Bug 2061141 - rpm --rebuilddb issue with /usr/lib/sysimage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Duplicates: 2061211
Depends On:
Blocks: F36BetaFreezeException 2042099
 
Reported: 2022-03-06 07:27 UTC by Alessio
Modified: 2022-03-29 16:19 UTC (History)

Fixed In Version: selinux-policy-36.5-1.fc36
Last Closed: 2022-03-24 19:34:06 UTC
Type: Bug
Embargoed:
alciregi: fedora_prioritized_bug?



Description Alessio 2022-03-06 07:27:34 UTC
Fresh install of Fedora Workstation 36

$ sudo rpm --rebuilddb

error: failed to create directory /usr/lib/sysimage/rpmrebuilddb.28807: Permission denied

journalctl content:

mar 06 08:11:44 audit[28807]: AVC avc:  denied  { write } for  pid=28807 comm="rpmdb" name="sysimage" dev="dm-0" ino=5209 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0


After disabling SELinux, the command works.

Re-enabling SELinux and issuing the command leads to:

error: can't create transaction lock on /usr/lib/sysimage/rpm/.rpm.lock (No such file or directory)

mar 06 08:26:36 audit[29040]: AVC avc:  denied  { write } for  pid=29040 comm="rpmdb" name="rpm" dev="dm-0" ino=225142 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0





rpm-plugin-selinux-4.17.0-9.fc36.x86_64
selinux-policy-36.3-1.fc36.noarch
selinux-policy-targeted-36.3-1.fc36.noarch

Comment 1 Alessio 2022-03-12 11:06:24 UTC
I think that this is not a critical issue, but, as I can imagine, since it involves this Fedora 36 ChangeSet https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr, it should be addressed before the release.

Comment 2 Zdenek Pytela 2022-03-14 11:58:33 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1107

Comment 3 Zdenek Pytela 2022-03-14 12:02:35 UTC
*** Bug 2061211 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Blocker Bugs Application 2022-03-20 21:37:28 UTC
Proposed as a Freeze Exception for 36-beta by Fedora user ngompa using the blocker tracking app because:

 This bug has a potential to cause problems with upgrades to F36 and it would be good to have this fix in now. selinux-policy-36.5 exists upstream with a fix that just needs to be built and shipped.

Comment 5 Fedora Update System 2022-03-21 11:10:03 UTC
FEDORA-2022-b0805acc47 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

Comment 6 Fedora Update System 2022-03-21 15:50:01 UTC
FEDORA-2022-b0805acc47 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-b0805acc47`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Chris Murphy 2022-03-21 17:32:46 UTC
I just did a clean install of f35, updated it, then ran dnf system upgrade to f36.

$ journalctl -b | grep AVC
Mar 21 11:21:56 fedora audit[585]: AVC avc:  denied  { read } for  pid=585 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15715 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc:  denied  { read } for  pid=585 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15715 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc:  denied  { read } for  pid=585 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15735 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc:  denied  { read } for  pid=585 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15735 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc:  denied  { read } for  pid=585 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15736 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Mar 21 11:21:56 fedora audit[585]: AVC avc:  denied  { read } for  pid=585 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=15736 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
$ rpm -q selinux-policy
selinux-policy-36.3-1.fc36.noarch

# ls -l /var/lib/rpm
lrwxrwxrwx. 1 root root 26 Mar 21 11:22 /var/lib/rpm -> ../../usr/lib/sysimage/rpm

# ls -la /usr/lib/sysimage/rpm/
total 51144
drwxr-xr-x. 1 root root       88 Mar 21 11:21 .
drwxr-xr-x. 1 root root        6 Mar 21 11:22 ..
-rw-r--r--. 1 root root 52338688 Mar 21 11:22 rpmdb.sqlite
-rw-r--r--. 1 root root    32768 Mar 21 11:23 rpmdb.sqlite-shm
-rw-r--r--. 1 root root        0 Mar 21 11:22 rpmdb.sqlite-wal

# journalctl -b | grep rpmdb
Mar 21 11:21:56 fedora systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rpmdb-migrate.service
Mar 21 11:21:56 fedora systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rpmdb-rebuild.service
Mar 21 11:21:56 fedora systemd[1]: rpmdb-migrate.service: Installed new job rpmdb-migrate.service/start as 247
Mar 21 11:21:56 fedora systemd[1]: rpmdb-rebuild.service: Installed new job rpmdb-rebuild.service/start as 219
Mar 21 11:21:56 fedora systemd-tmpfiles[588]: Entry "/var/lib/dnf/rpmdb_lock.pid" does not match any include prefix, skipping.
Mar 21 11:21:57 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd-tmpfiles[692]: Running remove action for entry r /var/lib/dnf/rpmdb_lock.pid
Mar 21 11:21:58 fedora systemd-tmpfiles[692]: Running create action for entry r /var/lib/dnf/rpmdb_lock.pid
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: ConditionPathExists=/var/lib/rpm/.migratedb succeeded.
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: Passing 0 fds to service
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: About to execute /usr/lib/rpm/rpmdb_migrate
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: Forked /usr/lib/rpm/rpmdb_migrate as 725
Mar 21 11:21:58 fedora systemd[1]: rpmdb-migrate.service: Changed dead -> start
Mar 21 11:21:58 fedora systemd[1]: Starting rpmdb-migrate.service - RPM database migration to /usr...
Mar 21 11:21:58 fedora systemd[725]: rpmdb-migrate.service: Executing: /usr/lib/rpm/rpmdb_migrate
Mar 21 11:21:58 fedora systemd[1]: rpmdb-rebuild.service: ConditionPathExists=/usr/lib/sysimage/rpm/.rebuilddb failed.
Mar 21 11:21:58 fedora systemd[1]: rpmdb-rebuild.service: Starting requested but condition failed. Not starting unit.
Mar 21 11:21:58 fedora systemd[1]: rpmdb-rebuild.service: Job 219 rpmdb-rebuild.service/start finished, result=done
Mar 21 11:21:58 fedora systemd[1]: rpmdb-rebuild.service - RPM database rebuild was skipped because of a failed condition check (ConditionPathExists=/usr/lib/sysimage/rpm/.rebuilddb).
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:21:58 fedora systemd[1]: basic.target: starting held back, waiting for: rpmdb-migrate.service
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/rpmdb.sqlite'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/rpmdb.sqlite-shm'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/rpmdb.sqlite-wal'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/.migratedb'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed '/var/lib/rpm/.rpm.lock'
Mar 21 11:22:00 fedora rpmdb_migrate[735]: removed directory '/var/lib/rpm'
Mar 21 11:22:00 fedora rpmdb_migrate[736]: '/var/lib/rpm' -> '../../usr/lib/sysimage/rpm'
Mar 21 11:22:00 fedora systemd[1]: Received SIGCHLD from PID 725 (rpmdb_migrate).
Mar 21 11:22:00 fedora systemd[1]: Child 725 (rpmdb_migrate) died (code=exited, status=0/SUCCESS)
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Child 725 belongs to rpmdb-migrate.service.
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Main process exited, code=exited, status=0/SUCCESS (success)
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Deactivated successfully.
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Service will not restart (restart setting)
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Changed start -> dead
Mar 21 11:22:00 fedora systemd[1]: varlink-62: Sending message: {"parameters":{"cgroups":[{"mode":"auto","path":"/system.slice/rpmdb-migrate.service","property":"ManagedOOMSwap"},{"mode":"auto","path":"/system.slice/rpmdb-migrate.service","property":"ManagedOOMMemoryPressure"}]},"continues":true}
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Failed to delete cgroup entry from LSM BPF map: No such file or directory
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Job 247 rpmdb-migrate.service/start finished, result=done
Mar 21 11:22:00 fedora systemd[1]: Finished rpmdb-migrate.service - RPM database migration to /usr.
Mar 21 11:22:00 fedora systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/rpmdb_2dmigrate_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=50 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 21 11:22:00 fedora systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/rpmdb_2dmigrate_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=51 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 21 11:22:00 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpmdb-migrate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 21 11:22:00 fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpmdb-migrate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Consumed 964ms CPU time.
Mar 21 11:22:00 fedora systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/rpmdb_2dmigrate_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=53 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 21 11:22:00 fedora systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/rpmdb_2dmigrate_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=54 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Mar 21 11:22:00 fedora systemd[1]: rpmdb-migrate.service: Control group is empty.
Mar 21 11:22:00 fedora systemd-oomd[697]: oomd: New incoming message: {"parameters":{"cgroups":[{"mode":"auto","path":"/system.slice/rpmdb-migrate.service","property":"ManagedOOMSwap"},{"mode":"auto","path":"/system.slice/rpmdb-migrate.service","property":"ManagedOOMMemoryPressure"}]},"continues":true}
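
A triage sketch for the AVC records quoted in the description and in comment 7, added here as an example and not part of the bug report or of selinux-policy: it groups denials by source type, target type, class and permission, so the rpmdb_t write to a usr_t directory is separated from the systemd-sysctl denials. The function names are hypothetical; the sample lines are copied from this report with timestamps trimmed.

```python
import re
from collections import Counter

# AVC records copied from this report (description and comment 7), timestamps trimmed.
SAMPLE = """\
audit[28807]: AVC avc:  denied  { write } for  pid=28807 comm="rpmdb" name="sysimage" dev="dm-0" ino=5209 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
audit[29040]: AVC avc:  denied  { write } for  pid=29040 comm="rpmdb" name="rpm" dev="dm-0" ino=225142 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
audit[585]: AVC avc:  denied  { read } for  pid=585 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=15715 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
audit[585]: AVC avc:  denied  { read } for  pid=585 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=15735 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Type field of a user:role:type[:level] context; policy rules are written on types."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    rec["source_type"] = context_type(rec.get("scontext"))
    rec["target_type"] = context_type(rec.get("tcontext"))
    # A record without both types is truncated and cannot be attributed to a rule.
    return rec if rec["source_type"] and rec["target_type"] else None

def summarize(text, comm=None):
    """Count denials per (source type, target type, class, perms), optionally for one comm."""
    counts, objects = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec.get("comm") != comm):
            continue
        key = (rec["source_type"], rec["target_type"], rec.get("tclass"), rec["perms"])
        counts[key] += 1
        objects.setdefault(key, set()).add(rec.get("name", "?"))
    return counts, objects

if __name__ == "__main__":
    counts, objects = summarize(SAMPLE)
    for key, n in counts.most_common():
        print(n, key, sorted(objects[key]))
```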

Comment 8 Geoffrey Marr 2022-03-21 18:08:15 UTC
Discussed during the 2022-03-21 blocker review meeting: [0]

The decision to classify this bug as an "AcceptedFreezeException (Beta)" was made as it is a noticeable issue that cannot be fixed with an update.

[0] https://meetbot.fedoraproject.org/fedora-blocker-review/2022-03-21/f36-blocker-review.2022-03-21-16.01.txt

Comment 9 Fedora Update System 2022-03-21 23:02:43 UTC
FEDORA-2022-c564d315fc has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-c564d315fc

Comment 10 Neal Gompa 2022-03-21 23:04:12 UTC
Bleh, wrong bug...

Comment 11 Fedora Update System 2022-03-24 19:34:06 UTC
FEDORA-2022-b0805acc47 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

