Sudo rpm --rebuilddb is blocked by SELinux

I’ve just upgraded my Fedora 43 to Fedora 44.
If I try to run sudo rpm --rebuilddb (as suggested in the upgrade instructions) it triggers SELinux, which blocks two operations:

Quote from the details:

SELinux is preventing rpmdb from using the dac_override capability.
SELinux is preventing rpmdb from using the dac_read_search capability.

How to run sudo rpm --rebuilddb properly?

A little further down in the upgrade doc is the relabel command. If you haven’t already done it, run it. If you have already relabeled post-upgrade, then re-run it again and try to rebuild the rpm database.

After upgrades, I always do the relabel and 50/50 chance I remember to rebuild the rpm db. I have been bitten in the past with incorrect SELinux labels post-upgrade.

Best of luck!

I did run sudo fixfiles -B onboot previously and I did run it now again plus reboot. Unfortunately it didn’t help.

In most cases that optional command to rebuild the rpm db is totally unnecessary. While you are certainly free to do so, most users never need that command.

The restorecon command will do a full relabel of everything in the system according to the desired selinux context if it is run as sudo restorecon -r -vv / and given time to complete. Using the -vv option will provide information about changes being done for you, and the -r option tells it to recursively descend the directory tree. Use man restorecon to see the details of how to use that command and what it does.

You also could use sudo setenforce 0 to temporarily switch selinux to permissive mode, and it would return to enforcing with a reboot or manually with sudo setenforce 1.

Unfortunately neither sudo restorecon -r -vv / nor sudo setenforce 0 did help. I also tried sudo fixfiles -M -B onboot and reboot but the result was the same - sudo rpm --rebuilddb triggers two SELinux preventions.

Using sudo setenforce 0 before using sudo rpm --rebuilddb should change those messages from blocking the command to a warning that allows the rpm command to complete in spite of the warnings.

Note that rpm --rebuilddb is obsolete and should be done as sudo rpmdb --rebuilddb.

The command man rpm shows --rebuilddb as

Obsolete compatibility aliases
       These are obsolete popt(3) aliases for backwards compatibility only, and their use is discouraged.

       --initdb, --rebuilddb, --verifydb
           See rpmdb(8).

and man rpmdb shows several additional suggestions, including the --verifydb option which points back to rpm --verify -a.

@rosti this looks relevant:

What is your SELinux status? Here’s mine:

sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      35

I checked my audit logs and found:

sudo ausearch -c 'rpmdb' --raw 
type=AVC msg=audit(1777159203.266:632): avc:  denied  { dac_read_search } for  pid=19877 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1777606673.397:1174): avc:  denied  { dac_read_search } for  pid=71140 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=1

Which was around when I upgraded (04/30 ish) from Fedora 42 to Fedora 43 and ran sudo rpm --rebuilddb.

I am in permissive mode, and I generally ignore SELinux Troubleshooter…

I guess if it’s bugging you, create a local policy and install it?

Best of luck!

Using sudo setenforce 0 before using sudo rpm --rebuilddb should change those messages from blocking the command to a warning that allows the rpm command to complete in spite of the warnings.

But actually it only changes which capabilities are blocked. Before sudo setenforce 0 SELinux blocks two capabilities: dac_read_search and dac_override. After sudo setenforce 0 SELinux blocks only one capability: dac_read_search.

Note that rpm --rebuilddb is obsolete and should be done as sudo rpmdb --rebuilddb.

Yes, and SELinux always blocks rpmdb, i.e. sudo rpm --rebuilddb calls sudo rpmdb --rebuilddb. And it blocks it in both cases of --rebuilddb and --verifydb with exactly the same sets of blocked capabilities, as described above.

BTW neither rpm nor rpmdb prints any error message in the terminal. Only the SELinux Alert Browser pops up in the tray bar of my Cinnamon DE. And I always delete those alerts between different runs of rpm or rpmdb.

Indeed, seems to be relevant. In my case the dac_read_search capability is always blocked from rpmdb and the dac_override is blocked only in Enforcing mode.

I will report my problem in that GitHub issue. Thank you.
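Added example, not from this thread or from Fedora's own tooling: a bash helper that summarises AVC records like the ones posted above, per source type and per capability, and tags each with whether it was logged in permissive or enforcing mode, which is the distinction discussed in this reply. It assumes `ausearch --raw` formatted input; the sample records below are constructed, modelled on the thread's lines.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): summarise SELinux AVC capability
# denials from `ausearch --raw` output so you can see, per source type,
# which capabilities were denied and whether the denial happened in
# permissive mode (permissive=1, logged but allowed) or enforcing mode.
# Real use:  sudo ausearch -c rpmdb --raw | summarize_avc

summarize_avc() {
    # stdin: raw audit records. Output: "<stype> <perm> <tclass> <mode> <count>"
    awk '
    /^type=AVC/ {
        perm = ""; stype = ""; tclass = ""; mode = "enforcing"
        if (match($0, /denied +[{] [^}]* [}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] /, "", perm); sub(/ [}]$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tclass")   tclass = kv[2]
            if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        n = split(perm, ps, " ")           # a record may list several perms
        for (j = 1; j <= n; j++)
            if (stype != "") seen[stype " " ps[j] " " tclass " " mode]++
    }
    END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Constructed sample: two permissive-mode records modelled on the thread's,
# plus one enforcing-mode dac_override denial of the kind the OP only sees
# with SELinux enforcing.
SAMPLE_AVC='type=AVC msg=audit(1777159203.266:632): avc:  denied  { dac_read_search } for  pid=19877 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1777606673.397:1174): avc:  denied  { dac_read_search } for  pid=71140 comm="rpmdb" capability=2  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(1777700000.000:2000): avc:  denied  { dac_override } for  pid=80000 comm="rpmdb" capability=1  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0'

summarize_sample() { printf '%s\n' "$SAMPLE_AVC" | summarize_avc; }

summarize_sample
# Expected:
#   rpmdb_t dac_override capability enforcing 1
#   rpmdb_t dac_read_search capability permissive 2
# Once the exact set is known, the usual next step is a local module built
# only from those records (what setroubleshoot proposes):
#   sudo ausearch -c rpmdb --raw | audit2allow -M my-rpmdb
#   sudo semodule -X 300 -i my-rpmdb.pp
```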

In enforcing mode, the rpmdb is terminated before it can run the dac_override.

I found that there is a difference between

sudo rpm --rebuilddb

and

su -
rpm --rebuilddb