[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux in mock

On Wed, Jan 14, 2009 at 11:04 AM, Stephen Smalley <sds tycho nsa gov> wrote:
> If the chcon fails, won't the subsequent attempt to execute the dump
> file also fail due to lack of permissions?

It doesn't fail on SELinux-enabled hosts where the GCL policy is
already in place.  On the koji builders, since selinuxenabled exits
with code 1, we don't try the chcon in the first place.  The only
place where I'm having a problem is in a mock build on an
SELinux-enabled host.  I don't know what to do there.

> Ideally you'd get your domain (or perhaps just a more generic
> unconfined_execheap_t domain) added to the base policy and included in
> the policy on the build servers so that you could use an already defined
> file type.

GCL needs more than just execheap permission, which is why I wrote an
app-specific policy.  Since it is still undergoing a certain amount of
flux, I think that adding it to the base policy might be premature at
this time.

> Alternatively, you might be able to workaround via setting the existing
> allow_execheap boolean if that exists on those machines:
>        setsebool allow_execheap = 1
>        <run your build>
>        setsebool allow_execheap = 0
> That unfortunately will affect more than just your particular process,
> but may be a temporary fix.

I'd like to avoid this solution if at all possible.

Thanks for the help.
Jerry James

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]