Problem with RPM command on F41 #2415

Open
Tiagoquix opened this issue Oct 31, 2024 · 7 comments

Comments

@Tiagoquix

Versions installed:

rpm-plugin-selinux.x86_64                         4.20.0-1.fc41                      <unknown>
selinux-policy.noarch                             41.24-1.fc41                       <unknown>
selinux-policy-targeted.noarch                    41.24-1.fc41                       <unknown>

When running sudo rpm --rebuilddb (from https://docs.fedoraproject.org/en-US/quick-docs/upgrading-fedora-offline/#sect-rebuilding-rpm-database), the following errors occur:


SELinux is preventing rpmdb from using the dac_read_search capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that rpmdb should have the dac_read_search capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpmdb' --raw | audit2allow -M my-rpmdb
# semodule -X 300 -i my-rpmdb.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        rpmdb
Source Path                   rpmdb
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.24-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.24-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.11.5-300.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Oct 22 20:11:15 UTC 2024
                              x86_64
Alert Count                   2
First Seen                    2024-10-30 23:19:37 -03
Last Seen                     2024-10-30 23:21:14 -03
Local ID                      62109920-2445-41e7-88a8-8a6a307bda64

Raw Audit Messages
type=AVC msg=audit(1730341274.858:1384): avc:  denied  { dac_read_search } for  pid=50232 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: rpmdb,rpmdb_t,rpmdb_t,capability,dac_read_search

SELinux is preventing rpmdb from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that rpmdb should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpmdb' --raw | audit2allow -M my-rpmdb
# semodule -X 300 -i my-rpmdb.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        rpmdb
Source Path                   rpmdb
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.24-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.24-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.11.5-300.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Oct 22 20:11:15 UTC 2024
                              x86_64
Alert Count                   2
First Seen                    2024-10-30 23:19:37 -03
Last Seen                     2024-10-30 23:21:14 -03
Local ID                      453b82f5-7822-4d18-886a-c6f033efbe70

Raw Audit Messages
type=AVC msg=audit(1730341274.858:1385): avc:  denied  { dac_override } for  pid=50232 comm="rpmdb" capability=1  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: rpmdb,rpmdb_t,rpmdb_t,capability,dac_override
@Tiagoquix Tiagoquix changed the title Problem with RPM command Problem with RPM command on F41 Oct 31, 2024
@zpytela
Contributor

zpytela commented Nov 8, 2024

@Tiagoquix dac_* capabilities indicate a problem with DAC permissions. Can you enable full auditing and provide more details?

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

@Tiagoquix
Author

@zpytela Yes. There you go:

Output of sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today: https://0.jaegers.net/?9401f113b1f09cfe#Rz61TA88KWscUAsdvNwH8wyN6fmKoq83urgZRFLsn1S

Output of new first SELinux alert: https://0.jaegers.net/?859104c49f7bfd7f#4ccY5LrqiW1DQuS6bNmEtsDc46FFNWgtUr4AqZu4ACqJ

Output of new second SELinux alert: https://0.jaegers.net/?d855e1b8887243f6#GACCEq7PxpEDr7gKzf5s1B2YFN98XBXR1u41WpjFPGgb

@zpytela
Contributor

zpytela commented Nov 9, 2024

Some directory in the file path is inaccessible, check with this command:
ls -ld / /root /root/.config /root/.config/rpm
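As an added example (not code from the issue or from the selinux-policy project), a small Python triage helper for the situation above: it parses the two raw AVC records from the report, flags dac_* capability denials as a DAC-permission problem rather than a policy gap, and models the kernel's directory search check to show which ancestor in the ls -ld list would make rpmdb ask for dac_read_search and then dac_override. The stat table, uids and gids in the test are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the two raw AVC records shown in this issue.
SAMPLE_AVC = """\
type=AVC msg=audit(1730341274.858:1384): avc:  denied  { dac_read_search } for  pid=50232 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1730341274.858:1385): avc:  denied  { dac_override } for  pid=50232 comm="rpmdb" capability=1  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

AVC_RE = re.compile(r'type=AVC msg=audit\(([\d.]+):(\d+)\): avc:\s+(denied|granted)\s+'
                    r'\{ ([^}]*)\} for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DAC_CAPS = {"dac_override", "dac_read_search"}

def parse_avc(text):
    """Turn raw AVC lines into dicts; lines that are not AVC records are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": float(m[1]), "serial": int(m[2]), "result": m[3], "perms": m[4].split()}
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m[5]))
        rec["stype"] = rec["scontext"].split(":")[2]          # e.g. rpmdb_t
        # A denied dac_* capability means DAC already refused the access and the
        # kernel asked SELinux for an override: look at file permissions, not policy.
        rec["dac_problem"] = rec["tclass"] == "capability" and bool(DAC_CAPS & set(rec["perms"]))
        out.append(rec)
    return out

def dac_search_check(mode, owner, group, uid, gids):
    """Directory branch of the kernel's generic_permission(): [] when the mode bits
    grant search (x) to this uid/gids, otherwise the capabilities consulted in order
    (dac_read_search, then dac_override), the same pair as serials 1384 and 1385."""
    bits = (mode >> 6) if uid == owner else (mode >> 3) if group in gids else mode
    return [] if bits & 1 else ["dac_read_search", "dac_override"]

def first_blocked_component(path, stat_table, uid, gids):
    """Walk every ancestor of path (the directories 'ls -ld / /root ...' lists) and
    return (component, caps) for the first one this uid cannot search, else None.
    stat_table maps path -> (mode, owner_uid, group_gid); missing entries are skipped."""
    p = PurePosixPath(path)
    for comp in [str(a) for a in reversed(p.parents)] + [str(p)]:
        if comp in stat_table:
            caps = dac_search_check(*stat_table[comp], uid, gids)
            if caps:
                return comp, caps
    return None
```

Feeding it a stat table built from the real ls -ld output of each path component reproduces the hunt zpytela describes: the first component without search permission for the calling uid is the one to fix.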

@Tiagoquix
Author

@zpytela
Contributor

zpytela commented Nov 9, 2024

Well, I followed uid=root, but it may well be this user's home directory given cwd=/home/tiagoquix

@Tiagoquix
Author

Tiagoquix commented Nov 9, 2024

Same results for home folder (only ~/.config/rpm doesn't exist). The rpm command is run as sudo, that's why it's root.

Please let me know if I can help you any further.

@zpytela
Contributor

zpytela commented Nov 25, 2024

The problem can be in any directory in the path, usually /home. Needs to be clarified with rpm folks, may be an issue with the new rpm version. I've filed rpm-software-management/rpm#3468
