Wednesday 19th April 2006
Fedora Extras
Imported perl-Crypt-RSA and perl-Net-SSH-Perl into CVS and built them
Updated perl-MIME-tools to 5.420 (my first update since taking over the package from Ville Skyttä)
Mailed upstream bittorrent about (Bug #189295)
SELinux
Made a policy module for mock that allows builds for legacy distros like Red Hat Linux 7.3 on a Fedora Core 5 host. Without the module, execmod AVCs occur because the old DSOs that need to be loaded aren't labelled textrel_shlib_t in the mock root.
mock.if:
########################################
## <summary>
## Create objects in the /var/lib/mock directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file_type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
#
interface(`files_var_lib_mock_filetrans',`
	gen_require(`
		type var_t, var_lib_t, mock_var_lib_t;
	')
	allow $1 var_t:dir search_dir_perms;
	allow $1 var_lib_t:dir search_dir_perms;
	allow $1 mock_var_lib_t:dir rw_dir_perms;
	type_transition $1 mock_var_lib_t:$3 $2;
')
mock.fc:
/var/lib/mock(/[^/]*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
/var/lib/mock/[^/]*/.* gen_context(system_u:object_r:mock_root_t,s0)
mock.te:
policy_module(mock, 0.5)
require {
type unconfined_t;
};
# New types for mock, used for files
type mock_root_t;
files_type(mock_root_t)
type mock_var_lib_t;
files_type(mock_var_lib_t)
# Type transition needed to ensure roots get created as mock_root_t
files_var_lib_mock_filetrans(unconfined_t,mock_root_t,{ file dir })
# Old libraries may need execmod permission
allow unconfined_t mock_root_t:file execmod;
Building and installing is easy. Copy the three files into an empty directory and do:
# make -f /usr/share/selinux/devel/Makefile
Compliling targeted mock module
/usr/bin/checkmodule: loading policy configuration from tmp/mock.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/mock.mod
Creating targeted mock.pp policy package
rm tmp/mock.mod.fc tmp/mock.mod
# semodule -i mock.pp
The selinux-policy and checkpolicy packages are required.
This all seems to work very nicely, provided the module is loaded before mock is installed, so that /var/lib/mock gets created as mock_var_lib_t. Otherwise, a restorecon is needed.
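Whether that restorecon is needed can be checked first. The script below is an added example, not part of the original post: it encodes the two mock.fc patterns and compares them with the labels found on disk. The function names and the --audit switch are made up for illustration, and stat -c %C assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit labels under /var/lib/mock against the two
# mock.fc entries shown above. Function names are hypothetical.

# Type that mock.fc assigns to a path. File-context regexes are anchored
# at both ends. Prints nothing for paths that neither entry matches.
mock_expected_type() {
    if printf '%s\n' "$1" | grep -Eq '^/var/lib/mock(/[^/]*)?$'; then
        echo mock_var_lib_t
    elif printf '%s\n' "$1" | grep -Eq '^/var/lib/mock/[^/]*/.*$'; then
        echo mock_root_t
    fi
}

# Third field of a user:role:type[:level] context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the context's type is the one mock.fc expects for the path.
mock_label_ok() {
    want=$(mock_expected_type "$1")
    [ -n "$want" ] && [ "$(context_type "$2")" = "$want" ]
}

# Check /var/lib/mock, each root, and the first level inside each root.
# Returns 0 when every label matches, 1 otherwise.
mock_label_audit() {
    status=0
    for p in /var/lib/mock /var/lib/mock/* /var/lib/mock/*/*; do
        [ -e "$p" ] || continue
        ctx=$(stat -c %C "$p" 2>/dev/null) || continue
        if ! mock_label_ok "$p" "$ctx"; then
            echo "mismatch: $p is $ctx, expected type $(mock_expected_type "$p")"
            status=1
        fi
    done
    return $status
}

# Run the audit only when asked, e.g.  sh mock-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    mock_label_audit
fi
```

A root directory that mock creates at run time gets mock_root_t from the type transition, while mock.fc assigns mock_var_lib_t to /var/lib/mock/<root> itself, so the audit lists those directories as well. restorecon -n -v -R /var/lib/mock prints the relabelling it would perform without changing anything.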