Hi,
I recently noticed some problems when building packages for rawhide with mock. The mock logs have a lot of these:
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
error: %postun(glibc-2.6-4.i686) scriptlet failed, exit status 1
The audit messages look like this:
avc: denied { read } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="lib" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
avc: denied { write } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="etc" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
I'm guessing this has to do with the contexts on etc:
$ ll -dZ /etc/ /var/lib/mock/fedora-development-i386/root/etc/
drwxr-xr-x root root system_u:object_r:etc_t /etc/
drwxrwsr-x build mock user_u:object_r:var_lib_t /var/lib/mock/fedora-development-i386/root/etc/
Is this something that needs to be fixed in mock or in the selinux policy?
Thanks,
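Added example, not part of the original thread: a small Python parser that groups AVC denials like the two quoted above by source type, target type and object class, so the labelling problem stands out (ldconfig_t being denied on directories typed var_lib_t). The function names are hypothetical; the sample input is the two audit lines from the post.

```python
import re
from collections import defaultdict

# The two denials quoted in the post, verbatim.
SAMPLE_AVC = """\
avc: denied { read } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="lib" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
avc: denied { write } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="etc" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group(1).split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "name": fields.get("name"),
    }


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["source"], d["target"], d["tclass"])
            groups[key]["perms"].update(d["perms"])
            groups[key]["names"].add(d["name"])
    return dict(groups)
```

On the sample, both denials fall into a single group, which matches the `ll -dZ` output showing the chroot's etc directory typed var_lib_t rather than etc_t.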
Todd Zullinger wrote:
> Hi,
> I recently noticed some problems when building packages for rawhide with mock. The mock logs have a lot of these:
> /sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
> error: %postun(glibc-2.6-4.i686) scriptlet failed, exit status 1
> The audit messages look like this:
> avc: denied { read } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="lib" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
> avc: denied { write } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="etc" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
> I'm guessing this has to do with the contexts on etc:
> $ ll -dZ /etc/ /var/lib/mock/fedora-development-i386/root/etc/
> drwxr-xr-x root root system_u:object_r:etc_t /etc/
> drwxrwsr-x build mock user_u:object_r:var_lib_t /var/lib/mock/fedora-development-i386/root/etc/
> Is this something that needs to be fixed in mock or in the selinux policy?
Is your buildsys also running on rawhide?
Are you not using the mock policy module from http://fedoraproject.org/wiki/PackageMaintainers/MockTricks ?
Paul.
Paul Howarth wrote:
> Is your buildsys also running on rawhide?
No, sorry for not including the details. I'm running F7 and building packages in mock for rawhide. I haven't tested whether building packages for F7 or another version causes this as well, since noticing it. It just started happening recently, AFAICT. I'll have to test a few more packages and see if they all cause it. (It may require the mock chroot to be updated, though the way rawhide churns that should happen on a daily basis. :)
> Are you not using the mock policy module from http://fedoraproject.org/wiki/PackageMaintainers/MockTricks ?
No, I'm not. I hadn't noticed a need to use the mock module previously. Thanks for pointing it out though. Is it likely to be necessary in most cases?
I've built packages for rawhide in mock on F7 previously without needing the module or getting these errors. The apparent change in behavior seemed like a possible indication of some other problem.
Thanks,
On Mon, 6 Aug 2007 14:10:46 -0400 Todd Zullinger tmz@pobox.com wrote:
> Paul Howarth wrote:
>> Is your buildsys also running on rawhide?
> No, sorry for not including the details. I'm running F7 and building packages in mock for rawhide. I haven't tested whether building packages for F7 or another version causes this as well, since noticing it. It just started happening recently, AFAICT. I'll have to test a few more packages and see if they all cause it. (It may require the mock chroot to be updated, though the way rawhide churns that should happen on a daily basis. :)
>> Are you not using the mock policy module from http://fedoraproject.org/wiki/PackageMaintainers/MockTricks ?
> No, I'm not. I hadn't noticed a need to use the mock module previously. Thanks for pointing it out though. Is it likely to be necessary in most cases?
> I've built packages for rawhide in mock on F7 previously without needing the module or getting these errors. The apparent change in behavior seemed like a possible indication of some other problem.
I wrote the module back in FC5 times when SELinux prevented builds of mono-based packages in mock with the default setup, and it's "just worked" ever since. I'm building packages for rawhide in mock on an F7 host and I'm not seeing these issues, so I think it's worth a try. SELinux and chroots don't mix terribly well really, at least for large chroots like mock uses.
Paul.
selinux@lists.fedoraproject.org