Bug 2094683 - policycoreutils 3.4 appears to break setfiles in chroot
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libselinux
Version: CentOS Stream
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Petr Lautrbach
QA Contact: Milos Malik
Reported: 2022-06-08 07:49 UTC by Ian Wienand
Modified: 2022-06-29 08:25 UTC (History)

Last Closed: 2022-06-29 08:25:21 UTC
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-124615 0 None None None 2022-06-08 07:59:54 UTC

Description Ian Wienand 2022-06-08 07:49:58 UTC
We build 9-stream in a chroot environment on top of a Debian Buster host using diskimage-builder.

Essentially we build up the 9-stream chroot environment then run

 $ sudo chroot <9-stream-chroot> /usr/sbin/setfiles -F /etc/selinux/targeted/contexts/files/file_contexts /

This started failing with a message like

 2022-06-08 06:48:09.313 | /usr/sbin/setfiles: Could not set context for /usr/include:  No such file or directory

for every single file.  I've run this under strace now and can see the following operations for each file

 73896 openat(AT_FDCWD, "/etc/hostname", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
 73896 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=1, ...}, AT_EMPTY_PATH) = 0
 73896 fgetxattr(3, "security.selinux", 0x55848464a2b0, 255) = -1 EBADF (Bad file descriptor)
 73896 fcntl(3, F_GETFL)                 = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
 73896 getxattr("/proc/self/fd/3", "security.selinux", 0x55848464a2b0, 255) = -1 ENOENT (No such file or directory)
 73896 write(2, "/usr/sbin/setfiles: ", 20) = 20
 73896 write(2, "Could not set context for /etc/h"..., 68) = 68
 73896 close(3)                          = 0

Nothing has changed in our code in this time.  I haven't been able to roll back, but the last time this worked it seemed to be using [1]

 2022-06-06 22:34:01.894 | > Package python3-policycoreutils-3.3-5.el9.noarch is already installed.

but now (two days later) we have python3-policycoreutils-3.4-1.el9.noarch (unfortunately this doesn't list in this log the policycoreutils package but I'm assuming it's all the same build).

[1] https://docs.openstack.org/diskimage-builder/latest/
[2] https://opendev.org/openstack/diskimage-builder/src/branch/master/diskimage_builder/elements//rpm-distro/cleanup.d/99-selinux-fixfiles-restore#L95
[3] https://zuul.opendev.org/t/openstack/build/fc88b2a71c7146cf8a2bbc5334819c49/logs
[4] https://zuul.opendev.org/t/openstack/build/f52ad90b96254c37a13d9327efbf03b5/logs
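
The failing pair of calls in the strace excerpt above (fgetxattr on an O_PATH descriptor returning EBADF, then the /proc/self/fd/N lookup returning ENOENT) can be picked out of a full trace mechanically. This is an added example, not part of the bug report or of libselinux; the sample trace is constructed from the excerpt, with a second, succeeding file invented for contrast, and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the strace excerpt in the description.
# The /etc/passwd lines are invented to show a lookup that succeeds.
SAMPLE = """\
73896 openat(AT_FDCWD, "/etc/hostname", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
73896 fgetxattr(3, "security.selinux", 0x55848464a2b0, 255) = -1 EBADF (Bad file descriptor)
73896 getxattr("/proc/self/fd/3", "security.selinux", 0x55848464a2b0, 255) = -1 ENOENT (No such file or directory)
73896 close(3)                          = 0
73896 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
73896 fgetxattr(3, "security.selinux", 0x55848464a2b0, 255) = -1 EBADF (Bad file descriptor)
73896 getxattr("/proc/self/fd/3", "security.selinux", "system_u:object_r:passwd_file_t:s0", 255) = 35
73896 close(3)                          = 0
"""

OPEN_RE = re.compile(r'^(\d+) openat\(AT_FDCWD, "([^"]+)", ([A-Z_|]+)(?:, \d+)?\)\s*=\s*(\d+)\s*$')
FGET_RE = re.compile(r'^(\d+) fgetxattr\((\d+), "security\.selinux", .*\)\s*=\s*-1 EBADF\b')
PROC_RE = re.compile(r'^(\d+) getxattr\("/proc/self/fd/(\d+)", "security\.selinux", .*\)\s*=\s*-1 ENOENT\b')
CLOSE_RE = re.compile(r'^(\d+) close\((\d+)\)\s*=\s*0\b')


def find_broken_fallbacks(trace):
    """Return paths whose label lookup failed on the O_PATH fd and on /proc/self/fd/N."""
    fds = {}       # (pid, fd) -> path, only for descriptors opened with O_PATH
    ebadf = set()  # (pid, fd) whose fgetxattr already returned EBADF
    hits = []
    for line in trace.splitlines():
        if m := OPEN_RE.match(line):
            pid, path, flags, fd = m.groups()
            ebadf.discard((pid, fd))          # fd number reused: forget old state
            if "O_PATH" in flags.split("|"):
                fds[(pid, fd)] = path
            else:
                fds.pop((pid, fd), None)
        elif m := FGET_RE.match(line):
            if m.groups() in fds:
                ebadf.add(m.groups())
        elif m := PROC_RE.match(line):
            # ENOENT here means the /proc/self/fd/N path did not resolve
            if m.groups() in ebadf:
                hits.append(fds[m.groups()])
        elif m := CLOSE_RE.match(line):
            fds.pop(m.groups(), None)
            ebadf.discard(m.groups())
    return hits
```

Any path returned means the process could not resolve /proc/self/fd/N from where it was running, which is the signature reported in this bug.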

Comment 1 Petr Lautrbach 2022-06-08 10:38:06 UTC
I believe this is already fixed in libselinux-3.4-2.el9 by this commit - https://gitlab.com/redhat/centos-stream/rpms/libselinux/-/commit/c68e490c94b21c6733eaa43aed9eba849b794a56

Comment 3 Petr Lautrbach 2022-06-08 10:52:59 UTC
# rpm -q libselinux
libselinux-3.4-1.el9.x86_64

# chroot /mnt/ /usr/sbin/setfiles -F /etc/selinux/targeted/contexts/files/file_contexts / 
/usr/sbin/setfiles: Could not set context for /:  No such file or directory
/usr/sbin/setfiles: Could not set context for /dev:  No such file or directory
/usr/sbin/setfiles: Could not set context for /dev/null:  No such file or directory
/usr/sbin/setfiles: Could not set context for /proc:  No such file or directory
/usr/sbin/setfiles: Could not set context for /run:  No such file or directory
...

# dnf update https://kojihub.stream.centos.org/kojifiles/packages/libselinux/3.4/2.el9/x86_64/libselinux-3.4-2.el9.x86_64.rpm https://kojihub.stream.centos.org/kojifiles/packages/libselinux/3.4/2.el9/x86_64/libselinux-utils-3.4-2.el9.x86_64.rpm https://kojihub.stream.centos.org/kojifiles/packages/libselinux/3.4/2.el9/x86_64/python3-libselinux-3.4-2.el9.x86_64.rpm


# chroot /mnt/ /usr/sbin/setfiles -F /etc/selinux/targeted/contexts/files/file_contexts /

# echo $?
0

Comment 4 Ian Wienand 2022-06-09 04:47:14 UTC
Thanks, I've pulled these updated packages and confirmed they work [1].  

How long until this makes it to the release repos?

[1] https://review.opendev.org/c/openstack/diskimage-builder/+/845189

Comment 5 Petr Lautrbach 2022-06-09 07:03:08 UTC
I have no idea. This one was built on Tue, 31 May 2022. I'd expect it's already available.

Comment 6 Ian Wienand 2022-06-09 23:46:14 UTC
Hrm, it seems it is not; as of this comment http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/ shows only 3.4-1 [1].  I'm still trying to figure out if there's periodic rebuilds or what; something about side-tags, maybe?  I'm sure somebody knows, finding that somebody is the hard part :)

[1] https://imgur.com/a/aZPMHrA

Comment 7 Ian Wienand 2022-06-09 23:56:28 UTC
Just for the record, further investigation shows some discussion of this recently in #centos-stream (don't think this channel is logged).  I guess the conclusion remains that it is unclear

<chandankumar> It is available 07th June compose
<arrfab> chandankumar: composes.stream.centos.org isn't the official mirror, which is mirror.stream.centos.org
<arrfab> so you have to wait for a composes to be "promoted" and so synced to mirror.stream.centos.org to make it to the other mirrors
...
<chandankumar> Any idea when it will be available?
<arrfab> chandankumar: no idea, but I guess bstinson will be able to answer that but when he'll be online and not now :)
<chandankumar> arrfab: ok, cool, will wait for bstinson :-)
...

Comment 8 Ian Wienand 2022-06-15 03:32:40 UTC
Additional request to see what's up with this @ https://lists.centos.org/pipermail/centos-devel/2022-June/120414.html

