-
Notifications
You must be signed in to change notification settings - Fork 377
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sysusers.sh fails with enforcing SELinux #3227
Comments
This looks very much like a duplicate of #3186. Or is there anything that makes this distinct? |
OK, this is weird. The test case in #3186 succeeds in chrooting and then fails due to the empty chroot. Here we fail a step earlier. I wonder if dnf is not running the in same SELinunx context than RPM. |
Oh... the #3186 reproducer is with --noplugins, which means selinux context doesn't get set for files or scriptlet execution. Not sure what was my intention there, maybe it was even intentional to differentiate from SELinux issues, allegedly, but it's clearly more complicated than that. |
So, I don't really know if there are one, two or even more individual bugs in here. Lotsa moving parts for sure. I'm almost positive that selinux-policy will need tweaks to accommodate for the chroot usage we now do from the outside, but whether there are other things we need to do on our side I dunno. Maybe we should simply have a "just make it work" ticket 😄 (testing with mock and all that) |
Yup. The case above sets the chroot dir to
while without the selinux plugin it is
|
Yup, and without the plugin, scriptlets will run in a different context which will probably affect some domain transitions (or stuff) in the policy. |
Looks like useradd has sys_chroot capability and and groupadd just hasn't. Weird... |
Oh, nice digging. I had this nagging feeling that there's something odd about these errors, but that's it: user additions succeed, its just groups that fail. And, that explains a lot. |
So yep, this will need to be addressed in selinux-policy. The missing chroot capability in groupadd policy is seems like a simple oversight, it's not as if the chroot operation is the most common thing... |
Just like useradd, groupadd supports chroot operation, but for that to work it needs the sys_chroot capability, just like the useradd policy has (see commit 0651cc9). This is one of the roadblocks in making RPM sysusers feature fully functional: rpm-software-management/rpm#3227
Submitted a PR: fedora-selinux/selinux-policy#2316 |
Just like useradd, groupadd supports chroot operation, but for that to work it needs the sys_chroot capability, just like the useradd policy has (see commit 0651cc9). This is one of the roadblocks in making RPM sysusers feature fully functional: rpm-software-management/rpm#3227
Okay that got merged pretty swiftly, closing this. |
Tested on Fedora 39 with rpm from git master:
This is specific to the sysusers.sh script as using native systemd-sysusers does work even if SELinux is enabled.
I think this has to do with useradd/groupadd having their own confined policies under SELinux whereas systemd-sysusers is not, and so it'll need fixing in the selinux-policy rather than the script, just filing this here for information and as a reminder to file it on Fedora side.
The text was updated successfully, but these errors were encountered: