Michael E Brown wrote:
On Fri, Dec 07, 2007 at 02:40:44PM -0600, Michael E Brown wrote:
On Wed, Dec 05, 2007 at 12:35:46PM +0000, Paul Howarth wrote:
The way I *think* it used to work was that mock-helper would set the
LD_PRELOAD and then exec() the required program (rpm, yum, whatever).
When it came to running yum, it didn't exec() yum directly, it exec()-ed
mock-yum instead, which was a simple wrapper that removed the LD_PRELOAD
from the environment (the libselinux-mock already being in place from
the exec() that called it). The result of this was that child processes
of mock-yum (e.g. rpm, package scriptlets running in the chroot) got the
fake libselinux without the LD_PRELOAD being visible.
The more integrated architecture of mock now may make this sort of hack
quite difficult to implement.
s/difficult/easy/g;
It should be extremely easy to do this, *if* it is necessary. We just
need to set/unset the variable as necessary around all calls to external
programs. Like this: os.environ['LD_PRELOAD'] = "..."; or
del(os.environ["LD_PRELOAD"]);
Luckily, we have *one* entry point to call all external programs, atm,
which is mock.util.do(). We just need to decide before each external
call if we need to set the variable or not.
We also have *one* wrapper for running yum, which then calls down to
mock.util.do(). If necessary, we could easily set/unset this variable in
that call and insulate all other callers from this knowledge.
All-in-all, if we can come up with a test case for why we would still
need the preload, I could quite easily add this functionality back. So
far, though, I'm not seeing a lot of evidence of what is broken, and I'm
the sort that likes to see the broken pieces before I implement the fix.
Paul,
I have recreated the git selinux branch at
http://linux.dell.com/git/mock.git (if you have previously cloned,
please re-clone.) It is based on the current 0.8 codebase.
OK, I'll give that a go as soon as I can find a reasonable amount of time.
This version passes all unit tests with no messages about missing
libraries, and also unsets LD_PRELOAD prior to running mock.
Great.
Could you please give it a runthrough and see if you notice it doing
anything? I get the same (nonfatal) AVC denials that I get without the
patch when running in enforcing mode.
I think that any AVCs, even if they don't cause build failures, are a
problem; they add clutter to the audit log, can pop up an setroubleshoot
alert on the desktop and may hide other problems unrelated to mock.
Could you post some examples of the AVCs youre getting?
Could you also test the version with the LD_PRELOAD after removing the
target root entirely and also any root cache and see if you still get
the denials. If you do get any denials, could you check (ls -lZ) if any
of the files installed in the target's /bin, /sbin, /usr/bin, /usr/sbin
directories have context types ending in _exec_t?
Paul.
--
Fedora-buildsys-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
