omejzlik
October 24, 2022, 7:18pm
1
Hi,
I have an odd issue.https://pagure.io/fedora-kickstarts.git
git clone https://pagure.io/fedora-kickstarts.git
cd fedora-kickstarts/
git checkout -b f35 origin/f35
ksflatten --config fedora-live-workstation.ks -o flat-fedora-live.ks
FEDORA_VER=35
WORKDIR="/home/$USER/test"
mock -r fedora-"${FEDORA_VER}"-x86_64 --rootdir "$WORKDIR" --init
mock -r fedora-"${FEDORA_VER}"-x86_64 --rootdir "$WORKDIR" --install lorax-lmc-novirt grub2-tools-minimal vim-minimal pykickstart coreutils
cp ./flat-fedora-live.ks "$WORKDIR"/builddir
mock -r fedora-"${FEDORA_VER}"-x86_64 --rootdir "$WORKDIR" --isolation=simple --enable-network --shell "livemedia-creator --ks flat-fedora-live.ks --nomacboot --no-virt --anaconda-arg='--nosave=all' --make-iso --iso-only --iso-name Fedora-${FEDORA_VER}-x86_64.iso --project Fedora-Live --volid Fedora-${FEDORA_VER} --releasever ${FEDORA_VER} --resultdir /tmp/fedora-iso"
This is what the selinux context looks like when I run the iso:
$ ls -Z /usr/sbin
unconfined_u:object_r:bin_t:s0 abrt-auto-reporting
unconfined_u:object_r:abrt_exec_t:s0 abrtd
This is what it looks like on a downloaded live iso from fedora website:
$ ls -Z /usr/sbin/
system_u:object_r:bin_t:s0 abrt-auto-reporting
system_u:object_r:abrt_exec_t:s0 abrtd
Any idea why this is?
vwbusguy
October 24, 2022, 10:53pm
2
Is the “selinux-autorelabel” service enabled/running as part of your kickstart setup?
1 Like
omejzlik
October 25, 2022, 8:54am
3
Both the systems the downloaded one with correct selinux and the one I built produce the same output:
$ systemctl list-unit-files | grep selinux
selinux-autorelabel-mark.service enabled enabled
selinux-autorelabel.service static -
selinux-check-proper-disable.service disabled disabled
selinux-autorelabel.target static -
$ systemctl status selinux-autorelabel
â—‹ selinux-autorelabel.service - Relabel all filesystems
Loaded: loaded (/usr/lib/systemd/system/selinux-autorelabel.service; static)
Active: inactive (dead)
Static services can not be disabled on top of that.
omejzlik
October 25, 2022, 2:00pm
4
Building the same iso from the same kickstart file with livecd-creator produces a system with correct selinux:
sudo su
setenforce 0
livecd-creator --verbose --config ./flat-fedora-live.ks --fslabel=Image-Label --cache =/var/cache/live
setenforce 1
This results in this:
$ ls -Z /usr/sbin
system_u:object_r:bin_t:s0 abrt-auto-reporting
system_u:object_r:abrt_exec_t:s0 abrtd
Any idea why the lorax livemedia-creator does not do the same?
ledeni
October 27, 2022, 9:29am
5
I don’t see that you set setenforce 0 to first set of commands and If your system is using SELinux, it needs to be set to Permissive mode while running lorax.
omejzlik
October 27, 2022, 10:30am
6
I tested it:
$ sudo setenforce 0
[sudo] password for ...:
$ getenforce
Permissive
FEDORA_VER=35
WORKDIR="/home/$USER/test"
mock -r fedora-"${FEDORA_VER}"-x86_64 --rootdir "$WORKDIR" --init
mock -r fedora-"${FEDORA_VER}"-x86_64 --rootdir "$WORKDIR" --install lorax-lmc-novirt grub2-tools-minimal vim-minimal pykickstart coreutils
cp ./flat-fedora-live.ks "$WORKDIR"/builddir
mock -r fedora-"${FEDORA_VER}"-x86_64 --rootdir "$WORKDIR" --isolation=simple --enable-network --shell "livemedia-creator --ks flat-fedora-live.ks --nomacboot --no-virt --anaconda-arg='--nosave=all' --make-iso --iso-only --iso-name Fedora-${FEDORA_VER}-x86_64.iso --project Fedora-Live --volid Fedora-${FEDORA_VER} --releasever ${FEDORA_VER} --resultdir /tmp/fedora-iso"
sudo setenforce 1
Still the same wrong selinux context result.
I am not sure the permissive mode is still a requirement or whether it affects lorax when it is running inside mock.
vwbusguy
October 28, 2022, 7:01pm
7
It doesn’t sound like SELinux running on the build machine is the issue here, but if it were, you’d see AVC denials show up with journalctl when it’s running. If it’s not, then I definitely suggest turning it back on to enforcing.
What filesystem is mock running on?
omejzlik
October 28, 2022, 9:57pm
8
No denials show up in the log.
1 Like