RHEL-65599

Leapp fails while running "su - -c update-ca-trust" exit code 127 with fapolicy enabled [rhel-8]


      What were you trying to do that didn't work?

      After running leapp upgrade, I got the following error in /var/log/leapp/leapp-report.

      Risk Factor: high (error)
      Title: Actor target_userspace_creator unexpectedly terminated with exit code: 1
      Summary: Traceback (most recent call last):
        File "/usr/lib/python3.6/site-packages/leapp/repository/actor_definition.py", line 74, in _do_run
          actor_instance.run(*args, **kwargs)
        File "/usr/lib/python3.6/site-packages/leapp/actors/__init__.py", line 289, in run
          self.process(*args)
        File "/etc/leapp/repos.d/system_upgrade/common/actors/targetuserspacecreator/actor.py", line 58, in process
          userspacegen.perform()
        File "/usr/lib/python3.6/site-packages/leapp/utils/deprecation.py", line 42, in process_wrapper
          return target_item(*args, **kwargs)
        File "/etc/leapp/repos.d/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py", line 1246, in perform
          _create_target_userspace(context, indata, indata.packages, indata.files, target_repoids)
        File "/etc/leapp/repos.d/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py", line 1108, in _create_target_userspace
          _prep_repository_access(context, target_path)
        File "/etc/leapp/repos.d/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py", line 629, in _prep_repository_access
          run(["chroot", target_userspace, "/bin/bash", "-c", "su - -c update-ca-trust"])
        File "/usr/lib/python3.6/site-packages/leapp/libraries/stdlib/__init__.py", line 192, in run
          result=result
      leapp.libraries.stdlib.CalledProcessError: Command ['chroot', '/var/lib/leapp/el9userspace', '/bin/bash', '-c', 'su - -c update-ca-trust'] failed with exit code 127.
      

      The issue can be reproduced with:

      # chroot /var/lib/leapp/el9userspace  /bin/bash -c 'su - -c update-ca-trust'                                                                                      
      /bin/bash: error while loading shared libraries: libtinfo.so.6: cannot open shared object file: Operation not permitted
      

      Corresponding interpreted audit.log

      ----
      node=host.example.com type=PROCTITLE msg=audit(02/11/24 22:09:46.752:812959) : proctitle=/bin/bash -c su - -c update-ca-trust 
      node=host.example.com type=PATH msg=audit(02/11/24 22:09:46.752:812959) : item=0 name=/lib64/libtinfo.so.6 inode=101807 dev=fd:05 mode=file,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      node=host.example.com type=CWD msg=audit(02/11/24 22:09:46.752:812959) : cwd=/ 
      node=host.example.com type=SYSCALL msg=audit(02/11/24 22:09:46.752:812959) : arch=x86_64 syscall=openat success=no exit=EPERM(Operation not permitted) a0=AT_FDCWD a1=0x7fee0306cf50 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=5149 pid=208190 auid=exampleuser uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=access 
      node=host.example.com type=FANOTIFY msg=audit(02/11/24 22:09:46.752:812959) : resp=deny fan_type=rule_info fan_info=10 subj_trust=no obj_trust=no 
      ----
      node=host.example.com type=PROCTITLE msg=audit(02/11/24 22:09:46.753:812960) : proctitle=/bin/bash -c su - -c update-ca-trust 
      node=host.example.com type=PATH msg=audit(02/11/24 22:09:46.753:812960) : item=0 name=/lib64/libtinfo.so.6 inode=101807 dev=fd:05 mode=file,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      node=host.example.com type=CWD msg=audit(02/11/24 22:09:46.753:812960) : cwd=/ 
      node=host.example.com type=SYSCALL msg=audit(02/11/24 22:09:46.753:812960) : arch=x86_64 syscall=openat success=no exit=EPERM(Operation not permitted) a0=AT_FDCWD a1=0x7ffcc2d74620 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=5149 pid=208190 auid=exampleuser uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=access 
      node=host.example.com type=FANOTIFY msg=audit(02/11/24 22:09:46.753:812960) : resp=deny fan_type=rule_info fan_info=10 subj_trust=no obj_trust=no 
      

      A quick workaround is to stop fapolicyd with

      # service fapolicyd stop
      

      Then the symptom is gone.

      What is the impact of this issue to you?

      It stops leapp upgrade from functioning.

      Please provide the package NVR for which the bug is s

      • leapp-0.17.0-1.el8.noarch
      • fapolicyd-1.3.2-1.el8.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Ensure fapolicyd is running
      2. leapp update

      Expected results

      leapp succeeds

      Actual results

      leapp failed with error

      leapp.libraries.stdlib.CalledProcessError: Command ['chroot', '/var/lib/leapp/el9userspace', '/bin/bash', '-c', 'su - -c update-ca-trust'] failed with exit code 127.
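
Added example (not part of the original report, and not Leapp or fapolicyd code): a small Python parser for interpreted audit records like the ones quoted above, the format `ausearch -i` prints. It groups records by audit event ID and lists the events whose FANOTIFY record carries `resp=deny`, with the denied object and the executable that requested it. The sample input is abbreviated from the report's log plus one constructed allow event; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Records abbreviated from the interpreted audit.log in the report above,
# plus one constructed "allow" event (ID 812961) for contrast.
SAMPLE = """\
node=host.example.com type=PROCTITLE msg=audit(02/11/24 22:09:46.752:812959) : proctitle=/bin/bash -c su - -c update-ca-trust
node=host.example.com type=PATH msg=audit(02/11/24 22:09:46.752:812959) : item=0 name=/lib64/libtinfo.so.6 inode=101807 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL
node=host.example.com type=SYSCALL msg=audit(02/11/24 22:09:46.752:812959) : arch=x86_64 syscall=openat success=no exit=EPERM(Operation not permitted) pid=208190 comm=bash exe=/usr/bin/bash key=access
node=host.example.com type=FANOTIFY msg=audit(02/11/24 22:09:46.752:812959) : resp=deny fan_type=rule_info fan_info=10 subj_trust=no obj_trust=no
node=host.example.com type=PATH msg=audit(02/11/24 22:09:46.760:812961) : item=0 name=/usr/bin/ls inode=4242 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=host.example.com type=FANOTIFY msg=audit(02/11/24 22:09:46.760:812961) : resp=allow fan_type=rule_info fan_info=3 subj_trust=yes obj_trust=yes
"""

REC = re.compile(r"type=(\w+) msg=audit\((.*?):(\d+)\) : (.*)")
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")  # values may contain spaces

def parse_events(text):
    """Group records by audit event ID: {event_id: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = REC.search(line)
        if m:
            rtype, _ts, eid, body = m.groups()
            events[eid][rtype] = dict(FIELD.findall(body))  # last record of a type wins
    return events

def fapolicyd_denials(text):
    """Return one summary dict per event whose FANOTIFY record says resp=deny."""
    out = []
    for eid, recs in parse_events(text).items():
        fan = recs.get("FANOTIFY", {})
        if fan.get("resp") != "deny":
            continue
        path, sc = recs.get("PATH", {}), recs.get("SYSCALL", {})
        out.append({
            "event": eid,
            "exe": sc.get("exe"),
            "object": path.get("name"),
            "exit": sc.get("exit"),
            "selinux_type": (path.get("obj") or ":::").split(":")[2],
            "subj_trust": fan.get("subj_trust"),
            "obj_trust": fan.get("obj_trust"),
        })
    return out

if __name__ == "__main__":
    for d in fapolicyd_denials(SAMPLE):
        print(d)
```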
      
