[Rpm-maint] [Patch] Get RPM to not put down SELinux labels if NOCONTEXTS flag is enabled

Panu Matilainen pmatilai at laiskiainen.org
Fri Aug 13 07:36:36 UTC 2010


On Fri, 13 Aug 2010, Panu Matilainen wrote:

> On Wed, 11 Aug 2010, Daniel J Walsh wrote:
>
>> On 08/11/2010 02:19 AM, Panu Matilainen wrote:
>>> On Wed, 14 Jul 2010, Thomas Liu wrote:
>>> 
>>>> Hi,
>>>> 
>>>> Dan Walsh and I have been working on confining mock builds with
>>>> SELinux. As part of this process, we needed rpm to not put down
>>>> SELinux labels inside the chroot, and wanted to accomplish this with
>>>> the NOCONTEXTS flag, which this patch gets rpm to honor.
>>> 
>>> Rpm does honor RPMTRANS_FLAG_NOCONTEXTS for not putting down SELinux
>>> labels as it is AFAICT. What's the exact problem this is supposed to solve?
>>> The only place that I can think of where this change might matter is
>>> rpm_execcon() getting called when NOCONTEXTS is used and you'd want
>>> regular execv(), or am I missing something?
>>>
>>>     - Panu -
>> 
>> Yes that is the idea.
>> 
>> We added this patch for mock builds.
>> 
>> When mock does a build on an enforcing machine we want all the labels to
>> be mock_var_lib_t (or something like this), and we do not want any of
>> the post install scripts or RPM to attempt to do any SELinux stuff.
>> 
>> The problem we saw was mock was running as mock_t and installing the
>> packages, when mock_t(rpm) tried to run a post install script it noticed
>> SELinux was enabled so it tried to execute the post install script as
>> rpm_script_t (rpm_execcon) and mock_t is not allowed to run rpm_script_t
>> so it blew up.  We do not want to allow rpm_script_t to run within a
>> mock environment since it is a very privileged selinux label.
>
> Ok. But rather than change rpmtsSELinuxEnabled(), which is a cached value of 
> is_selinux_enabled() to tell whether selinux is enabled on the /system/, it'd 
> probably make more sense to just conditionalize rpm_execcon() vs execv() on 
> the per-transaction RPMTRANS_FLAG_NOCONTEXTS flag. Which AFAICT ends up doing 
> just the same thing as this patch, without changing + overloading semantics 
> of a public API function.
>
> It does of course extend the meaning of NOCONTEXTS flag which is also public, 
> but it seems fairly reasonable: currently NOCONTEXT means "don't put down file 
> contexts", with the change it would mean "don't apply selinux contexts at 
> all". At least I can't see what sense it would make to install something 
> without selinux contexts but still run scripts within selinux context, it's 
> just likely to break anyway.

Hmm.. and actually with that change, the whole rpmtsSELinuxEnabled() 
function becomes unnecessary as it's only needed for avoiding the 
relatively expensive is_selinux_enabled() call on each and every scriptlet 
execution. All the better :)

 	- Panu -
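
The equivalence argued in the message above, as an added C model that is not code from rpm or from the submitted patch: it compares overloading the getter with checking the flag at the exec site, over every combination of system SELinux state and NOCONTEXTS. `struct ts_model`, the function names and the flag's bit value are assumptions, and variant A is the patch only as the reply describes it.

```c
#include <stdio.h>
/* Stand-in for RPMTRANS_FLAG_NOCONTEXTS; the bit value here is illustrative. */
#define NOCONTEXTS_FLAG (1u << 8)

enum exec_path { USE_EXECV, USE_RPM_EXECCON };

struct ts_model {                 /* hypothetical model, not rpm's rpmts */
    int system_selinux;           /* cached is_selinux_enabled() result */
    unsigned int transflags;      /* per-transaction flags */
};

/* Variant A (patch as the reply describes it): the getter itself is overloaded. */
static int enabled_overloaded(const struct ts_model *ts)
{
    return ts->system_selinux && !(ts->transflags & NOCONTEXTS_FLAG);
}
static enum exec_path exec_overloaded(const struct ts_model *ts)
{
    return enabled_overloaded(ts) ? USE_RPM_EXECCON : USE_EXECV;
}

/* Variant B (the reply's suggestion): getter unchanged, flag checked at exec. */
static int enabled_plain(const struct ts_model *ts)
{
    return ts->system_selinux;
}
static enum exec_path exec_flagged(const struct ts_model *ts)
{
    int use_con = enabled_plain(ts) && !(ts->transflags & NOCONTEXTS_FLAG);
    return use_con ? USE_RPM_EXECCON : USE_EXECV;
}

/* Count the states (out of four) in which the two variants disagree. */
static int count_mismatches(int compare_getter)
{
    int n = 0;
    for (int se = 0; se <= 1; se++)
        for (int nc = 0; nc <= 1; nc++) {
            struct ts_model ts = { se, nc ? NOCONTEXTS_FLAG : 0u };
            n += compare_getter ? enabled_overloaded(&ts) != enabled_plain(&ts)
                                : exec_overloaded(&ts) != exec_flagged(&ts);
        }
    return n;
}

int main(void)
{
    printf("exec: %d, getter: %d\n", count_mismatches(0), count_mismatches(1));
    return 0;
}
```

The single getter mismatch is the SELinux-enabled host with NOCONTEXTS set: only the overloaded getter tells every other caller that SELinux is off, while the scriptlet exec choice is the same in both variants.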

