Michael E Brown wrote:
On Thu, Dec 13, 2007 at 12:01:47PM +0000, Paul Howarth wrote:
Paul Howarth wrote:

Just tried it, seems to have the same LIBDIR problem as last time:

$ mock -r fedora-8-x86_64 rebuild mock-0.8.17-0.se.fc8.src.rpm
INFO: mock.py version 0.8.17 starting...
State Changed: init plugins
State Changed: start
ERROR: global name 'LIBDIR' is not defined
Traceback (most recent call last):
  File "/usr/libexec/mock.py", line 529, in <module>
    main(retParams)
  File "/usr/libexec/mock.py", line 512, in main
    do_rebuild(config_opts, chroot, args)
  File "<peak.util.decorators.rewrap wrapping __main__.do_rebuild at 0x008BA668>", line 3, in do_rebuild
    def do_rebuild(config_opts, chroot, srpms): return __decorated(config_opts, chroot, srpms)
  File "/usr/lib/python2.5/site-packages/mock/trace_decorator.py", line 70, in trace
    result = func(*args, **kw)
  File "/usr/libexec/mock.py", line 312, in do_rebuild
    os.environ["LD_PRELOAD"] = LIBDIR+"/libselinux-mock.so"
NameError: global name 'LIBDIR' is not defined

This is odd. I ran a full unit test until I didn't see this message at
all. Might be having git sync issues with our public mirror, I'll check.

I don't think this stuff is necessary any more. Since selinux-policy 3.0.8-67 in Fedora 8, /usr/bin/mock is labelled unconfined_notrans_exec_t. So mock doesn't transition into other domains and it doesn't matter that rpm labels files in the chroot with context types that would normally cause the problematic transitions (into useradd_t, ldconfig_t etc.). The result is nice, clean, denial-free builds with SELinux in enforcing mode.

This fix also renders the mock policy module as described on the wiki (the MockTricks page) largely redundant. The only exception case I can see is if some task needing to run as part of a build requires execheap permission, which might happen for some mono/java-based packages but I don't know of any problem packages right now. That bridge can no doubt be crossed when someone comes to it.

Not sure if this fix has been applied in F-7 or if it will ever make it into RHEL/CentOS though.

Paul.

--
Fedora-buildsys-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list