This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .
Bug 2208282 - RPM's %post script doesn't handle invocation with --root flag properly [NEEDINFO]
Summary: RPM's %post script doesn't handle invocation with --root flag properly
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: Unspecified
OS: Linux
medium
urgent
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-05-18 13:29 UTC by Thomas Jones
Modified: 2023-08-16 17:30 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-16 17:30:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:
vmojzis: needinfo? (redhat)

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   RHEL-1389 0 None None None 2023-08-16 17:30:27 UTC
Red Hat Issue Tracker RHELPLAN-157636 0 None None None 2023-05-18 13:30:28 UTC

Description Thomas Jones 2023-05-18 13:29:44 UTC 
Description of problem:

We leverage a VM-creation process that builds VMs into a chrooted environment. As part of this process, we invoke package-installation by passing the --root flag to dnf. The selinux-policy RPM's %post script seems to not properly handle this usage-scenario. As a result, it both tests for an existing /etc/selinux/config file and, if it tries to create a new one, it does so in the environment's real root rather than the chroot location


Version-Release number of selected component (if applicable):

Presumably all 8.x versions up through at least selinux-policy-3.14.3-117.el8.noarch

How reproducible:

Steps to Reproduce:
1. Execute an installation by passing a chroot-location to dnf with the `--root` flag 
2. Execute a find within the chroot-location to look for the ${CHROOT}/etc/selinux/config file (or simply any file under the CHROOT that might contain ^SELINUX=
3. Get a null result from the find

Actual results:

Get a null result from the find

Expected results:

${CHROOT}/etc/selinux/config SHOULD exist

Additional info:

In looking at the RPM's %post script:

~~~
postinstall scriptlet (using /bin/sh):
if [ ! -s /etc/selinux/config ]; then
#
#     New install so we will default to targeted policy
#
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

" > /etc/selinux/config

     ln -sf ../selinux/config /etc/sysconfig/selinux
     restorecon /etc/selinux/config 2> /dev/null || :
else
     . /etc/selinux/config
fi
exit 0
~~~

It looks like there's no logic in the script to "understand" that the locations should be adjusted if the --root flag has been passed to dnf.
Comment 1 Thomas Jones 2023-05-18 13:50:52 UTC 
Side note: I *did* look at the man page for RPM and it *claims*

   --root DIRECTORY
           Use the file system tree rooted at DIRECTORY for all operations.  Note that this means the database
           within DIRECTORY will be used for dependency checks and any scriptlet(s) (e.g. %post if installing,
           or %prep if building, a package) will be run after a chroot(2) to DIRECTORY.

However, the behavior I'm seeing seems to indicate that that chroot-before-post isn't actually happening (as noted, the relevant files don't exist in the chroot after the RPM completes its installation)
Note You need to log in before you can comment on or make changes to this bug.