policy for mock - put in mock package or selinux-policy-targeted?

Paul Howarth paul at city-fan.org
Sun Jun 4 20:11:15 UTC 2006


On Sun, 2006-06-04 at 15:18 -0400, Jeremy Katz wrote:
> On Thu, 2006-06-01 at 13:51 -0500, Matt Domsch wrote:
> > Should those files get compiled into modules, and installed, using
> > mock's SRPM, or should they go into selinux-policy-targeted?
> 
> Right now, they should go into the main policy package.  Work is
> underway to allow reasonable packaging of policy within other packages,
> but there are some dependencies there which need to be handled first.

I tend to agree. Whilst there are already a few packages in Extras with
custom policy hacks (semanage calls mainly, though pureftpd has a custom
module), there isn't yet a definitive way to do this nice and cleanly
(see the "SELinux Module Packaging in FC5" thread).

> Also, I'm not 100% convinced that relaxing what mock is allowed to do
> unconditionally like is described there is the best approach.  Not that
> anything better is immediately coming to mind at the moment :-/

Major problems that need to be overcome in order to do something better
include:

1. Mock itself loads a dummy libselinux, which makes everything that
happens under its control believe that SELinux is disabled.

2. The entire default file context tree in policy (and add-on modules,
semanage-ed custom policy tweaks etc.) would need to be duplicated for
each chroot.

Paul.
