query: mock + libselinux-mock.so LD_PRELOAD... why?

Paul Howarth paul at city-fan.org
Tue Dec 4 12:35:03 UTC 2007 

Michael E Brown wrote:
> On Mon, Dec 03, 2007 at 04:39:26PM -0600, Michael E Brown wrote:
>> On Mon, Dec 03, 2007 at 04:49:41PM +0000, Paul Howarth wrote:
>>> Michael E Brown wrote:
>>> If you're not using the policy module, I'd expect you to have problems 
>>> building packages that run mono and/or java code at build time as 
>>> described at http://fedoraproject.org/wiki/PackageMaintainers/MockTricks
> 
> Can you explain to me what you mean by "if you're not using the policy
> module"? I'm sorta-slow when it comes to selinux (as evidenced by this
> thread...)

I'm referring to the SELinux policy module attached to the wiki page:
http://fedoraproject.org/wiki/PackageMaintainers/MockTricks

There's a description of the problem (at least as it was in FC5) on that 
page.

>>> The package I came across that exhibited this problem and led me to 
>>> write the policy module was "lat", a mono-based package.
> 
> Using unmodified current mock (0.8.12) on Fedora 8 with selinux
> enforcing, I was able to compile current F8 lat:
> 
> $ mock -r fedora-8-x86_64 --rebuild --resultdir=./try/out ./try/lat-1.2.3-1.fc8.src.rpm 
> INFO: mock.py version 0.8.12 starting...
> State Changed: init plugins
> State Changed: start
> State Changed: lock buildroot
> State Changed: clean
> INFO: Start(./try/lat-1.2.3-1.fc8.src.rpm)  Config(fedora-8-x86_64)
> State Changed: init
> State Changed: lock buildroot
> INFO: enabled yum cache
> State Changed: cleaning yum metadata
> INFO: enabled root cache
> State Changed: unpacking cache
> State Changed: running yum
> State Changed: setup
> State Changed: build
> INFO: Done(./try/lat-1.2.3-1.fc8.src.rpm) Config(fedora-8-x86_64) 9 minutes 42 seconds
> INFO: Results and/or logs in: ./try/out
> INFO: Cleaning up build root ('clean_on_success=True')
> State Changed: lock buildroot
> State Changed: clean

I'm also unable to reproduce the problem at this time, but I believe 
that that's because of the labelling issue, which is masking the problem.

After building lat, try this:
# ls -lZ /var/lib/mock/fedora-8-x86_64/root/usr/bin/mono

I get:
-rwxr-xr-x  root root system_u:object_r:mono_exec_t:s0 
/var/lib/mock/fedora-8-x86_64/root/usr/bin/mono

With the LD_PRELOAD, this would have been var_lib_t or mock_var_lib_t, 
depending on whether you were using the policy module. I'd expect the 
build to fail with this file not labelled as mono_exec_t, due to execmod 
errors.

If you get var_lib_t for this file, could you try removing any cache for 
this root, and also the root itself (/var/lib/mock/fedora-8-x86_64/root) 
and try again?

Paul.

More information about the Fedora-buildsys-list mailing list