Bug 1906289 - rpm --initdb fails with error code 255
Summary: rpm --initdb fails with error code 255
Keywords:
Status: CLOSED DUPLICATE of bug 1901961
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-12-10 06:42 UTC by Rama McIntosh
Modified: 2021-01-19 16:52 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-04 12:17:49 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
SELinux denials which appeared in enforcing mode (26.30 KB, text/plain)
2020-12-10 09:33 UTC, Milos Malik 		no flags Details
SELinux denials which appeared in permissive mode (18.00 KB, text/plain)
2020-12-10 09:35 UTC, Milos Malik 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1461313 0 high CLOSED Rebuilding of rpm db set wrong SELinux context 2023-02-01 00:52:31 UTC
Red Hat Bugzilla 1899548 0 medium CLOSED the rpmdb program triggers SELinux denials 2021-03-04 14:32:31 UTC
Red Hat Bugzilla 1901961 0 medium CLOSED New rpmdb policy prevents rpmdb --init --root <path> 2023-09-15 01:31:24 UTC

Description Rama McIntosh 2020-12-10 06:42:45 UTC 
Description of problem:  rpm --initdb silently fails, no db is created.  I'm attempting to build qubes-os on Fedora but it fails initalizing the rpm databae.

Version-Release number of selected component (if applicable):
Fedora 33: rpm 4.16.0-5.fc33
Fedora 32: rpm 4.15.1-3.fc32.1

How reproducible:
Follow example here:  https://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/ch04s05s03.html


Steps to Reproduce:
1. mkdir /tmp/rpm
2. rpm --initdb --dbpath /tmp/rpm
3. echo $?
4. ls /tmp/rpm

Actual results:
rpm exit code is 255 and /tmp/rpm is empty

Expected results:
A new rpm databased should be in /tmp/rpm

Additional info:
Comment 1 Panu Matilainen 2020-12-10 09:04:42 UTC 
The new selinux-policy is preventing both rpmdb from initializing a database in an arbitrary location and also from logging an error about it.
Comment 2 Milos Malik 2020-12-10 09:28:43 UTC 
After removing the dontaudit rules, the Steps to Reproduce lead to several SELinux denials which will be attached. Here is a summary from audit2allow:

#============= rpmdb_t ==============
allow rpmdb_t net_conf_t:file { getattr open };
allow rpmdb_t nscd_var_run_t:dir search;
allow rpmdb_t passwd_file_t:file open;
allow rpmdb_t self:capability net_admin;
allow rpmdb_t sssd_var_lib_t:dir search;
allow rpmdb_t system_dbusd_var_run_t:dir search;

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow rpmdb_t user_devpts_t:chr_file { read write };
allow rpmdb_t user_tmp_t:dir { getattr search };
Comment 3 Milos Malik 2020-12-10 09:33:18 UTC 
Created attachment 1738148 [details]
SELinux denials which appeared in enforcing mode
Comment 4 Milos Malik 2020-12-10 09:35:39 UTC 
Created attachment 1738149 [details]
SELinux denials which appeared in permissive mode
Comment 5 Panu Matilainen 2020-12-10 09:55:32 UTC 
The first half of that, ie the name services and network part, can (continue to) be ignored/denied. rpmdb doesn't actually need them for anything and in fact they should be gone entirely in rpm >= 4.16.1 when released.
Comment 6 Rama McIntosh 2020-12-12 14:01:52 UTC 
Thanks everyone.   As this is a selinux issue, I'm able to continue to build qubes-os by using a boxes vm with `sudo setenforce 0` to work around selinux causing rpm to fail.    Dropping the priority to medium.

Thanks for the quick response.
Comment 7 Zdenek Pytela 2021-01-04 12:17:49 UTC 

*** This bug has been marked as a duplicate of bug 1901961 ***
Note You need to log in before you can comment on or make changes to this bug.