  • change of exit code during transition from mockchain to mock --chain
  • support run in Fedora Toolbox (otaylor@fishsoup.net)
  • add cheat sheet
  • Adding tool for parsing build.log (sisi.chlupova@gmail.com)
  • load secondary groups [#1264005]
  • pass --allowerasing by default to DNF [GH#251]
  • make include() functional for --chain [GH#263]
  • Removing buildstderr from log - configurable via _mock_stderr_line_prefix (sisi.chlupova@gmail.com)
  • Fixup: Use rpm -qa --root instead of running rpm -qa in chroot (miro@hroncok.cz)
  • DynamicBuildrequires: Detect when no new packages were installed (miro@hroncok.cz)
  • Allow more loop devices (sisi.chlupova@gmail.com)
  • Fix binary locations in /bin for split-usr setups (bero@lindev.ch)
  • describe behaviour of resultdir together with --chain [GH#267]
  • repeat dynamic requires if needed [GH#276]
  • Fix compatibility with pre-4.15 RPM versions with DynamicBuildRequires (i.gnatenko.brain@gmail.com)
  • Enable dynamic BuildRequires by default (i.gnatenko.brain@gmail.com)
  • bootstrap: independent network configuration (praiskup@redhat.com)
  • Update the man page about ~/.config/mock/FOO.cfg (miro@hroncok.cz)
  • explicitly convert releasever to string [GH#270]
  • grant anyone access to bind-mounted /etc/resolv.conf (praiskup@redhat.com)
  • -r FOO will try to read first ~/.mock/FOO.cfg if exists
  • enhance man page of mock about --chain
  • bash completion for --chain
  • respect use_host_resolv config even with use_nspawn (praiskup@redhat.com)
  • Fix crash on non-ascii dnf log messages (bkorren@redhat.com)
  • add deprecation warning to mockchain
  • replace mockchain with mock --chain command (necas.marty@gmail.com)
  • switch to python3 on el7 (msuchy@redhat.com)

  • disable updates-modulare repos for now

  • buildrequire systemd-srpm-macros to get _sysusersdir
  • removed info about metadata expire (khoidinhtrinh@gmail.com)
  • added updates-modular to 29 and 30 (khoidinhtrinh@gmail.com)
  • replace groupadd using sysusers.d
  • core-configs: epel-7 profiles to use mirrorlists (praiskup@redhat.com)
  • EOL Fedora 28
  • do not protect packages in chroot [GH#286]
  • Fix value for dist for OpenMandriva 4.0 configs (ngompa13@gmail.com)
  • Add initial OpenMandriva distribution targets (ngompa13@gmail.com)

This update has been submitted for testing by msuchy.

11 months ago

This update's test gating status has been changed to 'waiting'.

11 months ago

This update's test gating status has been changed to 'ignored'.

11 months ago

This update has been pushed to testing.

11 months ago
churchyard commented & provided feedback 11 months ago

$ mock -r fedora-rawhide-x86_64 --enablerepo=local init
...

(AVC denial notification when installing packages)

$ sealert -l '*'
...
SELinux is preventing dnf from entrypoint access on the file /usr/bin/bash.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/usr/bin/bash default label should be shell_exec_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/bin/bash

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that dnf should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dnf' --raw | audit2allow -M my-dnf
# semodule -X 300 -i my-dnf.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        dnf
Source Path                   dnf
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           bash-5.0.7-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2019-08-10 15:51:55 CEST
Last Seen                     2019-08-10 15:52:09 CEST
Local ID                      7e4896a3-a0f7-41a8-b8a5-ac7622bf68c5

Raw Audit Messages
type=AVC msg=audit(1565445129.101:549): avc:  denied  { entrypoint } for  pid=30796 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1728912 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0


Hash: dnf,rpm_script_t,mock_var_lib_t,file,entrypoint

SELinux is preventing groupadd from read access on the lnk_file run.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that groupadd should be allowed read access on the run lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'groupadd' --raw | audit2allow -M my-groupadd
# semodule -X 300 -i my-groupadd.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                run [ lnk_file ]
Source                        groupadd
Source Path                   groupadd
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           filesystem-3.10-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   12
First Seen                    2019-08-10 15:46:58 CEST
Last Seen                     2019-08-10 15:57:42 CEST
Local ID                      c73a2255-ca38-4478-90f1-89e6386c8b9d

Raw Audit Messages
type=AVC msg=audit(1565445462.986:646): avc:  denied  { read } for  pid=2278 comm="groupadd" name="run" dev="dm-1" ino=1710665 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=lnk_file permissive=0


Hash: groupadd,groupadd_t,mock_var_lib_t,lnk_file,read

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

11 months ago
churchyard commented & provided feedback 11 months ago

It seems that mock otherwise works. Not sure if the denials are important or not.

lbalhar commented & provided feedback 11 months ago

Works for me very well.

churchyard commented & provided feedback 11 months ago

OK, so mock -r fedora-rawhide-x86_64 init && mock -r fedora-rawhide-x86_64 remove '*rpm-macros' fails with:

  Running scriptlet: binutils-2.32-23.fc31.x86_64                                                                                                                                                                          22/53 
error: failed to exec scriptlet interpreter /bin/sh: Permission denied
error: %preun(binutils-2.32-23.fc31.x86_64) scriptlet failed, exit status 127

Error in PREUN scriptlet in rpm package binutils
  Erasing          : libssh-config-0.9.0-6.fc31.noarch                                                                                                                                                                     23/53 
error: binutils-2.32-23.fc31.x86_64: erase failed
*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that dnf should be allowed entrypoint access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dnf' --raw | audit2allow -M my-dnf
# semodule -X 300 -i my-dnf.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:mock_var_lib_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        dnf
Source Path                   dnf
Port                          <Unknown>
Host                          carbon
Source RPM Packages           
Target RPM Packages           bash-5.0.7-1.fc30.x86_64
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     carbon
Platform                      Linux carbon 5.1.19-300.fc30.x86_64 #1 SMP Mon Jul
                              22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   17
First Seen                    2019-08-10 15:51:55 CEST
Last Seen                     2019-08-11 11:15:31 CEST
Local ID                      7e4896a3-a0f7-41a8-b8a5-ac7622bf68c5

Raw Audit Messages
type=AVC msg=audit(1565514931.596:907): avc:  denied  { entrypoint } for  pid=2114 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1727060 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0


Hash: dnf,rpm_script_t,mock_var_lib_t,file,entrypoint

With selinux enabled and this mock version. Works fine with previous mock version (from stable).

This update's test gating status has been changed to 'greenwave_failed'.

11 months ago

This update's test gating status has been changed to 'ignored'.

11 months ago

praiskup edited this update.

11 months ago
praiskup commented & provided feedback 11 months ago

I disabled the autopush on time, fyi. It seems like we could break copr/koji builders by this.

decathorpe commented & provided feedback 11 months ago

It looks like all (?) RPM scriptlets fail to run because SELinux blocks access to /usr/bin/bash.

Running clean --scrub all makes it work once, but subsequent runs without running clean --scrub all in between fail.

eclipseo commented & provided feedback 11 months ago

My chroots have all CCache enabled and it fails with:

Running transaction
  Preparing        :                                                                                       1/1 
  Running scriptlet: ccache-3.7.1-2.fc31.x86_64                                                            1/1 
error: failed to exec scriptlet interpreter /bin/sh: Permission denied
error: %prein(ccache-3.7.1-2.fc31.x86_64) scriptlet failed, exit status 127

Error in PREIN scriptlet in rpm package ccache
  Verifying        : ccache-3.7.1-2.fc31.x86_64                                                            1/1 

Failed:
  ccache-3.7.1-2.fc31.x86_64

I've got failure with dnf, useradd and groupadd when installing packages in the chroot.

carlwgeorge commented & provided feedback 11 months ago

Same as others, this update causes SELinux denials that prevent scriptlets in the chroot from running.

This update has been obsoleted.

11 months ago
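
A triage aid for the denials quoted in the comments above, added here as an example (it is not part of the Bodhi page or of mock): it parses raw type=AVC records, reduces each context to its SELinux type, and groups denials under the same five-field signature that sealert prints on its Hash: lines. The function names are this example's own; the sample records are the three raw audit messages copied from the comments.

```python
import re
from collections import defaultdict

# The three raw audit messages quoted in the comments on this page.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1565445129.101:549): avc:  denied  { entrypoint } for  pid=30796 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1728912 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1565445462.986:646): avc:  denied  { read } for  pid=2278 comm="groupadd" name="run" dev="dm-1" ino=1710665 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1565514931.596:907): avc:  denied  { entrypoint } for  pid=2114 comm="dnf" path="/usr/bin/bash" dev="dm-1" ino=1727060 scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file permissive=0
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec


def selinux_type(context):
    """user:role:type:level -> type (the level may itself contain ':')."""
    return context.split(":", 3)[2]


def group_denials(audit_text):
    """Map 'comm,source_type,target_type,class,perm' -> count and target objects."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            sig = ",".join((rec["comm"], selinux_type(rec["scontext"]),
                            selinux_type(rec["tcontext"]), rec["tclass"], perm))
            groups[sig]["count"] += 1
            # The records on this page identify the object by path= or by name=.
            groups[sig]["targets"].add(rec.get("path") or rec.get("name", "?"))
    return dict(groups)


if __name__ == "__main__":
    for sig, info in sorted(group_denials(SAMPLE_AUDIT).items()):
        print(f"{info['count']:3d}  {sig}  {sorted(info['targets'])}")
```

On the records above, both signatures have the target type mock_var_lib_t, so grouping by signature shows at a glance whether a newly reported denial belongs to the same problem.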


Metadata
Type: bugfix
Severity: low
Karma: -3
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 11 months ago
in testing: 11 months ago
modified: 11 months ago

BZ#1264005 when dropping privileges secondary user groups are not loaded