Building template in selinux-enabled DispVM fails #9219

Closed
marmarek opened this issue May 12, 2024 · 6 comments · Fixed by QubesOS/qubes-builder-rpm#135 · May be fixed by QubesOS/qubes-builder-rpm#133
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: builder Qubes Builder diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@marmarek
Member

Qubes OS release

R4.2

Brief summary

Building Fedora 40 template fails in DispVM that has SELinux enabled

Steps to reproduce

  1. Use qubes-builderv2
  2. Set executor to "qubes", and point at disposable template that has SELinux enabled
  3. ./qb -t fedora-40 template all

Expected behavior

Building template works

Actual behavior

02:56:25,992 [executor:qubes:disp3769] output: + rpm '--define=_pkgverify_level all' '--define=_pkgverify_flags 0x0' --initdb --root=/builder/mnt
02:56:26,004 [executor:qubes:disp3769] output: error: can't create transaction lock on /builder/mnt/usr/lib/sysimage/rpm/.rpm.lock (Permission denied)

Switching to permissive mode helps. Then I see this logged:

[2024-05-12 03:06:32] [   99.240452] audit: type=1400 audit(1715475992.850:248): avc:  denied  { open } for  pid=2705 comm="rpmdb" path="/builder/mnt/usr/lib/sysimage/rpm/.rpm.lock" dev="loop0p3" ino=261637 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1
[2024-05-12 03:06:32] [   99.240500] audit: type=1300 audit(1715475992.850:248): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=6131554ec510 a2=42 a3=1a4 items=0 ppid=1763 pid=2705 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="rpmdb" exe="/usr/bin/rpmdb" subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null)
[2024-05-12 03:06:32] [   99.240552] audit: type=1327 audit(1715475992.850:248): proctitle=72706D6462002D2D726F6F743D2F6275696C6465722F6D6E74002D2D6578706F72746462
[2024-05-12 03:06:32] [   99.240573] audit: type=1400 audit(1715475992.850:249): avc:  denied  { lock } for  pid=2705 comm="rpmdb" path="/builder/mnt/usr/lib/sysimage/rpm/.rpm.lock" dev="loop0p3" ino=261637 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1
@marmarek marmarek added T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. C: builder Qubes Builder P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels May 12, 2024
@andrewdavidwong andrewdavidwong added needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. affects-4.2 This issue affects Qubes OS 4.2. labels May 12, 2024
@DemiMarie

I think the problem is that the cache isn’t properly labeled. PR coming.

DemiMarie added a commit to DemiMarie/qubes-builder-rpm that referenced this issue May 13, 2024
This uses the contexts from the host, which won't be the same as those
of the distribution, but are guaranteed to be available and will
hopefully be similar.  Proper contexts will be set at the end of the
build.

Fixes: QubesOS/qubes-issues#9219
@marmarek
Member Author

I think the problem is that the cache isn’t properly labeled. PR coming.

I doubt it, the cached chroot was not involved. The failing rpm --initdb call happens on a freshly mounted empty filesystem. In fact, it can be easily reproduced without builder too:

$ getenforce 
Enforcing
$ truncate -s 100M test.img
$ mkfs.ext4 test.img
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 102400 1k blocks and 25584 inodes
Filesystem UUID: a743b338-9004-45fb-8d4d-7fc52e761ae7
Superblock backups stored on blocks:
    8193, 24577, 40961, 57345, 73729

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

$ sudo mkdir /mnt/builder
$ sudo mount test.img /mnt/builder
$ sudo rpm --initdb --root=/mnt/builder 
error: can't create transaction lock on /mnt/builder/usr/lib/sysimage/rpm/.rpm.lock (Permission denied)

@DemiMarie

This is definitely not a Qubes OS issue, then. I suspect it is either a bug in the script or an upstream issue. I recommend reporting this as a bug and asking for help from the Fedora developers.

@marmarek
Member Author

I suspect it is a qubes-builder issue. Ideally, a template filesystem created this way should be appropriately labeled according to the loaded policy, instead of having unlabeled files that rpmdb then can't access.

@DemiMarie

True, but this is still something that the Fedora developers would be better able to help with, since the issue doesn’t require Qubes OS to reproduce.

@marmarek
Member Author

This actually gave me an idea:

mkdir -p /mnt/builder/usr/lib/sysimage/rpm
setfiles -r /mnt/builder /etc/selinux/targeted/contexts/files/file_contexts /mnt/builder
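Added example, not code from this issue or from qubes-builder: a small POSIX shell triage that runs over the AVC lines quoted in the report and confirms that the denied target carries the unlabeled_t type (the signature of a freshly created, never-labeled filesystem), lists the paths that need relabeling, and wraps the setfiles relabel from the comment above. The function names are mine, and the third sample line (an httpd denial against a labeled file) is constructed to show the filter ignores ordinary denials.

```shell
#!/bin/sh
# Added example (not from the issue or qubes-builder). An AVC denial whose
# tcontext type is unlabeled_t means the target inode has no SELinux label
# at all, so the right fix is to relabel the filesystem, not to loosen policy.

# Constructed sample: two AVC lines copied from the report plus one unrelated
# denial against a normally labeled file (user_home_t).
SAMPLE_AVC='avc:  denied  { open } for  pid=2705 comm="rpmdb" path="/builder/mnt/usr/lib/sysimage/rpm/.rpm.lock" dev="loop0p3" ino=261637 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1
avc:  denied  { lock } for  pid=2705 comm="rpmdb" path="/builder/mnt/usr/lib/sysimage/rpm/.rpm.lock" dev="loop0p3" ino=261637 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1
avc:  denied  { read } for  pid=42 comm="httpd" path="/srv/www/index.html" dev="vda1" ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Read audit text on stdin; print "<comm> <path> <target type>" for every
# AVC denial whose target type equals $1 (default: unlabeled_t).
unlabeled_denials() {
    type_filter="${1:-unlabeled_t}"
    grep 'avc: *denied' | while IFS= read -r line; do
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        path=$(printf '%s\n' "$line" | sed -n 's/.*path="\([^"]*\)".*/\1/p')
        # tcontext is user:role:type:level; keep only the type field.
        ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        if [ "$ttype" = "$type_filter" ]; then
            printf '%s %s %s\n' "$comm" "$path" "$ttype"
        fi
    done
}

# Distinct unlabeled paths from the log, one per line (paths without spaces).
paths_to_relabel() {
    unlabeled_denials "$@" | cut -d' ' -f2 | sort -u
}

# Relabel a freshly mounted template root as the last comment suggests:
# create the rpm db directory so setfiles has something to label, then apply
# the loaded targeted policy's file_contexts relative to the mount point.
# Needs root and policycoreutils; the test below does not call it.
relabel_mount() {
    root="$1"
    mkdir -p "$root/usr/lib/sysimage/rpm"
    setfiles -r "$root" /etc/selinux/targeted/contexts/files/file_contexts "$root"
}
```

Feed `dmesg` or `ausearch -m avc` output to `unlabeled_denials` on the build VM; an empty result after `relabel_mount /mnt/builder` is the check that the relabel took.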

@andrewdavidwong andrewdavidwong added the pr submitted A pull request has been submitted for this issue. label May 13, 2024
@andrewdavidwong andrewdavidwong added diagnosed Technical diagnosis has been performed (see issue comments). and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels May 28, 2024