Re: mock context

[Daniel J Walsh <dwalsh redhat com>]

Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Eric Paris wrote:
>>> On Sun, 2008-05-25 at 16:20 +0100, Paul Howarth wrote:
>>>> Is there some reason why the context type of /usr/sbin/mock has
>>>> reverted
>>>> to bin_t in F9 from unconfined_notrans_exec_t in F8? The latter still
>>>> seems to work OK for me in F9 and significantly reduces the number of
>>>> spurious AVCs when using mock.
>>> I think Dan did it after reading some of my messages about getting
>>> livecd's to work.  I've since reverted it on my local livecd building
>>> systems and just haven't told dan I think unconfined_notrans_exec_t is
>>> the right way to go after all...
>>>
>>> Sorry, just still so much in progress with livecd and eventually mock...
>>>
>>> Dan, I think leave it as notrans for now and eventually i'm going to
>>> want a custom mock/livecd type to be determined at a later date...
>>>
>>> (at least that's my guess...)
>>>
>>> -Eric
>>
>> I changed it back in -58, but I want to generate a mock file context
>> with limited access to network for example.
> 
> Please make network access restrictions tunable by a boolean; I tend to
> leave network tests enabled in the packages I build locally in mock.
> 
> Paul.
Yes this would definitely be a tunable.   I am just trying to think of
ways we could protect the Fedora Infrastructure.