[Rpm-maint] [Patch] Get RPM to not put down SELinux labels if NOCONTEXTS flag is enabled
dwalsh at redhat.com
Fri Aug 13 13:42:24 UTC 2010
----- Original Message -----
From: "Panu Matilainen" <pmatilai at laiskiainen.org>
To: "Daniel J Walsh" <dwalsh at redhat.com>
Cc: "Thomas Liu" <tliu at redhat.com>, "rpm-maint" <rpm-maint at lists.rpm.org>
Sent: Friday, August 13, 2010 3:28:27 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Rpm-maint] [Patch] Get RPM to not put down SELinux labels if NOCONTEXTS flag is enabled
On Wed, 11 Aug 2010, Daniel J Walsh wrote:
> On 08/11/2010 02:19 AM, Panu Matilainen wrote:
>> On Wed, 14 Jul 2010, Thomas Liu wrote:
>>> Dan Walsh and I have been working on confining mock builds with
>>> SELinux. As part of this process, we needed rpm to not put down
>>> SELinux labels inside the chroot, and wanted to accomplish this with
>>> the NOCONTEXTS flag, which this patch gets rpm to honor.
>> Rpm does honor RPMTRANS_FLAG_NOCONTEXTS for not putting down SELinux
>> labels as it is, AFAICT. What's the exact problem this is supposed to solve?
>> The only place that I can think of where this change might matter is
>> rpm_execcon() getting called when NOCONTEXTS is used and you'd want
>> regular execv(), or am I missing something?
>> - Panu -
> Yes that is the idea.
> We added this patch for mock builds.
> When mock does a build on an enforcing machine we want all the labels to
> be mock_var_lib_t (or something like this), and we do not want any of
> the post install scripts or RPM to attempt to do any SELinux stuff.
> The problem we saw was mock was running as mock_t and installing the
> packages, when mock_t(rpm) tried to run a post install script it noticed
> SELinux was enabled so it tried to execute the post install script as
> rpm_script_t (rpm_execcon) and mock_t is not allowed to run rpm_script_t
> so it blew up. We do not want to allow rpm_script_t to run within a
> mock environment since it is a very privileged selinux label.
Ok. But rather than change rpmtsSELinuxEnabled(), which is a cached value
of is_selinux_enabled() to tell whether selinux is enabled on the
/system/, it'd probably make more sense to just conditionalize
rpm_execcon() vs execv() on the per-transaction RPMTRANS_FLAG_NOCONTEXTS
flag. Which AFAICT ends up doing just the same thing as this patch,
without changing + overloading semantics of a public API function.
It does of course extend the meaning of NOCONTEXTS flag which is also
public, but it seems fairly reasonable: currently NOCONTEXT means "don't
put down file contexts", with the change it would mean "don't apply selinux
contexts at all". At least I can't see what sense it would make to install
something without selinux contexts but still run scripts within selinux
context, it's just likely to break anyway.
- Panu -
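
Added example, not code from the patch or from rpm: a small C model contrasting the two approaches discussed in this thread, overloading the "is SELinux enabled" query versus checking the per-transaction flag only at the point where the scriptlet is exec'd. The struct, function names and flag value are hypothetical stand-ins, and the exec calls are modelled as an enum so it runs without libselinux.

```c
#include <stdio.h>

/* Constructed stand-ins for this sketch; not rpm's real types or values. */
#define FLAG_NOCONTEXTS (1u << 8) /* models RPMTRANS_FLAG_NOCONTEXTS */

struct ts_model {
    int selinux_on_system; /* models the cached is_selinux_enabled() result */
    unsigned int flags;    /* per-transaction flags */
};

enum exec_path { EXEC_PLAIN_EXECV, EXEC_RPM_EXECCON };

/* First approach: the query itself answers 0 once NOCONTEXTS is set. */
static int enabled_overloaded(const struct ts_model *ts)
{
    return ts->selinux_on_system && !(ts->flags & FLAG_NOCONTEXTS);
}

/* Second approach: the query keeps reporting the state of the system ... */
static int enabled_system(const struct ts_model *ts)
{
    return ts->selinux_on_system;
}

/* ... and the flag is consulted only where the scriptlet gets exec'd. */
static enum exec_path script_exec_path(const struct ts_model *ts)
{
    if (enabled_system(ts) && !(ts->flags & FLAG_NOCONTEXTS))
        return EXEC_RPM_EXECCON; /* would transition to the script domain */
    return EXEC_PLAIN_EXECV;     /* stays in the caller's domain */
}

/* Exec path that results from the overloaded query, for comparison. */
static enum exec_path script_exec_path_overloaded(const struct ts_model *ts)
{
    return enabled_overloaded(ts) ? EXEC_RPM_EXECCON : EXEC_PLAIN_EXECV;
}

int main(void)
{
    for (int on = 0; on <= 1; on++)
        for (int nc = 0; nc <= 1; nc++) {
            struct ts_model ts = { on, nc ? FLAG_NOCONTEXTS : 0u };
            printf("selinux=%d nocontexts=%d exec=%s query=%d overloaded=%d\n",
                   on, nc, script_exec_path(&ts) ? "execcon" : "execv",
                   enabled_system(&ts), enabled_overloaded(&ts));
        }
    return 0;
}
```

Both variants pick the same exec path in all four cases; they differ only in what the query reports for an enforcing host with NOCONTEXTS set.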