mach/mock and selinux
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Sat May 21 14:31:55 UTC 2005
oliver at linux-kernel.at ("Oliver Falk") writes:
>> >>>$ mock -r fedora-3-i386-core mock-0.1-1.src.rpm
>> > ::
>> >>> Non-zero return value 127 on executing
>> >>>/usr/sbin/mock-helper chroot
>> >>>/var/lib/mock//fedora-3-i386-core/root /sbin/runuser - root -c
>> >>>"/usr/sbin/useradd -u 500 -d /builddir mockbuild"
>> >
>> > Ok I haven't tested, but apparently this is caused by using selinux,
>> > which presumably also explains the problem I was seeing earlier with
>> > mach.
>>
>> SELinux was never designed to work with or in chroot environments,
>> and unless somebody implements another kernel API, this will not
>> change. So best would be, to disable SELinux completely at system
>> start.
>
> Correct, Enrico, but wouldn't make sense to give user mock all (selinux)
> permission for /var/lib/mock!?
Probably not. SELinux requires the /proc and /selinux filesystems to
communicate with the kernel; it does not use the common syscall
interface.
This makes e.g. the 'rpm --root' commands nearly impossible: script
execution would require complicated actions in the selinux lib
(getting fd of /proc/self/attr/... before the chroot(2) (perhaps of
files in /selinux/... also) and using it after the chroot(2)). But
the SELinux lib was not designed for it; most functions are doing
'fopen("/proc/...")' themself and can not used cached fd's or other
SELinux information.
See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145770 also.
Enrico
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 480 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-extras-list/attachments/20050521/e7722b95/attachment.sig>
More information about the fedora-extras-list
mailing list