Bug 1221109 - [SELinux] [rpm] [kiwi] SELinux prevents RPM called by Kiwi from creating an image root/initialize the rpm database: can't create transaction lock
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Version: Current
Hardware: Other
OS: openSUSE Tumbleweed
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Johannes Segitz
QA Contact: E-mail List
Reported: 2024-03-07 10:58 UTC by Marco Huenseler
Modified: 2024-06-06 10:40 UTC
Description Marco Huenseler 2024-03-07 10:58:12 UTC
Trying to create a new system image via Kiwi fails on openSUSE Tumbleweed 20240305:

# LC_ALL=C kiwi-ng --debug system build  --description=. --target-dir=../target
[ INFO    ]: 11:51:32 | Reading runtime config file: '/etc/kiwi.yml'
[ DEBUG   ]: 11:51:32 | EXEC: [mkdir -p /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build]
[ INFO    ]: 11:51:32 | Loading XML description
[ INFO    ]: 11:51:32 | Support for multiple markup descriptions available
[ INFO    ]: 11:51:33 | --> loaded ./livecd-tumbleweed-kde.kiwi
[ INFO    ]: 11:51:33 | --> Selected build type: iso
[ INFO    ]: 11:51:33 | --> Selected profiles: EFI
[ INFO    ]: 11:51:33 | Preparing new root system
[ INFO    ]: 11:51:33 | Setup root directory: /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root
[ DEBUG   ]: 11:51:33 | EXEC: [mkdir -p /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root]
[ DEBUG   ]: 11:51:33 | Check for extended attributes on /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root said: [Errno 61] No data available: '/home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root'
[ DEBUG   ]: 11:51:33 | EXEC: [rsync -a --ignore-existing /var/tmp/kiwi_root.g8de31zw/ /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root]
[ DEBUG   ]: 11:51:33 | EXEC: [cp /etc/resolv.conf /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/resolv.conf.kiwi]
[ DEBUG   ]: 11:51:33 | EXEC: [ln -s -f resolv.conf.kiwi /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/resolv.conf]
[ DEBUG   ]: 11:51:33 | EXEC: [cp /etc/hosts /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/hosts.kiwi]
[ DEBUG   ]: 11:51:33 | EXEC: [ln -s -f hosts.kiwi /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/hosts]
[ DEBUG   ]: 11:51:33 | EXEC: [cp /etc/sysconfig/proxy /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/sysconfig/proxy.kiwi]
[ DEBUG   ]: 11:51:33 | EXEC: [ln -s -f proxy.kiwi /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/sysconfig/proxy]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root]
[ DEBUG   ]: 11:51:33 | EXEC: [mount -n --bind /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/proc]
[ DEBUG   ]: 11:51:33 | EXEC: [mount -n --bind /proc /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/proc]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/dev]
[ DEBUG   ]: 11:51:33 | EXEC: [mount -n --bind /dev /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/dev]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/sys]
[ DEBUG   ]: 11:51:33 | EXEC: [mount -n --bind /sys /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/sys]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/var/cache/kiwi]
[ DEBUG   ]: 11:51:33 | EXEC: [mount -n --bind /var/cache/kiwi /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/var/cache/kiwi]
[ DEBUG   ]: 11:51:33 | "rpmdb": in paths "/home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/usr/sbin:/home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/usr/bin:/home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/sbin:/home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/bin" exists: "False" mode match: not checked
[ DEBUG   ]: 11:51:33 | EXEC: [rpmdb --showrc]
[ DEBUG   ]: 11:51:33 | EXEC: [mkdir -p /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/usr/lib/rpm/macros.d]
[ DEBUG   ]: 11:51:33 | EXEC: [rpm --root /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root --initdb]
[ DEBUG   ]: 11:51:33 | EXEC: Failed with stderr: error: can't create transaction lock on /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/usr/lib/sysimage/rpm/.rpm.lock (Permission denied)
, stdout: (no output on stdout)
[ ERROR   ]: 11:51:33 | KiwiCommandError: rpm: stderr: error: can't create transaction lock on /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/usr/lib/sysimage/rpm/.rpm.lock (Permission denied)
, stdout: (no output on stdout)
[ INFO    ]: 11:51:33 | Cleaning up SystemPrepare instance
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/var/cache/kiwi]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/var/cache/kiwi]
[ DEBUG   ]: 11:51:33 | EXEC: [umount -l /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/var/cache/kiwi]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/sys]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/sys]
[ DEBUG   ]: 11:51:33 | EXEC: [umount -l /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/sys]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/dev]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/dev]
[ DEBUG   ]: 11:51:33 | EXEC: [umount -l /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/dev]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/proc]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/proc]
[ DEBUG   ]: 11:51:33 | EXEC: [umount -l /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/proc]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root]
[ DEBUG   ]: 11:51:33 | EXEC: [mountpoint -q /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root]
[ DEBUG   ]: 11:51:33 | EXEC: [umount -l /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root]
[ DEBUG   ]: 11:51:33 | EXEC: [rmdir --ignore-fail-on-non-empty /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/var/cache/kiwi]
[ DEBUG   ]: 11:51:33 | EXEC: [rmdir --ignore-fail-on-non-empty /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/var/cache]
[ DEBUG   ]: 11:51:33 | EXEC: [rmdir --ignore-fail-on-non-empty /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/var]
[ DEBUG   ]: 11:51:33 | EXEC: [rm -f /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/resolv.conf]
[ DEBUG   ]: 11:51:33 | EXEC: [rm -f /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/hosts]
[ DEBUG   ]: 11:51:33 | EXEC: [rm -f /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/sysconfig/proxy]
[ DEBUG   ]: 11:51:33 | EXEC: [rm -f /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/resolv.conf.kiwi /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/resolv.conf.sha /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/hosts.kiwi /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/hosts.sha /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/sysconfig/proxy.kiwi /home/USERNAME/build/openSUSE:Factory:Live/livecd-tumbleweed-kde/target/build/image-root/etc/sysconfig/proxy.sha]
Apparently SELinux denies access:

# tail -n 10 /var/log/audit/audit.log
type=USER_MAC_STATUS msg=audit(1709808655.213:233): pid=1806 uid=498 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-daemon" sauid=498 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1709808662.716:234): pid=1827 uid=471 auid=4294967295 ses=4294967295 subj=system_u:system_r:nscd_t:s0 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/sbin/nscd" sauid=471 hostname=? addr=? terminal=?'
[...]
type=AVC msg=audit(1709808693.277:239): avc:  denied  { dac_read_search } for  pid=19629 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1709808693.277:240): avc:  denied  { dac_override } for  pid=19629 comm="rpmdb" capability=1  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1709808693.277:241): avc:  denied  { dac_read_search } for  pid=19629 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1709808693.277:242): avc:  denied  { dac_override } for  pid=19629 comm="rpmdb" capability=1  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0

Temporarily setting SELinux to permissive fixes this and allows kiwi/rpm to initialize the database and successfully build the image.
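To make an excerpt like the one above quicker to triage, here is an added helper (not part of the bug report, of kiwi or of the SELinux policy) that parses `type=AVC` records and tallies the enforced (`permissive=0`) denials per source domain, class and permission; the log text inside the block is a constructed sample in the shape of the lines quoted above. The tally makes the shape of this problem visible: both denials are `capability` checks against the `rpmdb_t` process domain itself (scontext and tcontext are identical), not against a file label, which is why a relabel of the target directory alone cannot resolve it.

```python
import re
from collections import Counter

# Constructed sample in the shape of the audit.log records quoted in the report
# (one non-AVC record, then three AVC denials); not a capture from a real system.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1709808662.716:234): pid=1827 uid=471 auid=4294967295 ses=4294967295 subj=system_u:system_r:nscd_t:s0 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/sbin/nscd" sauid=471 hostname=? addr=? terminal=?'
type=AVC msg=audit(1709808693.277:239): avc:  denied  { dac_read_search } for  pid=19629 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1709808693.277:240): avc:  denied  { dac_override } for  pid=19629 comm="rpmdb" capability=1  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1709808693.277:241): avc:  denied  { dac_read_search } for  pid=19629 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

# Header of a kernel AVC denial record: timestamp, serial, the permission set in
# braces, and the remaining key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm="rpmdb") or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Return one dict per denied permission; records that are not AVC denials are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        for perm in m.group('perms').split():
            denials.append({
                'serial': int(m.group('serial')),
                'perm': perm,
                'comm': fields.get('comm'),
                # user:role:type:range -> the type (domain) is the third component
                'source_type': fields['scontext'].split(':')[2],
                'target_type': fields['tcontext'].split(':')[2],
                'tclass': fields.get('tclass'),
                'enforced': fields.get('permissive') == '0',
            })
    return denials


def summarize(denials):
    """Count (source domain, object class, permission) triples that were actually enforced."""
    return Counter(
        (d['source_type'], d['tclass'], d['perm']) for d in denials if d['enforced']
    )


if __name__ == '__main__':
    for key, count in summarize(parse_avc_denials(SAMPLE_AUDIT_LOG)).items():
        print(count, *key)
```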
Comment 1 Johannes Segitz 2024-03-11 09:47:20 UTC
This will likely need changes in the policy and in kiwi. I'll have a look.
Comment 2 Johannes Segitz 2024-03-11 09:59:25 UTC
see https://github.com/OSInside/kiwi/issues/1891

The error messages you'll see also depend on where you build the image.
Comment 3 Marco Huenseler 2024-03-13 13:59:26 UTC
Thanks for the reply! Somehow I overlooked the bug report and even the documentation page (which seem to exactly match this problem).

However, it's probably good that it's also documented as a bug. I think this is a valid problem and an action that should work in principle.

From my (granted, very superficial) understanding of SELinux, it should however be possible to fix this if kiwi set (and was allowed to set) an appropriate label on the target directory and changed the context of its rpm/zypper calls to a to-be-created one. Is that right?

Anyway, since there's an easy workaround and this seems to be quite a bit of work, I see that this is obviously not a top priority.

Thanks again!
Comment 4 Johannes Segitz 2024-03-15 08:46:28 UTC
Welcome :)

I want to create a custom, unconfined type for kiwi to prevent transitions into specific other types (as with rpm). The special nature of kiwi requires it to be able to create arbitrary filesystems, so unconfined makes sense here.
Comment 5 Johannes Segitz 2024-03-15 15:01:22 UTC
Can you please give the policy in https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux/selinux-policy a try? I added a small kiwi module. You might have to relabel your system before it works.
Comment 6 Johannes Segitz 2024-03-20 16:17:07 UTC
I tested this and for me this works fine. I'll add this into our git, but if you could give it a test run, this would be nice. Thanks
Comment 7 Marco Huenseler 2024-04-15 16:13:17 UTC
Thanks for your efforts!

I installed selinux-policy and selinux-policy-targeted and successfully built an image (without any further workarounds).
Comment 8 Johannes Segitz 2024-04-16 05:55:04 UTC
Thank you for testing this. This is in our next policy, so closing the bug.