[Rpm-maint] [Patch] Get RPM to not put down SELinux labels if NOCONTEXTS flag is enabled

Daniel J Walsh dwalsh at redhat.com
Wed Aug 11 11:51:59 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/11/2010 02:19 AM, Panu Matilainen wrote:
> On Wed, 14 Jul 2010, Thomas Liu wrote:
> 
>> Hi,
>>
>> Dan Walsh and I have been working on confining mock builds with
>> SELinux. As part of this process, we needed rpm to not put down
>> SELinux labels inside the chroot, and wanted to accomplish this with
>> the NOCONTEXTS flag, which this patch gets rpm to honor.
> 
> Rpm does honor RPMTRANS_FLAG_NOCONTEXTS for not putting down SELinux
> labels as it AFAICT. What's the exact problem this is supposed to solve?
> The only place that I can think of where this change might matter is
> rpm_execcon() getting called when NOCONTEXTS is used and you'd want
> regular execv(), or am I missing something?
> 
>     - Panu -

Yes that is the idea.

We added this patch for mock builds.

When mock does a build on a enforcing machine we want all the labels to
be mock_var_lib_t (Or something like this),  And we do not want any of
the post install scripts or RPM to attempt to do any SELinux stuff.

The problem we saw was mock was running as mock_t and installing the
packages, when mock_t(rpm) tried to run a post install script it noticed
SELinux was enabled so it tried to execute the post install script as
rpm_script_t (rpm_execcon) and mock_t is not allowed to run rpm_script_t
so it blew up.  We do not want to allow rpm_script_t to run within a
mock environment since it is a very privileged selinux label.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkxijtsACgkQrlYvE4MpobN19gCdFCViR2djGTzJB8HYmWl9Jy8D
cDoAn1nozDOLwi7j2mRwIAOoaFOAOsKH
=xZH8
-----END PGP SIGNATURE-----


More information about the Rpm-maint mailing list