[Rpm-maint] [Patch] Get RPM to not put down SELinux labels if NOCONTEXTS flag is enabled

Panu Matilainen pmatilai at laiskiainen.org
Fri Aug 13 07:28:27 UTC 2010

On Wed, 11 Aug 2010, Daniel J Walsh wrote:

> On 08/11/2010 02:19 AM, Panu Matilainen wrote:
>> On Wed, 14 Jul 2010, Thomas Liu wrote:
>>> Hi,
>>> Dan Walsh and I have been working on confining mock builds with
>>> SELinux. As part of this process, we needed rpm to not put down
>>> SELinux labels inside the chroot, and wanted to accomplish this with
>>> the NOCONTEXTS flag, which this patch gets rpm to honor.
>> Rpm does honor RPMTRANS_FLAG_NOCONTEXTS for not putting down SELinux
>> labels as it is, AFAICT. What's the exact problem this is supposed to solve?
>> The only place that I can think of where this change might matter is
>> rpm_execcon() getting called when NOCONTEXTS is used and you'd want
>> regular execv(), or am I missing something?
>>     - Panu -
> Yes that is the idea.
> We added this patch for mock builds.
> When mock does a build on an enforcing machine we want all the labels to
> be mock_var_lib_t (or something like this), and we do not want any of
> the post install scripts or RPM to attempt to do any SELinux stuff.
> The problem we saw was mock was running as mock_t and installing the
> packages, when mock_t(rpm) tried to run a post install script it noticed
> SELinux was enabled so it tried to execute the post install script as
> rpm_script_t (rpm_execcon) and mock_t is not allowed to run rpm_script_t
> so it blew up.  We do not want to allow rpm_script_t to run within a
> mock environment since it is a very privileged selinux label.

Ok. But rather than change rpmtsSELinuxEnabled(), which is a cached value 
of is_selinux_enabled() to tell whether selinux is enabled on the 
/system/, it'd probably make more sense to just conditionalize 
rpm_execcon() vs execv() on the per-transaction RPMTRANS_FLAG_NOCONTEXTS 
flag. Which AFAICT ends up doing just the same thing as this patch, 
without changing + overloading semantics of a public API function.

It does of course extend the meaning of NOCONTEXTS flag which is also 
public, but it seems fairly reasonable: currently NOCONTEXT means "don't 
put down file contexts", with the change it would mean "don't apply selinux 
contexts at all". At least I can't see what sense it would make to install 
something without selinux contexts but still run scripts within selinux 
context, it's just likely to break anyway.

 	- Panu -
