selinux breaks revisor

Douglas McClendon dmc.fedora at filteredperception.org
Fri Jan 25 05:59:04 UTC 2008


Jeff Spaleta wrote:
> 2008/1/24 Jesse Keating <jkeating at redhat.com>:
>> Maybe I missed that, but every /rpm/ is buildable by non-root.  It's
>> when you start talking about /composing/ releases and Live images that
>> root privs are needed (or enough privs to make loopback devices).
> 
> make loopback devices....  does fuse provide a non-root way to deal
> with this here?

I think there are historical threads about the security/code-quality and 
how it related to the decision of requiring root to add users to the 
fuse group.  Sounded like fuse might get the job done someday, but 
someday wasn't quite here yet.

Still, for doing composes as non-root I like my qemu 'qfakeroot', as it 
handles everything nicely (but slowly).  I.e. I imagine running into 
headaches getting rpm post scripts running as non-root in a target dir, 
using something like traditional fakeroot to deal with file ownerships. 
  And of course coming full circle, then there would still be the 
selinux issues in this non-root fuse-using quasi-chroot hypothetical 
compose beast...

-dmc



