• change of exit code during transition from mockchain to mock --chain
  • support run in Fedora Toolbox (otaylor@fishsoup.net)
  • add cheat sheet
  • Adding tool for parsing build.log (sisi.chlupova@gmail.com)
  • load secondary groups [#1264005]
  • pass --allowerasing by default to DNF [GH#251]
  • make include() functional for --chain [GH#263]
  • Removing buildstderr from log - configurable via _mock_stderr_line_prefix (sisi.chlupova@gmail.com)
  • Fixup: Use rpm -qa --root instead of running rpm -qa in chroot (miro@hroncok.cz)
  • DynamicBuildrequires: Detect when no new packages were installed (miro@hroncok.cz)
  • Allow more loop devices (sisi.chlupova@gmail.com)
  • Fix binary locations in /bin for split-usr setups (bero@lindev.ch)
  • describe behaviour of resultdir together with --chain [GH#267]
  • repeat dynamic requires if needed [GH#276]
  • Fix compatibility with pre-4.15 RPM versions with DynamicBuildRequires (i.gnatenko.brain@gmail.com)
  • Enable dynamic BuildRequires by default (i.gnatenko.brain@gmail.com)
  • bootstrap: independent network configuration (praiskup@redhat.com)
  • Update the man page about ~/.config/mock/FOO.cfg (miro@hroncok.cz)
  • explicitly convert releasever to string [GH#270]
  • grant anyone access to bind-mounted /etc/resolv.conf (praiskup@redhat.com)
  • -r FOO will try to read first ~/.mock/FOO.cfg if exists
  • enhance man page of mock about --chain
  • bash completion for --chain
  • respect use_host_resolv config even with use_nspawn (praiskup@redhat.com)
  • Fix crash on non-ascii dnf log messages (bkorren@redhat.com)
  • add deprecation warning to mockchain
  • replace mockchain with mock --chain command (necas.marty@gmail.com)
  • switch to python3 on el7 (msuchy@redhat.com)

  • disable updates-modular repos for now

  • buildrequire systemd-srpm-macros to get _sysusersdir
  • removed info about metadata expire (khoidinhtrinh@gmail.com)
  • added updates-modular to 29 and 30 (khoidinhtrinh@gmail.com)
  • replace groupadd using sysusers.d
  • core-configs: epel-7 profiles to use mirrorlists (praiskup@redhat.com)
  • EOL Fedora 28
  • do not protect packages in chroot [GH#286]
  • Fix value for dist for OpenMandriva 4.0 configs (ngompa13@gmail.com)
  • Add initial OpenMandriva distribution targets (ngompa13@gmail.com)

This update has been submitted for testing by msuchy.

7 months ago

This update's test gating status has been changed to 'waiting'.

7 months ago

This update's test gating status has been changed to 'ignored'.

7 months ago

This update has been pushed to testing.

7 months ago
churchyard commented & provided feedback 7 months ago
karma
$ mock -r fedora-rawhide-x86_64 --enablerepo=local init
...

(AVC denial notification when installing packages)

$ sealert -l '*'
...
SELinux is preventing dnf from entrypoint access on the file /usr/bin/bash.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/usr/bin/bash default label should be shell_exec_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/bin/bash

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that dnf should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dnf' --raw | audit2allow -M my-dnf
# semodule -X 300 -i my-dnf.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        dnf
Source Path                   dnf
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           bash-5.0.7-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2019-08-10 15:51:55 CEST
Last Seen                     2019-08-10 15:52:09 CEST
Local ID                      7e4896a3-a0f7-41a8-b8a5-ac7622bf68c5

Raw Audit Messages
type=AVC msg=audit(1565445129.101:549): avc:  denied  { entrypoint } for  pid=30796 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1728912 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0


Hash: dnf,rpm_script_t,mock_var_lib_t,file,entrypoint

SELinux is preventing groupadd from read access on the lnk_file run.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that groupadd should be allowed read access on the run lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'groupadd' --raw | audit2allow -M my-groupadd
# semodule -X 300 -i my-groupadd.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                run [ lnk_file ]
Source                        groupadd
Source Path                   groupadd
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           filesystem-3.10-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   12
First Seen                    2019-08-10 15:46:58 CEST
Last Seen                     2019-08-10 15:57:42 CEST
Local ID                      c73a2255-ca38-4478-90f1-89e6386c8b9d

Raw Audit Messages
type=AVC msg=audit(1565445462.986:646): avc:  denied  { read } for  pid=2278 comm="groupadd" name="run" dev="dm-1" ino=1710665 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=lnk_file permissive=0


Hash: groupadd,groupadd_t,mock_var_lib_t,lnk_file,read

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

7 months ago
churchyard commented & provided feedback 7 months ago

It seems that mock otherwise works. Not sure if the denials are important or not.

lbalhar commented & provided feedback 7 months ago
karma

Works for me very well.

churchyard commented & provided feedback 7 months ago
karma

OK, so mock -r fedora-rawhide-x86_64 init && mock -r fedora-rawhide-x86_64 remove '*rpm-macros' fails with:

  Running scriptlet: binutils-2.32-23.fc31.x86_64                                                                                                                                                                          22/53 
error: failed to exec scriptlet interpreter /bin/sh: Permission denied
error: %preun(binutils-2.32-23.fc31.x86_64) scriptlet failed, exit status 127

Error in PREUN scriptlet in rpm package binutils
  Erasing          : libssh-config-0.9.0-6.fc31.noarch                                                                                                                                                                     23/53 
error: binutils-2.32-23.fc31.x86_64: erase failed
*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that dnf should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dnf' --raw | audit2allow -M my-dnf
# semodule -X 300 -i my-dnf.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        dnf
Source Path                   dnf
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           bash-5.0.7-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   17
First Seen                    2019-08-10 15:51:55 CEST
Last Seen                     2019-08-11 11:15:31 CEST
Local ID                      7e4896a3-a0f7-41a8-b8a5-ac7622bf68c5

Raw Audit Messages
type=AVC msg=audit(1565514931.596:907): avc:  denied  { entrypoint } for  pid=2114 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1727060 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0


Hash: dnf,rpm_script_t,mock_var_lib_t,file,entrypoint

With selinux enabled and this mock version. Works fine with previous mock version (from stable).

This update's test gating status has been changed to 'greenwave_failed'.

7 months ago

This update's test gating status has been changed to 'ignored'.

7 months ago

praiskup edited this update.

7 months ago
praiskup commented & provided feedback 7 months ago

I disabled the autopush on time, fyi. It seems like we could break copr/koji builders by this.

decathorpe commented & provided feedback 7 months ago
karma

It looks like all (?) RPM scriptlets fail to run because SELinux blocks access to /usr/bin/bash.

Running clean --scrub all makes it work once, but subsequent runs without running clean --scrub all in between fail.

eclipseo commented & provided feedback 7 months ago
karma

My chroots have all CCache enabled and it fails with:

Running transaction
  Preparing        :                                                                                       1/1 
  Running scriptlet: ccache-3.7.1-2.fc31.x86_64                                                            1/1 
error: failed to exec scriptlet interpreter /bin/sh: Permission denied
error: %prein(ccache-3.7.1-2.fc31.x86_64) scriptlet failed, exit status 127

Error in PREIN scriptlet in rpm package ccache
  Verifying        : ccache-3.7.1-2.fc31.x86_64                                                            1/1 

Failed:
  ccache-3.7.1-2.fc31.x86_64

I've got failure with dnf, useradd and groupadd when installing packages in the chroot.

carlwgeorge commented & provided feedback 7 months ago
karma

Same as others, this update causes SELinux denials that prevent scriptlets in the chroot from running.

This update has been obsoleted.

7 months ago
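
Added example, not part of any comment above and not mock or setroubleshoot code: a short Python parser that reduces the raw AVC records quoted in the comments to the tuple shown on their "Hash:" lines and groups the denied objects by target type, which shows that every denial here hits an object labelled mock_var_lib_t. Function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Raw AVC records copied from the sealert output quoted in the comments.
AVC_LINES = [
    'type=AVC msg=audit(1565445129.101:549): avc:  denied  { entrypoint } for  pid=30796 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1728912 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1565445462.986:646): avc:  denied  { read } for  pid=2278 comm="groupadd" name="run" dev="dm-1" ino=1710665 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1565514931.596:907): avc:  denied  { entrypoint } for  pid=2114 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1727060 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0',
]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


def parse_avc(line):
    """Parse one type=AVC denial into a dict; return None for other lines."""
    perms = _PERMS.search(line)
    if not line.startswith('type=AVC') or perms is None:
        return None
    rec = {key: value.strip('"') for key, value in _FIELD.findall(line)}
    if not {'comm', 'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = perms.group(1).split()
    # A context is user:role:type:level, so the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def denial_key(rec):
    """Build the tuple shown on the Hash: lines: comm, source type, target type, class, perms."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], *rec['perms']])


def summarize(lines):
    """Return (count per denial key, denied objects grouped by target type)."""
    counts, objects = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        counts[denial_key(rec)] += 1
        # The object is reported as path= or name=, depending on the record.
        objects[rec['ttype']].add(rec.get('path') or rec.get('name', '?'))
    return counts, objects


if __name__ == '__main__':
    counts, objects = summarize(AVC_LINES)
    for key, n in counts.items():
        print(n, key)
    for ttype, names in objects.items():
        print(ttype, sorted(names))
```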


Metadata
Type: bugfix
Severity: low
Karma: -3
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Dates
submitted: 7 months ago
in testing: 7 months ago
modified: 7 months ago
BZ#1264005 when dropping privileges secondary user groups are not loaded