query: mock + libselinux-mock.so LD_PRELOAD... why?
Paul Howarth
paul at city-fan.org
Thu Jan 3 15:41:02 UTC 2008
Michael E Brown wrote:
> On Thu, Dec 13, 2007 at 12:01:47PM +0000, Paul Howarth wrote:
>> Paul Howarth wrote:
>>
>> Just tried it, seems to have the same LIBDIR problem as last time:
>>
>> $ mock -r fedora-8-x86_64 rebuild mock-0.8.17-0.se.fc8.src.rpm
>> INFO: mock.py version 0.8.17 starting...
>> State Changed: init plugins
>> State Changed: start
>> ERROR: global name 'LIBDIR' is not defined
>> Traceback (most recent call last):
>> File "/usr/libexec/mock.py", line 529, in <module>
>> main(retParams)
>> File "/usr/libexec/mock.py", line 512, in main
>> do_rebuild(config_opts, chroot, args)
>> File "<peak.util.decorators.rewrap wrapping __main__.do_rebuild at
>> 0x008BA668>", line 3, in do_rebuild
>> def do_rebuild(config_opts, chroot, srpms): return
>> __decorated(config_opts, chroot, srpms)
>> File "/usr/lib/python2.5/site-packages/mock/trace_decorator.py", line
>> 70, in trace
>> result = func(*args, **kw)
>> File "/usr/libexec/mock.py", line 312, in do_rebuild
>> os.environ["LD_PRELOAD"] = LIBDIR+"/libselinux-mock.so"
>> NameError: global name 'LIBDIR' is not defined
>
> This is odd. I ran a full unit test until I didn't see this message at
> all. Might be having git sync issues with our public mirror, I'll check.

I don't think this stuff is necessary any more. Since selinux-policy
3.0.8-67 in Fedora 8, /usr/bin/mock is labelled
unconfined_notrans_exec_t. So mock doesn't transition into other domains
and it doesn't matter that rpm labels files in the chroot with context
types that would normally cause the problematic transitions (into
useradd_t, ldconfig_t etc.). The result is nice, clean, denial-free
builds with SELinux in enforcing mode.

This fix also renders the mock policy module as described on the wiki
(the MockTricks page) largely redundant. The only exception case I can
see is if some task needing to run as part of a build requires execheap
permission, which might happen for some mono/java-based packages but I
don't know of any problem packages right now. That bridge can no doubt
be crossed when someone comes to it.

Not sure if this fix has been applied in F-7 or if it will ever make it
into RHEL/CentOS though.

Paul.