Description of problem: I'm not sure this is a problem in mock or systemd, but anyways, here goes. When using mock to build Fedora 31 packages on a Fedora 30 system, at about the time that the Fedora 31 selinux packages get installed into the chroot environment, the Fedora 30 host starts logging these messages: Sep 30 11:37:00 monetdb3.spin-off.cwi.nl kernel: SELinux: Converting 2326 SID table entries... Sep 30 11:37:00 monetdb3.spin-off.cwi.nl kernel: SELinux: Context system_u:object_r:plymouthd_var_run_t:s0 became invalid (unmapped). Sep 30 11:37:00 monetdb3.spin-off.cwi.nl kernel: SELinux: Context system_u:object_r:nfsd_exec_t:s0 became invalid (unmapped). Sep 30 11:37:00 monetdb3.spin-off.cwi.nl kernel: SELinux: Context system_u:system_r:nfsd_t:s0 became invalid (unmapped). [...] After this, there are lots of AVC denied messages and services start dieing (e.g. httpd, mailman, and various others). This does not happen when mock is called with --old-chroot, only when using (the default) --new-chroot (i.e. systemd-nspawn. Version-Release number of selected component (if applicable): mock-1.4.19-1.fc30.noarch systemd-container-241-12.git1e19bcd.fc30.x86_64 How reproducible: 100% Steps to Reproduce: 1.mock --root fedora-31-x86_64 --init --install selinux-policy-devel 2. 3. Actual results: Messages in the journal similar to the ones quoted above, AVC errors, failing services. Expected results: No AVC errors etc. Additional info:
Can you please check this happens also with mock v1.4.20?
I'm afraid it does: Oct 08 13:16:21 localhost.localdomain kernel: SELinux: Converting 2421 SID table entries... Oct 08 13:16:21 localhost.localdomain kernel: SELinux: Context system_u:object_r:plymouthd_var_lib_t:s0 became invalid (unmapped). Oct 08 13:16:21 localhost.localdomain kernel: SELinux: Context system_u:object_r:plymouthd_var_run_t:s0 became invalid (unmapped). Oct 08 13:16:21 localhost.localdomain kernel: SELinux: Context system_u:object_r:nfsd_exec_t:s0 became invalid (unmapped). [...] rpm -q mock says mock-1.4.20-1.fc30.noarch.
Hmm, this just worked fine on my F30 box, even with mock v1.4.19. Can you please provide your configuration? Is there something specific on your host?
It even fails in a VM. My desktop is XFCE. Using libvirt and the Virtual Machine Manager entry in the menu I create a Fedora 30 instance (again XFCE), run it, install mock and then run the command in the Steps to Reproduce. It doesn't matter if I first do "sudo usermod -a -G mock $USER" and login again (to be a member of the mock group). Just to be sure, I just create a new VM using the Fedora-Everything-netinst-x86_64-30-1.2.iso image I had lying around. Installed using the defaults mostly, except using English and installing the XFCE desktop. After it came up, I logged in, ran "sudo dnf upgrade -y" (didn't do anything remotely relevant), then installed mock from updates-testing and tested. Testing consisted of running the mock command (copy+paste from this bug report) in one window and running "journalctl -f" in another. When the selinux-policy-minimum scriptlet was getting executed, journalctl started spewing the quoted messages.
Ah, I was doing it wrong. Thanks for your patience, indeed reproducible.
Can you please try this, and provide feedback? ``` dnf copr enable praiskup/mock-fixes dnf update mock ``` Once this finishes: https://copr.fedorainfracloud.org/coprs/praiskup/mock-fixes/build/1051569/ You need mock-1.4.20-1.git.5.fe9bfeb.fc31. Pull request (you can build on your own): https://github.com/rpm-software-management/mock/pull/371
Seems to work. No more nasty SELinux messages when the RPMs get installed. I used mock-1.4.20-1.git.5.fe9bfeb.fc30.noarch (not fc31) since this was on a Fedora 30 VM, but of course installing the Fedora 31 environment.
Thank you for confirmation.
*** Bug 1761201 has been marked as a duplicate of this bug. ***
This issue is pretty serious; I'd vote for new mock release to get this fixed.
*** Bug 1754807 has been marked as a duplicate of this bug. ***
*** Bug 1767097 has been marked as a duplicate of this bug. ***
The recipe given in bug 1767097 solved that problem for me. This was for using mock on fc31 to build fc31 packages. Are we sure these are the same issues?
I protest, #1767097 does not seem to be duplicate of this issue, more explanation at: https://bugzilla.redhat.com/show_bug.cgi?id=1767097#c5
I am pretty sure it is the same. See https://bugzilla.redhat.com/show_bug.cgi?id=1754807#c10 for the same symptomps. You can check nightly builds https://copr.fedorainfracloud.org/coprs/g/mock/mock/ if it fix your issue.
FEDORA-2019-c6079af90e has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c6079af90e
FEDORA-2019-ad7ecf205b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ad7ecf205b
FEDORA-EPEL-2019-0549ec172d has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-0549ec172d
FEDORA-EPEL-2019-3687ce895a has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3687ce895a
FEDORA-2019-755583cbdf has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-755583cbdf
mock-1.4.21-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c6079af90e
mock-1.4.21-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-0549ec172d
mock-1.4.21-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3687ce895a
mock-1.4.21-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ad7ecf205b
mock-1.4.21-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-755583cbdf
mock-1.4.21-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
mock-1.4.21-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
mock-1.4.21-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
mock-1.4.21-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.
mock-1.4.21-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.