First cut a new mock launcher

Clark Williams williams at redhat.com
Wed Jun 14 20:47:38 UTC 2006



Mike McLean wrote:
> Clark Williams wrote:
>> Note that the program makes use of Linux namespaces. This *should*
>> make our handling of mount points within the chroot (/proc, /sys,
>> etc.) a bit easier to clean up, since when the process dies the mounts
>> should just go away. I haven't verified this though, so caveat emptor.
>
> Using namespaces does not relieve us of managing our mounts. For
> example, mock.py still needs to make sure the mounts are gone before
> attempting to remove a buildroot. It mainly serves as a safety net.
>
I suppose I should have said "if the process terminates abnormally" as
opposed to "when the process dies". I realize that we can't whack a
directory that still has a mount on/in it and that namespaces do
nothing for us there.

>> #ifdef USE_SELINUX
>>     // add LD_PRELOAD for our selinux lib if selinux is in use is set
>
> I don't think the SELINUX preload needs to be done here anymore.
> mock.py can set it up when running mock-yum if need be.

Yeah, I meant to ask that on my original email. I didn't build the new
mock.c with USE_SELINUX enabled, because I wasn't sure if we were
going to need it, or if we were going to push forward with a mock
SELinux policy, or something completely different. I will admit to not
having paid the closest attention to all the SELinux traffic on the
lists lately... :).

As I recall, we do an LD_PRELOAD of our .so before going into the
chroot, so that selinux is effectively disabled in the chroot.
Personally, I think that SELinux is a bit of overkill inside a chroot,
but someone running at a high-security facility may feel differently.

I'm ok with letting mock.py manage the addition of LD_PRELOAD to the
chroot and moving it out of the launcher. The code is only complete
when you can remove no more...

Clark


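The check discussed in this message, that no mounts remain under a buildroot before it is removed, as an added example (not code from mock.py or from this thread). The function names, the `/srv/buildroots/demo` path and the sample mount table are constructed for illustration; the check only sees mounts in the calling process's own mount namespace.

```python
import os
import re

# Constructed sample in /proc/self/mountinfo format (not taken from a real host).
# Field 5 is the mount point; spaces in paths are escaped as \040.
SAMPLE_MOUNTINFO = r"""
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 22 0:4 / /srv/buildroots/demo/root/proc rw - proc proc rw
41 22 0:16 / /srv/buildroots/demo/root/sys rw - sysfs sysfs rw
42 22 0:5 / /srv/buildroots/demo/root/dev/pts rw - devpts devpts rw
43 22 0:30 / /srv/buildroots/demo/root-old/proc rw - proc proc rw
44 22 0:31 / /srv/buildroots/demo/root/my\040dir rw - tmpfs tmpfs rw
"""


def _unescape(field):
    """Decode the octal escapes (\\040, \\011, \\012, \\134) used in mountinfo."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def mounts_under(buildroot, mountinfo_text):
    """Return mount points at or below buildroot, deepest first (unmount order)."""
    root = os.path.normpath(buildroot)
    found = []
    for line in mountinfo_text.splitlines():
        fields = line.split(" ")
        if len(fields) < 5:
            continue  # blank or malformed line
        mount_point = os.path.normpath(_unescape(fields[4]))
        # Compare on a path-component boundary so "root-old" is not
        # mistaken for something inside "root".
        if mount_point == root or mount_point.startswith(root + os.sep):
            found.append(mount_point)
    return sorted(found, key=lambda p: (-p.count(os.sep), p))


def safe_to_remove(buildroot, mountinfo_text=None):
    """True only if nothing is mounted at or below buildroot."""
    if mountinfo_text is None:
        # Assumption: the caller shares a mount namespace with whatever
        # created the mounts; a private namespace is not visible here.
        with open("/proc/self/mountinfo") as handle:
            mountinfo_text = handle.read()
    return not mounts_under(buildroot, mountinfo_text)
```
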



