[Rpm-maint] [Patch] Get RPM to not put down SELinux labels if NOCONTEXTS flag is enabled
Panu Matilainen
pmatilai at laiskiainen.org
Fri Aug 13 07:36:36 UTC 2010
On Fri, 13 Aug 2010, Panu Matilainen wrote:
> On Wed, 11 Aug 2010, Daniel J Walsh wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 08/11/2010 02:19 AM, Panu Matilainen wrote:
>>> On Wed, 14 Jul 2010, Thomas Liu wrote:
>>>
>>>> Hi,
>>>>
>>>> Dan Walsh and I have been working on confining mock builds with
>>>> SELinux. As part of this process, we needed rpm to not put down
>>>> SELinux labels inside the chroot, and wanted to accomplish this with
>>>> the NOCONTEXTS flag, which this patch gets rpm to honor.
>>>
>>> Rpm does honor RPMTRANS_FLAG_NOCONTEXTS for not putting down SELinux
>>> labels as it AFAICT. What's the exact problem this is supposed to solve?
>>> The only place that I can think of where this change might matter is
>>> rpm_execcon() getting called when NOCONTEXTS is used and you'd want
>>> regular execv(), or am I missing something?
>>>
>>> - Panu -
>>
>> Yes that is the idea.
>>
>> We added this patch for mock builds.
>>
>> When mock does a build on an enforcing machine we want all the labels to
>> be mock_var_lib_t (or something like this), and we do not want any of
>> the post install scripts or RPM to attempt to do any SELinux stuff.
>>
>> The problem we saw was mock was running as mock_t and installing the
>> packages, when mock_t(rpm) tried to run a post install script it noticed
>> SELinux was enabled so it tried to execute the post install script as
>> rpm_script_t (rpm_execcon) and mock_t is not allowed to run rpm_script_t
>> so it blew up. We do not want to allow rpm_script_t to run within a
>> mock environment since it is a very privileged selinux label.
>
> Ok. But rather than change rpmtsSELinuxEnabled(), which is a cached value of
> is_selinux_enabled() to tell whether selinux is enabled on the /system/, it'd
> probably make more sense to just conditionalize rpm_execcon() vs execv() on
> the per-transaction RPMTRANS_FLAG_NOCONTEXTS flag. Which AFAICT ends up doing
> just the same thing as this patch, without changing + overloading semantics
> of a public API function.
>
> It does of course extend the meaning of NOCONTEXTS flag which is also public,
> but it seems fairly reasonable: currently NOCONTEXT means "don't put down file
> contexts", with the change it would mean "don't apply selinux contexts at
> all". At least I can't see what sense it would make to install something
> without selinux contexts but still run scripts within selinux context, it's
> just likely to break anyway.

Hmm.. and actually with that change, the whole rpmtsSELinuxEnabled()
function becomes unnecessary as it's only needed for avoiding the
relatively expensive is_selinux_enabled() call on each and every scriptlet
execution. All the better :)

- Panu -
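
The approach suggested in this message, choosing between rpm_execcon() and execv() per transaction from RPMTRANS_FLAG_NOCONTEXTS, as an added example; it is not the patch under discussion and not rpm's own code. Assumptions: `pick_exec_path` and `run_scriptlet` are hypothetical names, the flag value is copied locally instead of including `<rpm/rpmts.h>`, and `WITH_SELINUX` is an assumed build macro that enables the libselinux calls.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef WITH_SELINUX
#include <selinux/selinux.h>    /* is_selinux_enabled(), rpm_execcon() */
#endif

extern char **environ;

/* Assumption: local copy of the flag; real code includes <rpm/rpmts.h>. */
#define RPMTRANS_FLAG_NOCONTEXTS (1u << 8)

enum exec_path { EXEC_PLAIN, EXEC_SELINUX };

/* Hypothetical helper: the per-transaction flag wins over the system-wide
 * SELinux state, so a NOCONTEXTS transaction never asks for rpm_script_t. */
enum exec_path pick_exec_path(unsigned int transflags, int selinux_enabled)
{
    if (transflags & RPMTRANS_FLAG_NOCONTEXTS)
        return EXEC_PLAIN;
    return selinux_enabled > 0 ? EXEC_SELINUX : EXEC_PLAIN;
}

/* Hypothetical helper: run a scriptlet interpreter in a child process.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_scriptlet(unsigned int transflags, char *const argv[])
{
    int selinux = 0, status;
#ifdef WITH_SELINUX
    /* Only query SELinux when the transaction has not opted out. */
    if (!(transflags & RPMTRANS_FLAG_NOCONTEXTS))
        selinux = is_selinux_enabled();
#endif
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (pick_exec_path(transflags, selinux) == EXEC_SELINUX) {
#ifdef WITH_SELINUX
            rpm_execcon(0, argv[0], argv, environ);  /* domain transition */
#endif
        } else {
            execv(argv[0], argv);                    /* stay in caller's domain */
        }
        _exit(127);                                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```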