query: mock + libselinux-mock.so LD_PRELOAD... why?

[Paul Howarth]

Michael E Brown wrote:
> On Fri, Dec 07, 2007 at 02:40:44PM -0600, Michael E Brown wrote:
>> On Wed, Dec 05, 2007 at 12:35:46PM +0000, Paul Howarth wrote:
>>> The way I *think* it used to work was that mock-helper would set the 
>>> LD_PRELOAD and then exec() the required program (rpm, yum, whatever). 
>>> When it came to running yum, it didn't exec() yum directly, it exec()-ed 
>>> mock-yum instead, which was a simple wrapper that removed the LD_PRELOAD 
>>> from the environment (the libselinux-mock already being in place from 
>>> the exec() that called it). The result of this was that child processes 
>>> of mock-yum (e.g. rpm, package scriptlets running in the chroot) got the 
>>> fake libselinux without the LD_PRELOAD being visible.
>>>
>>> The more integrated architecture of mock now may make this sort of hack 
>>> quite difficult to implement.
>> s/difficult/easy/g;
>>
>> It should be extremely easy to do this, *if* it is necessary. We just
>> need to set/unset the variable as necessary around all calls to external
>> programs. Like this: os.environ['LD_PRELOAD'] = "...";  or
>> del(os.environ["LD_PRELOAD"]);
>>
>> Luckily, we have *one* entry point to call all external programs, atm,
>> which is mock.util.do(). We just need to decide before each external
>> call if we need to set the variable or not.
>>
>> We also have *one* wrapper for running yum, which then calls down to
>> mock.util.do(). If necessary, we could easily set/unset this variable in
>> that call and insulate all other callers from this knowledge.
>>
>> All-in-all, if we can come up with a test case for why we would still
>> need the preload, I could quite easily add this functionality back. So
>> far, though, I'm not seeing a lot of evidence of what is broken, and I'm
>> the sort that likes to see the broken pieces before I implement the fix.
> 
> Paul,
>     I have recreated the git selinux branch at
> http://linux.dell.com/git/mock.git (if you have previously cloned,
> please re-clone.) It is based on the current 0.8 codebase.

OK, I'll give that a go as soon as I can find a reasonable amount of time.

>     This version passes all unit tests with no messages about missing
> libraries, and also unsets LD_PRELOAD prior to running mock.

Great.

>     Could you please give it a runthrough and see if you notice it doing
> anything? I get the same (nonfatal) AVC denials that I get without the
> patch when running in enforcing mode.

I think that any AVCs, even if they don't cause build failures, are a 
problem; they add clutter to the audit log, can pop up an setroubleshoot 
alert on the desktop and may hide other problems unrelated to mock.

Could you post some examples of the AVCs youre getting?

Could you also test the version with the LD_PRELOAD after removing the 
target root entirely and also any root cache and see if you still get 
the denials. If you do get any denials, could you check (ls -lZ) if any 
of the files installed in the target's /bin, /sbin, /usr/bin, /usr/sbin 
directories have context types ending in _exec_t?

Paul.