Bug 1756972 - building Fedora 31 packages on Fedora 30 cause SELinux contexts to be unmapped
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mock
Version: 30
Assignee: Miroslav Suchý
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1761201
Reported: 2019-09-30 10:57 UTC by Sjoerd Mullender
Modified: 2019-11-17 04:26 UTC (History)

Fixed In Version: mock-1.4.21-1.fc31 mock-1.4.21-1.fc30 mock-1.4.21-1.fc29 mock-1.4.21-1.el8 mock-1.4.21-1.el7
Last Closed: 2019-11-05 04:15:14 UTC
Type: Bug

Description Sjoerd Mullender 2019-09-30 10:57:04 UTC
Description of problem:
I'm not sure this is a problem in mock or systemd, but anyways, here goes.

When using mock to build Fedora 31 packages on a Fedora 30 system, at about the time that the Fedora 31 selinux packages get installed into the chroot environment, the Fedora 30 host starts logging these messages:

Sep 30 11:37:00 monetdb3.spin-off.cwi.nl kernel: SELinux:  Converting 2326 SID table entries...
Sep 30 11:37:00 monetdb3.spin-off.cwi.nl kernel: SELinux:  Context system_u:object_r:plymouthd_var_run_t:s0 became invalid (unmapped).
Sep 30 11:37:00 monetdb3.spin-off.cwi.nl kernel: SELinux:  Context system_u:object_r:nfsd_exec_t:s0 became invalid (unmapped).
Sep 30 11:37:00 monetdb3.spin-off.cwi.nl kernel: SELinux:  Context system_u:system_r:nfsd_t:s0 became invalid (unmapped).
[...]

After this, there are lots of AVC denied messages and services start dying (e.g. httpd, mailman, and various others).

This does not happen when mock is called with --old-chroot, only when using (the default) --new-chroot (i.e. systemd-nspawn).

Version-Release number of selected component (if applicable):
mock-1.4.19-1.fc30.noarch
systemd-container-241-12.git1e19bcd.fc30.x86_64


How reproducible:
100%

Steps to Reproduce:
1. mock --root fedora-31-x86_64 --init --install selinux-policy-devel

Actual results:
Messages in the journal similar to the ones quoted above, AVC errors, failing services.

Expected results:
No AVC errors etc.

Additional info:

Comment 1 Pavel Raiskup 2019-10-08 10:59:00 UTC
Can you please check this happens also with mock v1.4.20?

Comment 2 Sjoerd Mullender 2019-10-08 11:25:53 UTC
I'm afraid it does:
Oct 08 13:16:21 localhost.localdomain kernel: SELinux:  Converting 2421 SID table entries...
Oct 08 13:16:21 localhost.localdomain kernel: SELinux:  Context system_u:object_r:plymouthd_var_lib_t:s0 became invalid (unmapped).
Oct 08 13:16:21 localhost.localdomain kernel: SELinux:  Context system_u:object_r:plymouthd_var_run_t:s0 became invalid (unmapped).
Oct 08 13:16:21 localhost.localdomain kernel: SELinux:  Context system_u:object_r:nfsd_exec_t:s0 became invalid (unmapped).
[...]

rpm -q mock says mock-1.4.20-1.fc30.noarch.
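
Added example (not part of the bug report, its comments, or mock itself): a Python check that scans kernel journal lines in the format quoted above and groups the "became invalid (unmapped)" contexts under the policy reload that preceded them, to confirm whether a host was hit. The function names and the sample lines (hostname shortened, first reload line constructed) are assumptions of this example.

```python
import re
import sys

# Kernel message formats as quoted in this bug report.
CONVERT_RE = re.compile(r"kernel: SELinux:\s+Converting (\d+) SID table entries")
UNMAPPED_RE = re.compile(
    r"kernel: SELinux:\s+Context (\S+) became invalid \(unmapped\)")

# Constructed sample: line 1 is a reload that unmapped nothing; the rest
# follow the lines in the report with the hostname replaced by "host".
SAMPLE = """\
Sep 30 11:36:10 host kernel: SELinux:  Converting 2300 SID table entries...
Sep 30 11:37:00 host kernel: SELinux:  Converting 2326 SID table entries...
Sep 30 11:37:00 host kernel: SELinux:  Context system_u:object_r:plymouthd_var_run_t:s0 became invalid (unmapped).
Sep 30 11:37:00 host kernel: SELinux:  Context system_u:object_r:nfsd_exec_t:s0 became invalid (unmapped).
Sep 30 11:37:00 host kernel: SELinux:  Context system_u:system_r:nfsd_t:s0 became invalid (unmapped).
""".splitlines()

def find_unmapped_events(lines):
    """Group unmapped-context messages under the preceding policy reload."""
    events, current = [], None
    for line in lines:
        m = CONVERT_RE.search(line)
        if m:
            current = {"sid_entries": int(m.group(1)), "contexts": []}
            events.append(current)
            continue
        m = UNMAPPED_RE.search(line)
        if m:
            if current is None:  # log window started after the reload line
                current = {"sid_entries": None, "contexts": []}
                events.append(current)
            current["contexts"].append(m.group(1))
    # Reloads with no unmapped contexts are dropped from the result.
    return [e for e in events if e["contexts"]]

def unmapped_types(event):
    """Sorted SELinux types (third field of user:role:type:level)."""
    types = set()
    for ctx in event["contexts"]:
        parts = ctx.split(":")
        if len(parts) >= 3:  # skip anything that is not a full context
            types.add(parts[2])
    return sorted(types)

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for ev in find_unmapped_events(source):
        print(f"policy reload ({ev['sid_entries']} SIDs) unmapped "
              f"{len(ev['contexts'])} contexts: {', '.join(unmapped_types(ev))}")
```

On a host, feed it the kernel log, e.g. `journalctl -k | python3 check_unmapped.py` (the script file name is hypothetical); no output means no reload in that window unmapped any context.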

Comment 3 Pavel Raiskup 2019-10-08 12:05:17 UTC
Hmm, this just worked fine on my F30 box, even with mock v1.4.19.  Can you please
provide your configuration? Is there something specific on your host?

Comment 4 Sjoerd Mullender 2019-10-08 13:00:17 UTC
It even fails in a VM.  My desktop is XFCE.
Using libvirt and the Virtual Machine Manager entry in the menu I create a Fedora 30 instance (again XFCE), run it, install mock and then run the command in the Steps to Reproduce.  It doesn't matter if I first do "sudo usermod -a -G mock $USER" and log in again (to be a member of the mock group).

Just to be sure, I just created a new VM using the Fedora-Everything-netinst-x86_64-30-1.2.iso image I had lying around.  Installed using the defaults mostly, except using English and installing the XFCE desktop.  After it came up, I logged in, ran "sudo dnf upgrade -y" (didn't do anything remotely relevant), then installed mock from updates-testing and tested.  Testing consisted of running the mock command (copy+paste from this bug report) in one window and running "journalctl -f" in another.  When the selinux-policy-minimum scriptlet was getting executed, journalctl started spewing the quoted messages.

Comment 5 Pavel Raiskup 2019-10-09 08:01:11 UTC
Ah, I was doing it wrong.  Thanks for your patience, indeed reproducible.

Comment 6 Pavel Raiskup 2019-10-09 14:10:18 UTC
Can you please try this, and provide feedback?
```
dnf copr enable praiskup/mock-fixes
dnf update mock
```

Once this finishes:
https://copr.fedorainfracloud.org/coprs/praiskup/mock-fixes/build/1051569/

You need mock-1.4.20-1.git.5.fe9bfeb.fc31.

Pull request (you can build on your own):
https://github.com/rpm-software-management/mock/pull/371

Comment 7 Sjoerd Mullender 2019-10-09 14:29:50 UTC
Seems to work.  No more nasty SELinux messages when the RPMs get installed.
I used mock-1.4.20-1.git.5.fe9bfeb.fc30.noarch (not fc31) since this was on a Fedora 30 VM, but of course installing the Fedora 31 environment.

Comment 8 Pavel Raiskup 2019-10-10 04:39:58 UTC
Thank you for confirmation.

Comment 9 Miro Hrončok 2019-10-13 17:46:24 UTC
*** Bug 1761201 has been marked as a duplicate of this bug. ***

Comment 10 Pavel Raiskup 2019-10-13 18:29:39 UTC
This issue is pretty serious; I'd vote for a new mock release to get this fixed.

Comment 11 Miroslav Suchý 2019-10-15 09:32:11 UTC
*** Bug 1754807 has been marked as a duplicate of this bug. ***

Comment 12 Miroslav Suchý 2019-10-31 09:03:09 UTC
*** Bug 1767097 has been marked as a duplicate of this bug. ***

Comment 13 Sammy 2019-10-31 13:33:01 UTC
The recipe given in bug 1767097 solved that problem for me. This was for using mock on fc31 to build fc31 packages. Are we sure these are the same issues?

Comment 14 Markus Linnala 2019-10-31 13:34:48 UTC
I protest, #1767097 does not seem to be a duplicate of this issue, more explanation at:
https://bugzilla.redhat.com/show_bug.cgi?id=1767097#c5

Comment 15 Miroslav Suchý 2019-11-01 08:04:17 UTC
I am pretty sure it is the same. See https://bugzilla.redhat.com/show_bug.cgi?id=1754807#c10 for the same symptoms. You can check nightly builds https://copr.fedorainfracloud.org/coprs/g/mock/mock/ if it fixes your issue.

Comment 16 Fedora Update System 2019-11-01 14:16:02 UTC
FEDORA-2019-c6079af90e has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c6079af90e

Comment 17 Fedora Update System 2019-11-01 14:16:05 UTC
FEDORA-2019-ad7ecf205b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ad7ecf205b

Comment 18 Fedora Update System 2019-11-01 14:16:09 UTC
FEDORA-EPEL-2019-0549ec172d has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-0549ec172d

Comment 19 Fedora Update System 2019-11-01 14:16:11 UTC
FEDORA-EPEL-2019-3687ce895a has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3687ce895a

Comment 20 Fedora Update System 2019-11-01 14:16:17 UTC
FEDORA-2019-755583cbdf has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-755583cbdf

Comment 21 Fedora Update System 2019-11-02 02:26:40 UTC
mock-1.4.21-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c6079af90e

Comment 22 Fedora Update System 2019-11-02 02:38:55 UTC
mock-1.4.21-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-0549ec172d

Comment 23 Fedora Update System 2019-11-02 04:09:45 UTC
mock-1.4.21-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3687ce895a

Comment 24 Fedora Update System 2019-11-02 04:13:32 UTC
mock-1.4.21-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ad7ecf205b

Comment 25 Fedora Update System 2019-11-03 06:01:30 UTC
mock-1.4.21-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-755583cbdf

Comment 26 Fedora Update System 2019-11-05 04:15:14 UTC
mock-1.4.21-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2019-11-06 12:50:45 UTC
mock-1.4.21-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2019-11-10 01:07:08 UTC
mock-1.4.21-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2019-11-17 04:22:44 UTC
mock-1.4.21-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2019-11-17 04:26:27 UTC
mock-1.4.21-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

