@praiskup praiskup commented Feb 7, 2024

Fixes: #1285

@praiskup praiskup marked this pull request as draft February 7, 2024 08:53

praiskup commented Feb 7, 2024

While the use of --root is desired and safer than --prefix, I'm not convinced we want to apply the needed SELinux workaround. I'd rather wait till shadow-utils people tell us what to do about this.

xsuchy commented Feb 7, 2024

This does not work for me. When I change it from the host, then it is remounted. And it is read-only, so I cannot change it from the chroot either.

praiskup commented Feb 7, 2024

Yes, Mock's selinux plugin has some hacks related to SELinux too, and we do recursive bind-mounts later:

BindMountPoint(srcpath=mount_point,
               bindpath=host_path,
               recursive=True,
               options="nodev,noexec,nosuid,readonly,rprivate"),

The point of this hack is to prepare the enforce file right before shadow-utils (useradd, groupadd, etc.) are executed (from /usr/sbin on host).

self._selinux_workaround_applied = True

def _execute_command(self, command, can_fail=False):
self._selinux_workaround()
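
Review bot: `self._selinux_workaround()` is called at the top of `_execute_command` with no comment saying why it is there or when it can be dropped. Add a short comment at the call that names the upstream shadow-utils issue it works around, and consider calling it only on the `use_host_shadow_utils` path that passes `--root`, so the workaround runs only where it is needed.
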
Member Author

When the fix from shadow-maint/shadow#1258 gets released, we no longer need the _selinux_workaround().

# Tracking upstream bug https://github.com/shadow-maint/shadow/issues/897
if self.root.config['use_host_shadow_utils']:
do_with_status(command + ['--prefix', self.root.make_chroot_path()], raiseExc=not can_fail)
do_with_status(command + ['--root', self.root.make_chroot_path()], raiseExc=not can_fail)
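
Review bot: the `--root` call under `if self.root.config['use_host_shadow_utils']:` hard-codes the option for every build host, and the `# Tracking upstream bug` comment above it does not say which option applies where. If some hosts still need `--prefix`, choose the option from a config value or a detected shadow-utils capability, and extend the comment to state which case each option covers.
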
Member Author

... but we'll have to continue using --prefix for older buildhosts (not targets, because we use shadow utils from host).

Successfully merging this pull request may close these issues.

We should do shadow-utils (e.g. useradd) with --root, not --prefix
