SELinux error from Qubes builder


Hi.

I tried to build Qubes OS on a computer with Fedora 34 XFCE desktop (not Qubes OS) today. Following the official documentation, I cloned the master branch (9bd3fae). SELinux complained after I ran make qubes:

Currently installed dependencies
[<username@hostname> qubes-builder]$ make qubes
Currently installed dependencies:
createrepo_c-0.17.1-1.fc34.x86_64
debootstrap-1.0.123-1.fc33.noarch
devscripts-2.21.1-1.fc34.x86_64
dpkg-dev-1.20.7.1-1.fc34.noarch
git-2.31.1-3.fc34.x86_64
perl-Digest-MD5-2.58-2.fc34.x86_64
perl-Digest-SHA-6.02-459.fc34.x86_64
python3-pyyaml-5.4.1-2.fc34.x86_64
python3-sh-1.14.1-2.fc34.noarch
rpm-build-4.16.1.3-1.fc34.x86_64
rpmdevtools-9.3-4.fc34.noarch
wget-1.21.1-3.fc34.x86_64
Preparing fc32 build environment
make[1]: Entering directory '<xyz>/qubes-builder'
[sudo] password for <username>:
-> Preparing fc32 build environment
-> Initializing RPM database...
Permission error
error: can't create transaction lock on 
    <xyz>/qubes-builder/chroot-dom0-fc32/var/lib/rpm/.rpm.lock (Permission denied)
make[1]: *** [
    <xyz>/qubes-builder/qubes-src/builder-rpm/Makefile-legacy.rpmbuilder:37: 
        <xyz>/qubes-builder/chroot-dom0-fc32/home/user/.prepared_base
]
Error 1
make[1]: Leaving directory '<xyz>'
make: *** [Makefile:266: vmm-xen-dom0] Error 1

The "SELinux Alert Browser" GUI showed two errors:

+--------------------------------------+
| SELinux has detected a problem (1/2) |
+--------------------------------------+
      The source process: rpmdb
Attempted of this access: dac_read_search
      On this capability:

+--------------------------------------+
| SELinux has detected a problem (2/2) |
+--------------------------------------+
      The source process: rpmdb
Attempted of this access: dac_override
      On this capability:

Tracking the error

The “SELinux Alert Browser” suggested that I track and recreate the SELinux error with:

auditctl -w /etc/shadow -p w
ausearch -m avc -ts recent

The commands showed the recent SELinux violation:

----
type=AVC
msg=audit(<...>:614):
    avc: denied { dac_read_search } for
        pid=2446
        comm="rpmdb"
        capability=2
        scontext=
            unconfined_u:unconfined_r:rpmdb_t:
            s0-s0:c0.c1023
        tcontext=
            unconfined_u:unconfined_r:rpmdb_t:
            s0-s0:c0.c1023
        tclass=capability
        permissive=0

----
type=AVC
msg=audit(<...>:615):
    avc: denied { dac_override } for
        pid=2446
        comm="rpmdb"
        capability=1
        scontext=
            unconfined_u:unconfined_r:rpmdb_t:
            s0-s0:c0.c1023
        tcontext=
            unconfined_u:unconfined_r:rpmdb_t:
            s0-s0:c0.c1023
        tclass=capability
        permissive=0

Related Issue (?)

Issue #6376 looks similar but that issue doesn’t describe the exact SELinux error.

The “Qubes community” Discourse site has a similar unanswered post from Feb 9.

Question

How do I fix the SELinux error? I know nearly nothing about SELinux.
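
For readers triaging the same denials, here is one way to read the two AVC records above programmatically. It is an added example, not part of the original post or of qubes-builder. The function names, the `CAPS` table and the sample text are constructed for illustration, with each record on a single line as `ausearch` emits it and `<...>` standing for the timestamp elided in the post.

```python
import re

# Constructed sample: the two denials from the post, one record per line as
# ausearch emits them; "<...>" is the timestamp elided in the post.
_CTX = "unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023"
SAMPLE = "\n".join(
    f'type=AVC msg=audit(<...>:{serial}): avc:  denied  {{ {perm} }} for  '
    f'pid=2446 comm="rpmdb" capability={cap}  scontext={_CTX} '
    f'tcontext={_CTX} tclass=capability permissive=0'
    for serial, perm, cap in [(614, "dac_read_search", 2), (615, "dac_override", 1)]
)

AVC_RE = re.compile(
    r"audit\([^)]*:(\d+)\):\s+avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Capability numbers from linux/capability.h and what each lets a process do.
CAPS = {
    1: ("dac_override", "bypass file read/write/execute permission checks"),
    2: ("dac_read_search", "bypass file read and directory read/search checks"),
}

def parse_avc(text):
    """Return one dict per AVC record: serial, result, perms, key=value fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
            rec.update(serial=int(m.group(1)), result=m.group(2),
                       perms=m.group(3).split())
            records.append(rec)
    return records

def triage(rec):
    """Summarize one record: domain, capability, and whether it was blocked."""
    name, meaning = CAPS.get(int(rec.get("capability", -1)),
                             (None, "not in CAPS table"))
    return {
        "domain": rec["scontext"].split(":")[2],   # user:role:type:level
        "perm": rec["perms"][0],
        "meaning": meaning,
        # a capability check targets the process's own context
        "self_check": rec["scontext"] == rec["tcontext"],
        "perm_matches_capability": name == rec["perms"][0],
        "blocked": rec["result"] == "denied" and rec.get("permissive") == "0",
    }

if __name__ == "__main__":
    for rec in parse_avc(SAMPLE):
        print(rec["serial"], triage(rec))
```

Both records come out as enforced denials in the `rpmdb_t` domain for capabilities that let a process bypass ordinary file permission (DAC) checks.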