Bug 1906289 - rpm --initdb fails with error code 255
Summary: rpm --initdb fails with error code 255
Status: CLOSED DUPLICATE of bug 1901961
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-12-10 06:42 UTC by Rama McIntosh
Modified: 2021-01-19 16:52 UTC

Last Closed: 2021-01-04 12:17:49 UTC
Type: Bug

Attachments
SELinux denials which appeared in enforcing mode (26.30 KB, text/plain)
2020-12-10 09:33 UTC, Milos Malik
SELinux denials which appeared in permissive mode (18.00 KB, text/plain)
2020-12-10 09:35 UTC, Milos Malik

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 1461313 | 0 | high | CLOSED | Rebuilding of rpm db set wrong SELinux context | 2021-06-09 05:38:49 UTC |
| Red Hat Bugzilla | 1899548 | 0 | medium | CLOSED | the rpmdb program triggers SELinux denials | 2021-03-04 14:32:31 UTC |
| Red Hat Bugzilla | 1901961 | 0 | medium | NEW | New rpmdb policy prevents rpmdb --init --root <path> | 2021-02-22 00:41:40 UTC |

Description Rama McIntosh 2020-12-10 06:42:45 UTC
Description of problem: rpm --initdb silently fails, no db is created. I'm attempting to build qubes-os on Fedora but it fails initializing the rpm database.

Version-Release number of selected component (if applicable):
Fedora 33: rpm 4.16.0-5.fc33
Fedora 32: rpm 4.15.1-3.fc32.1

How reproducible:
Follow example here:  https://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/ch04s05s03.html

Steps to Reproduce:
1. mkdir /tmp/rpm
2. rpm --initdb --dbpath /tmp/rpm
3. echo $?
4. ls /tmp/rpm

Actual results:
rpm exit code is 255 and /tmp/rpm is empty

Expected results:
A new rpm database should be in /tmp/rpm

Additional info:

Comment 1 Panu Matilainen 2020-12-10 09:04:42 UTC
The new selinux-policy is preventing both rpmdb from initializing a database in an arbitrary location and also from logging an error about it.

Comment 2 Milos Malik 2020-12-10 09:28:43 UTC
After removing the dontaudit rules, the Steps to Reproduce lead to several SELinux denials which will be attached. Here is a summary from audit2allow:

#============= rpmdb_t ==============
allow rpmdb_t net_conf_t:file { getattr open };
allow rpmdb_t nscd_var_run_t:dir search;
allow rpmdb_t passwd_file_t:file open;
allow rpmdb_t self:capability net_admin;
allow rpmdb_t sssd_var_lib_t:dir search;
allow rpmdb_t system_dbusd_var_run_t:dir search;

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow rpmdb_t user_devpts_t:chr_file { read write };
allow rpmdb_t user_tmp_t:dir { getattr search };

Comment 3 Milos Malik 2020-12-10 09:33:18 UTC
Created attachment 1738148
SELinux denials which appeared in enforcing mode

Comment 4 Milos Malik 2020-12-10 09:35:39 UTC
Created attachment 1738149
SELinux denials which appeared in permissive mode

Comment 5 Panu Matilainen 2020-12-10 09:55:32 UTC
The first half of that, i.e. the name services and network part, can (continue to) be ignored/denied. rpmdb doesn't actually need them for anything and in fact they should be gone entirely in rpm >= 4.16.1 when released.
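
An added example, not part of the bug thread or of any commenter's post: a small Python triage of AVC denial records that rebuilds an audit2allow-style summary like the one in Comment 2 and separates the name-service/network rules that Comment 5 says can stay denied from the rest. The sample records are constructed, and the set of types treated as name-service related is an assumption read from the order of Comment 2's list.

```python
import re
from collections import defaultdict

# Constructed AVC records in audit.log format (not the attachments from this bug).
SAMPLE_AVC = """\
type=AVC msg=audit(1607592500.101:501): avc:  denied  { getattr } for  pid=4242 comm="rpmdb" path="/etc/resolv.conf" scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1607592500.102:502): avc:  denied  { open } for  pid=4242 comm="rpmdb" path="/etc/resolv.conf" scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1607592500.103:503): avc:  denied  { net_admin } for  pid=4242 comm="rpmdb" capability=12  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1607592500.104:504): avc:  denied  { read write } for  pid=4242 comm="rpmdb" path="/dev/pts/0" scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1607592500.105:505): avc:  denied  { search } for  pid=4242 comm="rpmdb" name="rpm" scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1607592500.106:506): avc:  denied  { getattr } for  pid=4242 comm="rpmdb" path="/tmp/rpm" scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1607592500.107:507): avc:  denied  { read } for  pid=999 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]+)\}.*\bscontext=\w+:\w+:(\w+)\S*"
                    r"\s+tcontext=\w+:\w+:(\w+)\S*\s+tclass=(\w+)")
# Assumption: the "name services and network part" of Comment 2's list is these target types.
NAME_SERVICE_TYPES = {"net_conf_t", "nscd_var_run_t", "passwd_file_t",
                      "sssd_var_lib_t", "system_dbusd_var_run_t"}

def summarize(log_text, domain="rpmdb_t"):
    """Merge denials for one source domain into {(target type, class): permissions}."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(2) != domain:
            continue
        target = "self" if m.group(3) == domain else m.group(3)  # as audit2allow prints it
        perms[(target, m.group(4))].update(m.group(1).split())
    return perms

def triage(perms, domain="rpmdb_t"):
    """Render allow-rule text and split it into name-service/network rules and the rest."""
    ignorable, relevant = [], []
    for (target, tclass), granted in sorted(perms.items()):
        names = sorted(granted)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rule = f"allow {domain} {target}:{tclass} {body};"
        name_service = target in NAME_SERVICE_TYPES or (target, tclass) == ("self", "capability")
        (ignorable if name_service else relevant).append(rule)
    return ignorable, relevant

if __name__ == "__main__":
    ignorable, relevant = triage(summarize(SAMPLE_AVC))
    print("Can stay denied (name services / network):", *ignorable, sep="\n  ")
    print("Remaining denials to review:", *relevant, sep="\n  ")
```

With the constructed input, the remaining rules are the ones on `user_devpts_t` and `user_tmp_t`, which line up with the two effects named in Comment 1: no error logged to the terminal and no database created under the chosen path.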

Comment 6 Rama McIntosh 2020-12-12 14:01:52 UTC
Thanks everyone. As this is a selinux issue, I'm able to continue to build qubes-os by using a boxes vm with `sudo setenforce 0` to work around selinux causing rpm to fail. Dropping the priority to medium.

Thanks for the quick response.

Comment 7 Zdenek Pytela 2021-01-04 12:17:49 UTC

*** This bug has been marked as a duplicate of bug 1901961 ***
