tree compose: Delete .dbenv.lock and __db.* files from /usr/share/rpm

Currently on an Atomic compose, I'm seeing abrtd trying to write to
/usr/share/rpm/.dbenv.lock, which is denied by policy because it's
usr_t.  There are multiple ways to address this, but there's no good
reason to leave the lock files and __db* files around.

rpm appears to operate correctly without them if the calling process
merely gets EROFS.
Colin Walters 2014-06-06 14:51:18 -04:00
parent c8c54d5095
commit 1613435f7d
3 changed files with 49 additions and 7 deletions


@ -15,7 +15,7 @@
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
privlib_SCRIPTS =
privlib_SCRIPTS = src/rpmqa-sorted-and-clean
bin_PROGRAMS += rpm-ostree


@ -780,12 +780,16 @@ compute_checksum_for_compose (JsonObject *treefile_rootval,
json_node_free (treefile_rootnode);
}
/* Query the generated rpmdb, to see if anything has changed. */
{
int estatus;
/* Ugly but it works... */
gs_free char *rpmqa_shell = g_strdup_printf ("rpm --dbpath=%s/var/lib/rpm -qa | sort -u",
gs_file_get_path_cached (yumroot));
const char *rpmqa_argv[] = { "/bin/sh", "-c", rpmqa_shell, NULL };
gs_free char *yumroot_var_lib_rpm =
g_build_filename (gs_file_get_path_cached (yumroot),
"var/lib/rpm",
NULL);
const char *rpmqa_argv[] = { PKGLIBDIR "/rpmqa-sorted-and-clean",
yumroot_var_lib_rpm,
NULL };
gs_free char *rpmqa_result = NULL;
if (!g_spawn_sync (NULL, (char**)rpmqa_argv, NULL,
@ -793,12 +797,16 @@ compute_checksum_for_compose (JsonObject *treefile_rootval,
&rpmqa_result, NULL, &estatus, error))
goto out;
if (!g_spawn_check_exit_status (estatus, error))
goto out;
{
g_prefix_error (error, "Executing %s: ",
rpmqa_argv[0]);
goto out;
}
if (!*rpmqa_result)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"Empty result from %s", rpmqa_shell);
"Empty result from %s", rpmqa_argv[0]);
goto out;
}
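Review bot: The comment `/* Query the generated rpmdb, to see if anything has changed. */` no longer describes the whole block, because the helper it now spawns also deletes the rpmdb's `__db.*` and lock files once the query is done; suggest `/* Query the generated rpmdb, to see if anything has changed.  The helper script also removes the leftover __db.* and lock files afterwards so later processes don't try to write to them. */`. The spawn path is built from `PKGLIBDIR "/rpmqa-sorted-and-clean"` while the Makefile hunk installs the script through `privlib_SCRIPTS`, so this only resolves if privlibdir and PKGLIBDIR name the same directory, which I can't confirm from the diff. After the new `g_prefix_error` block, `rpmqa_result` is still only checked for being empty, so any failure the script does not surface through its exit status would be hashed as if it were valid output; the script's `set -o pipefail` appears to cover the pipeline case, but it is worth stating that reliance in a comment. compute_checksum_for_compose's body begins and ends outside these hunks.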

34
src/rpmqa-sorted-and-clean Executable file

@ -0,0 +1,34 @@
#!/bin/bash
#
# An ugly shell script to get the sorted output of "rpm -qa", and also
# ensure that leftover __db files are deleted afterwards. This helps
# avoid things like SELinux policy denials from processes that try to
# write to the lock file if it exists (as they'd try to write to
# usr_t).
#
# Copyright (C) 2014 Colin Walters <walters@verbum.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published
# by the Free Software Foundation; either version 2 of the licence or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General
# Public License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA 02111-1307, USA.
set -e
dbpath=$1
test -n "$dbpath" || (echo 1>&2 "usage: $0 DBPATH"; exit 1)
shift
set -o pipefail
rpm --dbpath=${dbpath} -qa | sort
set +o pipefail
rm -f ${dbpath}/__db.* ${dbpath}/{.dbenv,.rpm}.lock
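Review bot: `$dbpath` is expanded unquoted in `rpm --dbpath=${dbpath} -qa | sort` and again in the final `rm -f`, so a path containing whitespace or glob characters is split or expanded before it reaches rpm, and the `rm -f` could then match more than the intended db files; quote both uses, `rpm --dbpath="$dbpath" -qa | LC_ALL=C sort` and `rm -f "$dbpath"/__db.* "$dbpath"/{.dbenv,.rpm}.lock`. The `LC_ALL=C` is because this output appears to feed the compose checksum (it is captured in compute_checksum_for_compose in the C hunk above), and plain `sort` orders by the current locale, so the same package set could hash differently between compose hosts. The removed C code also piped through `sort -u` while the script uses `sort`, so duplicate lines are no longer collapsed; probably harmless, but it changes the hashed text and deserves a word in the header comment. The usage guard `test -n "$dbpath" || (echo 1>&2 "usage: $0 DBPATH"; exit 1)` only stops the script because `set -e` is in effect, since the `exit 1` runs in a subshell; `{ echo 1>&2 "usage: $0 DBPATH"; exit 1; }` makes the intent explicit, and the `shift` that follows is unused.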