Bug 2413314 - rpmbuild hardlinks are breaking selinux context
Summary: rpmbuild hardlinks are breaking selinux context
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: William Cohen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2388198
TreeView+ depends on / blocked
 
Reported: 2025-11-07 09:13 UTC by Jan Kurik
Modified: 2026-01-27 07:13 UTC (History)
13 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-01-27 07:13:46 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jan Kurik 2025-11-07 09:13:35 UTC
In PCP we are using multiple copies of the same file to deal with a need to use the same file within different selinux contexts. Implementation of rpmbuild hardlinks breaks this as all the files are now hard-linked and thus use the same selinux context. This is causing AVCs and breaks some functionality due to lack of permissions to access those affected files.

IMO this is a consequence of https://fedoraproject.org/wiki/Changes/Hardlink_identical_files_in_packages_by_default (bz2388198)

Reproducible: Always

Steps to Reproduce:
1. Install pcp:
dnf install -y pcp
2. Check selinux context for /usr/bin/pm*ctl
ls -ilZ /usr/bin/pm*ctl
Actual Results:
Selinux context is the same for both files:
165678 -rwxr-xr-x. 2 root root system_u:object_r:pcp_pmlogger_exec_t:s0 53604 Oct 14 20:00 /usr/bin/pmiectl 
165678 -rwxr-xr-x. 2 root root system_u:object_r:pcp_pmlogger_exec_t:s0 53604 Oct 14 20:00 /usr/bin/pmlogctl

Expected Results:
Selinux context should be different for each file:
145091 -rwxr-xr-x. 1 root root system_u:object_r:pcp_pmie_exec_t:s0    53604 Oct 14 20:00 /usr/bin/pmiectl 
165529 -rwxr-xr-x. 1 root root system_u:object_r:pcp_pmlogger_exec_t:s0 53604 Oct 14 20:00 /usr/bin/pmlogctl

Comment 1 Zbigniew Jędrzejewski-Szmek 2025-11-07 10:03:10 UTC
$ target/debug/linkdupes --print-selinux-contexts /usr/bin/pmiectl /usr/bin/pmlogctl
/usr/bin/pmiectl → system_u:object_r:pcp_pmie_exec_t:s0
/usr/bin/pmlogctl → system_u:object_r:pcp_pmlogger_exec_t:s0

So those should not be hardlinked by linkdupes.
But I see that pcp has it's own selinux policy. So maybe in the buildroot
this policy is not installed and then this fails?

Yeah, in mock:
# linkdupes --print-selinux-contexts /usr/bin/pmiectl /usr/bin/pmlogctl
/usr/bin/pmiectl → system_u:object_r:bin_t:s0
/usr/bin/pmlogctl → system_u:object_r:bin_t:s0

If I then install pcp-selinux into this mock chroot, I get:
# linkdupes --print-selinux-contexts /usr/bin/pmiectl /usr/bin/pmlogctl
/usr/bin/pmiectl → system_u:object_r:pcp_pmie_exec_t:s0
/usr/bin/pmlogctl → system_u:object_r:pcp_pmlogger_exec_t:s0

So I think there are two choices for pcp:
1. add 'BuildRequires: pcp-selinux'
2. opt out of the hardlinking by adding '%undefine __os_install_post_hardlink'

Comment 2 Jan Kurik 2025-11-07 11:43:44 UTC
Thanks Zbigniew,

I passed the information to the upstream, for further discussion.
https://github.com/performancecopilot/pcp/pull/2404#issuecomment-3501739477

Comment 3 Zbigniew Jędrzejewski-Szmek 2026-01-26 21:14:28 UTC
Upstream issue was resolved Nov 9 2025. Can this be closed here?

Comment 4 Jan Kurik 2026-01-27 07:13:46 UTC
I am sorry Zbyszek for not updating this BZ.
Yes, the issue has been fixed in the PCP upstream () and can be closed.


Note You need to log in before you can comment on or make changes to this bug.