warning: Found bdb Packages database while attempting sqlite backend

I updated Fedora from 31 to 33, skipping 32 because I live on the edge.

When I tried using DNF, Fedora spewed this on stderr: "warning: Found bdb Packages database while attempting sqlite backend: using bdb backend."

Sweet, no worries! A swift search and you find this advice:

In some circumstances [*] users may see messages like “warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.” This is a harmless indication that rpm configuration and what’s on disk disagree. It can be silenced either by running rpmdb --rebuilddb to convert the database to match configuration, or by overriding configuration to match what is on disk (see above).

https://fedoraproject.org/wiki/Changes/Sqlite_Rpmdb

Great! I ran rpmdb --rebuilddb and it returned quickly. Running more dnf commands, though, continued giving the same error.

I checked journalctl and found the following errors:

AVC avc: denied { read } for pid=12602 comm="rpmdb" name="resolv.conf" dev="dm-0" ino=1966429 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
AVC avc: denied { open } for pid=12906 comm="rpmdb" path="/var/lib/rpm/.rpm.lock" dev="dm-0" ino=799036 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
AVC avc: denied { lock } for pid=13224 comm="rpmdb" path="/var/lib/rpm/.rpm.lock" dev="dm-0" ino=799036 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

I noticed that the errors say the command causing the errors is rpmdb, which is exactly what I was hoping to find. Perfect! I searched for “AVC avc: denied” and found a link to this fantastic page on the Gentoo wiki explaining what I was reading: https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details

From there, I knew I needed to allow the rpmdb command the permissions that were being denied. I saw that audit2allow seemed to be a command I needed to allow these permissions. The man page lists the purpose of the command as

   audit2allow - generate SELinux policy allow/dontaudit rules from logs of denied operations

I copied and pasted the errors from journalctl into a temporary file I called temp.pp, used audit2allow to create a module I called rpmdb, and then installed the module into SELinux. I reran the rpmdb command and repeated the process until I’d dealt with all of the errors.

audit2allow -M rpmdb < temp.pp
semodule -i rpmdb.pp

As an experiment, I tried repeatedly adding the rules to the same temp file and re-adding the temp file with the same audit2allow/semodule commands, and it worked perfectly.

Reading the man page for audit2allow and this page https://danwalsh.livejournal.com/24750.html (linked to from https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow), I’m pretty sure I didn’t need to use the temp file.

Once all the errors were dealt with, the rpmdb rebuilt just fine to

Author: jamandbees

There's just this whole, like, wha? Out there in the world, y'know? The jam and the bees, please.
