possibility to update chpasswd code in order not to do selinux checks when it's chroot'ed or something similar.

In the meantime, maybe 'echo -n root:tux | chroot /var/lib/machines/example/ chpasswd' could be used instead of 'chpasswd -R' as a workaround in anaconda code.
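The difference between the two invocations, as an added example that is not from the bug report, anaconda or shadow-utils: with -R, chpasswd chroot(2)s into the target before it asks libselinux for the enforcing mode, and that lookup reads sys/fs/selinux/enforce under the target, which an installer sysroot normally lacks (the audit log above shows exactly that failure, "could not determine enforcing mode: No such file or directory"). With 'chroot TARGET chpasswd', libselinux is loaded inside the target and, seeing no selinuxfs there, treats SELinux as disabled; that is my reading of why comment 2's form avoids the crash. The preflight helper below makes that decision explicit for a build script on an unfixed shadow-utils. The function names, the "absent/permissive/enforcing" vocabulary and the host-root parameter are this example's own.

```shell
# Added example (not from the bug report, anaconda or shadow-utils): a preflight
# check for scripts that run `chpasswd -R TARGET` on a build host with SELinux on.

# Print the SELinux mode a process would see once chroot'ed into $1:
# "absent" (no readable selinuxfs under that root), "permissive" or "enforcing".
selinux_view_from_root() {
    enforce="$1/sys/fs/selinux/enforce"
    [ -r "$enforce" ] || { echo absent; return 0; }
    case "$(cat "$enforce" 2>/dev/null)" in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo absent ;;
    esac
}

# Decide how to set passwords in TARGET ($2), given the host's root ($1, "/" in
# real use; parameterised so the decision can be exercised on a constructed tree).
# Prints "chpasswd -R" when a chroot'ed mode lookup will succeed (the target
# exposes selinuxfs) or SELinux is not visible on the host at all; otherwise
# prints "chroot", i.e. comment 2's `chroot TARGET chpasswd` form.
chpasswd_strategy() {
    host_mode=$(selinux_view_from_root "$1")
    target_mode=$(selinux_view_from_root "$2")
    if [ "$host_mode" = absent ] || [ "$target_mode" != absent ]; then
        echo "chpasswd -R"
    else
        echo "chroot"
    fi
}

# Apply "user:crypted-hash" lines from stdin to TARGET (needs uid 0), using the
# strategy chosen above. chpasswd's -e flag means the hashes are pre-encrypted,
# which is the form anaconda uses for `rootpw --iscrypted`.
set_crypted_in_target() {
    target=$1
    case "$(chpasswd_strategy / "$target")" in
        "chpasswd -R") chpasswd -R "$target" -e ;;
        chroot)        chroot "$target" /usr/sbin/chpasswd -e ;;
    esac
}
```

Usage: `printf 'root:locked\n' | set_crypted_in_target /mnt/sysroot` as root; on a fixed shadow-utils (4.6-16.fc31 or later) both branches should behave the same, so the check is only a guard for older hosts.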

Comment 3 Adam Williamson 2019-08-30 16:29:12 UTC
Changing package to shadow-utils, then.

Comment 4 Petr Lautrbach 2019-08-30 19:39:05 UTC
It looks like the patch could be simple:

diff --git a/src/chpasswd.c b/src/chpasswd.c
index e9d4b57..be4f145 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -458,6 +458,10 @@ int main (int argc, char **argv)
        (void) bindtextdomain (PACKAGE, LOCALEDIR);
        (void) textdomain (PACKAGE);
 
+#ifdef WITH_SELINUX
+       selinux_check_root ();
+#endif
+
        process_root_flag ("-R", argc, argv);
 
        process_flags (argc, argv);
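Review bot: moving selinux_check_root() ahead of process_root_flag("-R", ...) makes it evaluate the host's SELinux state before the chroot, which is what the audit log above needs (the enforcing-mode read was happening under the -R target, where no selinuxfs is mounted); but it also places the call before process_flags() and check_perms(), so a non-root caller or a bad argument now hits the SELinux check first and sees its failure rather than check_perms()'s. Worth confirming that selinux_check_root() depends on nothing parsed by process_flags() and that the changed error ordering is acceptable, and this hunk must land together with the removal below, otherwise chpasswd calls selinux_check_root() twice or not at all.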
@@ -476,10 +480,6 @@ int main (int argc, char **argv)
 
        check_perms ();
 
-#ifdef WITH_SELINUX
-       selinux_check_root ();
-#endif
-
 #ifdef USE_PAM
        if (!use_pam)
 #endif                         /* USE_PAM */
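Review bot: this removal is the other half of the relocation above and is consistent with it, but after it nothing re-checks SELinux from inside the new root, and any libselinux call chpasswd makes after process_root_flag() still runs with the target's view of /sys/fs/selinux; the reproducer below only covers the exit status with -R into ~/tmp/my-root, so it is worth re-running with the host in both permissive and enforcing mode, and with a target that lacks sys/fs/selinux, before relying on the fix.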


At least it works with a simple reproducer:

before:

^&^ echo -n "user:ahoj" | sudo src/chpasswd -R ~/tmp/my-root   

o_O echo $?                                                    
1

after:

^&^ echo -n "user:ahoj" | sudo src/chpasswd -R ~/tmp/my-root   

^&^ echo $?                                                    
0

Comment 5 Fedora Update System 2019-09-02 15:12:47 UTC
FEDORA-2019-48e90f731c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-48e90f731c

Comment 6 Fedora Update System 2019-09-02 23:56:54 UTC
shadow-utils-4.6-16.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-48e90f731c

Comment 7 Fedora Update System 2019-09-17 02:18:42 UTC
shadow-utils-4.6-16.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

