Wednesday 19th April 2006
Fedora Extras
Imported perl-Crypt-RSA and perl-Net-SSH-Perl into CVS and built them
Updated perl-MIME-tools to 5.420 (my first update since taking over the package from Ville Skyttä)
Mailed upstream bittorrent about (Bug #189295)
SELinux
Made a policy module for mock that allows builds for legacy distros like Red Hat Linux 7.3 on a Fedora Core 5 host. Without the module, execmod AVCs occur because the old DSOs that need to be loaded aren't labelled textrel_shlib_t in the mock root.
mock.if:
    ########################################
    ## <summary>
    ##      Create objects in the /var/lib/mock directory
    ## </summary>
    ## <param name="domain">
    ##      <summary>
    ##      Domain allowed access.
    ##      </summary>
    ## </param>
    ## <param name="file_type">
    ##      <summary>
    ##      The type of the object to be created
    ##      </summary>
    ## </param>
    ## <param name="object_class">
    ##      <summary>
    ##      The object class.
    ##      </summary>
    ## </param>
    #
    interface(`files_var_lib_mock_filetrans',`
            gen_require(`
                    type var_t, var_lib_t, mock_var_lib_t;
            ')
            allow $1 var_t:dir search_dir_perms;
            allow $1 var_lib_t:dir search_dir_perms;
            allow $1 mock_var_lib_t:dir rw_dir_perms;
            type_transition $1 mock_var_lib_t:$3 $2;
    ')
mock.fc:
    /var/lib/mock(/[^/]*)?          gen_context(system_u:object_r:mock_var_lib_t,s0)
    /var/lib/mock/[^/]*/.*          gen_context(system_u:object_r:mock_root_t,s0)
mock.te:
    policy_module(mock, 0.5)

    require {
            type unconfined_t;
    };

    # New types for mock, used for files
    type mock_root_t;
    files_type(mock_root_t)
    type mock_var_lib_t;
    files_type(mock_var_lib_t)

    # Type transition needed to ensure roots get created as mock_root_t
    files_var_lib_mock_filetrans(unconfined_t,mock_root_t,{ file dir })

    # Old libraries may need execmod permission
    allow unconfined_t mock_root_t:file execmod;
Building and installing is easy. Copy the three files into an empty directory and do:
    # make -f /usr/share/selinux/devel/Makefile
    Compliling targeted mock module
    /usr/bin/checkmodule: loading policy configuration from tmp/mock.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 5) to tmp/mock.mod
    Creating targeted mock.pp policy package
    rm tmp/mock.mod.fc tmp/mock.mod
    # semodule -i mock.pp
The selinux-policy and checkpolicy packages are required.
This all seems to work very nicely, provided the module is loaded before mock is installed so that /var/lib/mock gets created as mock_var_lib_t.
Otherwise, a restorecon is needed.
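
Added example (not part of the original post): a small Python model of the two mock.fc entries above, showing which type each path under /var/lib/mock should carry and which paths a restorecon would have to relabel when mock was installed before the module was loaded. The sample paths, the mock root name and the "currently var_lib_t" labels are constructed for illustration; only the two patterns and the type names come from the post.

```python
import re

# The two entries from mock.fc in this post: (path regex, SELinux type).
MOCK_FC = [
    (r"/var/lib/mock(/[^/]*)?", "mock_var_lib_t"),
    (r"/var/lib/mock/[^/]*/.*", "mock_root_t"),
]


def expected_type(path, fc=MOCK_FC):
    """Return the type mock.fc assigns to path, or None if no entry matches.

    File-context regexes are anchored at both ends, hence fullmatch().
    If several entries matched, the later one would be used here; the two
    mock.fc patterns never overlap, so that choice does not affect the result.
    """
    result = None
    for pattern, setype in fc:
        if re.fullmatch(pattern, path):
            result = setype
    return result


def needs_restorecon(observed, fc=MOCK_FC):
    """Given {path: current type}, list (path, current, expected) mismatches.

    Paths that mock.fc does not cover are skipped: this module has no
    opinion about their label.
    """
    plan = []
    for path, current in sorted(observed.items()):
        wanted = expected_type(path, fc)
        if wanted is not None and wanted != current:
            plan.append((path, current, wanted))
    return plan


# Constructed sample: labels as they might look when /var/lib/mock was
# created before the module was loaded (everything inherited var_lib_t).
SAMPLE = {
    "/var/lib/mock": "var_lib_t",
    "/var/lib/mock/redhat-7.3-i386-core": "var_lib_t",
    "/var/lib/mock/redhat-7.3-i386-core/root/lib/libc-2.2.5.so": "var_lib_t",
    "/var/lib/rpm": "rpm_var_lib_t",  # outside mock.fc, left alone
}

if __name__ == "__main__":
    for path, current, wanted in needs_restorecon(SAMPLE):
        print(f"{path}: {current} -> {wanted}")
```

The library inside the root is the case that matters for the execmod rule: the allow in mock.te only applies to files typed mock_root_t, so a DSO still labelled var_lib_t would keep producing the AVC until it is relabelled.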