SELinux in mock

Jerry James loganjerry at gmail.com
Wed Jan 14 18:15:44 UTC 2009


On Wed, Jan 14, 2009 at 11:04 AM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> If the chcon fails, won't the subsequent attempt to execute the dump
> file also fail due to lack of permissions?

It doesn't fail on SELinux-enabled hosts where the GCL policy is
already in place.  On the koji builders, since selinuxenabled exits
with code 1, we don't try the chcon in the first place.  The only
place where I'm having a problem is in a mock build on an
SELinux-enabled host.  I don't know what to do there.

> Ideally you'd get your domain (or perhaps just a more generic
> unconfined_execheap_t domain) added to the base policy and included in
> the policy on the build servers so that you could use an already defined
> file type.

GCL needs more than just execheap permission, which is why I wrote an
app-specific policy.  Since it is still undergoing a certain amount of
flux, I think that adding it to the base policy might be premature at
this time.

> Alternatively, you might be able to work around it via setting the existing
> allow_execheap boolean if that exists on those machines:
>        setsebool allow_execheap 1
>        <run your build>
>        setsebool allow_execheap 0
>
> That unfortunately will affect more than just your particular process,
> but may be a temporary fix.

I'd like to avoid this solution if at all possible.

Thanks for the help.
-- 
Jerry James
http://loganjerry.googlepages.com/
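The guard described in the message above (attempt the chcon only when selinuxenabled succeeds), as an added shell example that is not part of this thread or of GCL's packaging. It also verifies that the label actually took effect and returns a distinct code for "SELinux off" versus "chcon failed", so a build script can recognise the failing case the thread reports inside a mock chroot; the file type name is a placeholder, not a type from any real policy.

```shell
#!/bin/sh
# Added example: relabel a build artifact only when SELinux is enabled, and
# confirm the label really took effect instead of trusting chcon alone.
# Return codes: 0 = relabelled and verified
#               3 = SELinux disabled or tools absent, relabelling skipped
#               1 = SELinux enabled but chcon failed or the label did not stick
relabel_if_selinux() {
    file=$1
    type=$2

    # selinuxenabled exits 1 when SELinux is off (as on the koji builders),
    # so skip the chcon entirely there; a missing binary is treated the same.
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux disabled or unavailable; leaving $file unlabelled" >&2
        return 3
    fi

    if ! chcon -t "$type" "$file" 2>/dev/null; then
        echo "chcon -t $type $file failed" >&2
        return 1
    fi

    # Verify via the file's actual context (user:role:type:level).
    actual=$(stat -c %C "$file" 2>/dev/null)
    case $actual in
        *:"$type":*) return 0 ;;
        *) echo "expected type $type on $file but context is '$actual'" >&2
           return 1 ;;
    esac
}

# Placeholder type (assumption): substitute the type your app-specific
# policy actually defines for the executable dump file.
APP_TYPE=${APP_TYPE:-my_app_exec_t}

# Stand-alone usage: relabel.sh <file>
if [ "$#" -ge 1 ]; then
    relabel_if_selinux "$1" "$APP_TYPE"
    rc=$?
    case $rc in
        0) echo "relabelled $1 as $APP_TYPE" ;;
        3) echo "skipped relabelling $1 (SELinux off)" ;;
        *) echo "could not relabel $1; executing it will likely fail" >&2 ;;
    esac
    exit $rc
fi
```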
More information about the fedora-devel-list mailing list