Create new types in modules?

Paul Howarth paul at city-fan.org
Thu Apr 13 07:36:05 UTC 2006


Is it possible to create new context types in a loadable module?

Here's why I ask:

I'm trying to use mock to build packages on FC5 targeted at older
distributions, like Red Hat 8 for instance (more on mock at
http://fedoraproject.org/wiki/Legacy/Mock and
http://fedoraproject.org/wiki/Projects/Mock). What mock basically does
is to create a chroot with a build environment for the target
distribution and run a regular rpm build within that chroot, pulling in
the other distro's binaries, shared libraries, etc.

Mock's approach to SELinux is simple: it loads a dummy libselinux that
effectively turns it off.

However, with FC5, this no longer seems to be enough. The memory tests
don't like loading ancient DSOs that don't have separate stack segments
and so some builds fail with execmod errors. I tried using semanage to
set the default context for .so.* files under the chroot to
textrel_shlib_t but although restorecon targeted those files properly,
the contexts weren't set properly within the chrooted build (would I
have to remove the chroot prefix in the semanage call to get that to
work? It's not something I want to do as I'll get the wrong contexts on
files in the host system that way).

So, my idea was to define everything under my chroot as a new type,
mock_root_t, and then have a module like this:

module mock 0.2;

require {
        class file execmod;

        type unconfined_t;
        type mock_root_t;
};

allow unconfined_t mock_root_t:file execmod;

However, I can't load this module using semodule because mock_root_t
doesn't exist. So is there a way of defining a new type in a module?

Paul.
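For reference, this is how the module above would look with the new type declared by the module itself rather than requested from the base policy. This is an added example, not part of the original post: a `require` block can only name types the base policy already defines, so `mock_root_t` has to be declared with a `type` statement in the module body. The `file_type` attribute name is the one used by the FC5 reference policy; giving the new type that attribute is what lets restorecon/setfiles apply it to files on disk.

```selinux
module mock 0.3;

require {
        class file execmod;

        # Only things the base policy already provides belong here.
        type unconfined_t;
        attribute file_type;
};

# Declare the new type in the module body, not inside require.
type mock_root_t;

# Mark it as a type that may label on-disk files so that restorecon,
# setfiles and the file_contexts machinery accept it.
typeattribute mock_root_t file_type;

# The one extra permission the chrooted builds were failing on.
allow unconfined_t mock_root_t:file execmod;
```

After loading the .pp built from this with semodule, a file-context rule such as `semanage fcontext -a -t mock_root_t '/path/to/chroot(/.*)?'` (the path is a placeholder for the mock chroot directory) followed by restorecon on that tree labels the chroot without touching host files; note that this grants execmod on everything under the chroot, which is broader than the textrel_shlib_t approach that targeted only .so.* files.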