query: mock + libselinux-mock.so LD_PRELOAD... why?

Michael E Brown Michael_E_Brown at dell.com
Fri Nov 30 19:35:57 UTC 2007 

On Fri, Nov 30, 2007 at 04:17:52PM +0000, Paul Howarth wrote:
> Michael E Brown wrote:
> >    I need a little bit of help understanding what the
> >'libselinux-mock.so' LD_PRELOAD was supposed to be doing. I released and
> >pushed out mock-0.8 without this. I have rebuilt most of rawhide with
> >this new mock version and have not seen anything that I directly can say
> >was a failure due to this being missing, so I am sort of not seeing the
> >point.
> >
> >    I have searched around as much as I can to try to understand why
> >this was put into place. From what I can understand, it was only put in
> >in the FC2 timeframe to fix some problems with the selinux policy on the
> >host machine. These *appear* to have been fixed in the host selinux
> >policy, so again, i dont see a reason to keep this around.
> >
> >    Jesse mentioned on IRC, though, that this might be needed, so I pose
> >this question. I've a local branch set up with the 0.8.x code and the
> >LD_PRELOAD put back in. So, I can quickly spin a new release with this
> >back in if it is actually needed. So far, I havent convinced myself it
> >is needed, though...
> >
> >    Could somebody please enlighten me?
> 
> I suspect it was there to convince rpm that selinux was disabled and 
> hence prevent it from trying to set the contexts of installed files. If 
> rpm doesn't set the context, the files are installed as mock_var_lib_t 
> (assuming my policy module from the wiki is loaded), and this is a 
> "neutral" type that doesn't cause any problems. However, if rpm sets the 
> contexts of files it installs, it'll set things like /sbin/ldconfig to 
> ldconfig_exec_t, and there is now a transition defined in policy from 
> unconfined_t to ldconfig_exec_t. The result of this is that some 
> processes such as ldconfig get run "confined" in the chroot and fail as 
> a result because not *all* file contexts are set up as they would be on 
> the host system, which is what the policy is set up for.
> 
> I've not quite figured out all te ins and outs of it but a tell-tale 
> sign of there being a problem is to look (ls -lZ) at the root 
> directories of your chroots and see if they look like this:
> 
> /var/lib/mock/fedora-2-i386-core/root:
> drwxr-xr-x  root root system_u:object_r:bin_t:s0       bin
> drwxr-xr-x  root root system_u:object_r:boot_t:s0      boot
> drwx------  root mock system_u:object_r:mock_var_lib_t:s0 builddir
> drwxrwsr-x  root mock system_u:object_r:mock_var_lib_t:s0 dev
> drwxr-xr-x  root root system_u:object_r:etc_t:s0       etc
> drwxr-xr-x  root root system_u:object_r:home_root_t:s0 home
> drwxr-xr-x  root root system_u:object_r:root_t:s0      initrd
> drwxr-xr-x  root root system_u:object_r:lib_t:s0       lib
> drwxr-xr-x  root root system_u:object_r:mnt_t:s0       mnt
> drwxr-xr-x  root root system_u:object_r:usr_t:s0       opt
> drwxrwsr-x  root mock system_u:object_r:mock_var_lib_t:s0 proc
> drwxr-x---  root root system_u:object_r:user_home_dir_t:s0 root
> drwxr-xr-x  root root system_u:object_r:bin_t:s0       sbin
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 selinux
> drwxrwsr-x  root mock system_u:object_r:mock_var_lib_t:s0 sys
> drwxrwxrwt  root root system_u:object_r:tmp_t:s0       tmp
> drwxr-xr-x  root root system_u:object_r:usr_t:s0       usr
> drwxr-xr-x  root root system_u:object_r:var_t:s0       var
> 
> rather than this:
> /var/lib/mock/fedora-3-i386-core/root:
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 bin
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 boot
> drwx------  paul mock system_u:object_r:mock_var_lib_t:s0 builddir
> drwxrwsr-x  root mock system_u:object_r:mock_var_lib_t:s0 dev
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 etc
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 home
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 initrd
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 lib
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 media
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 mnt
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 opt
> drwxrwsr-x  root mock system_u:object_r:mock_var_lib_t:s0 proc
> drwxr-x---  root root system_u:object_r:mock_var_lib_t:s0 root
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 sbin
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 selinux
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 srv
> drwxrwsr-x  root mock system_u:object_r:mock_var_lib_t:s0 sys
> drwxrwxrwt  root root system_u:object_r:mock_var_lib_t:s0 tmp
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 usr
> drwxr-xr-x  root root system_u:object_r:mock_var_lib_t:s0 var
> 
> (it's best to remove any cache or existing root and generate a fresh one)
> 
> I'd like to try a version with the LD_PRELOAD back in if possible.

Well you can look at current fedora mock and run 
    mock -r fedora-8-x86_64 init

On my local machine (with selinux enabled), I see that everything is
labelled with "var_lib_t", like this:

$ ls -lZ
drwxr-xr-x  root            root user_u:object_r:var_lib_t        bin
drwxr-xr-x  root            root user_u:object_r:var_lib_t        boot
drwx------  michael_e_brown mock user_u:object_r:var_lib_t        builddir
drwxrwxr-x  root            root user_u:object_r:var_lib_t        dev
... cut ...

There is a current git branch with the selinux changes ported at:

    git clone http://linux.dell.com/git/mock.git
    git checkout -b selinux origin/selinux

I'm thinking about it a bit, and I think that the root cache might
affect this a little, because it tars/untars the chroot fs. I'll need to
do some experiments to see if there is any difference with/without root
cache enabled.
--
Michael

More information about the Fedora-buildsys-list mailing list