#acl PaulHowarth:read,write,admin,revert,delete All:read

=== Wednesday 19th April 2006 ===

==== Fedora Extras ====

 * Imported `perl-Crypt-RSA` and `perl-Net-SSH-Perl` into CVS and built them
 * Updated `perl-MIME-tools` to 5.420 (my first update since taking over the package from Ville Skyttä)
 * Mailed upstream `bittorrent` about ([[RedHatBugzilla:189295|Bug #189295]])

==== SELinux ====

Made a policy module for `mock` that allows builds for legacy distros like ''Red Hat Linux 7.3'' on a ''Fedora Core 5'' host. Without the module, `execmod` AVCs occur because the old DSOs that need to be loaded aren't labelled `textrel_shlib_t` in the mock root.

'''mock.if:'''
{{{
########################################
##
##      Create objects in the /var/lib/mock directory
##
##
##
##      Domain allowed access.
##
##
##
##
##      The type of the object to be created
##
##
##
##
##      The object class.
##
##
#
interface(`files_var_lib_mock_filetrans',`
        gen_require(`
                type var_t, var_lib_t, mock_var_lib_t;
        ')

        allow $1 var_t:dir search_dir_perms;
        allow $1 var_lib_t:dir search_dir_perms;
        allow $1 mock_var_lib_t:dir rw_dir_perms;
        type_transition $1 mock_var_lib_t:$3 $2;
')
}}}

'''mock.fc:'''
{{{
/var/lib/mock(/[^/]*)?          gen_context(system_u:object_r:mock_var_lib_t,s0)
/var/lib/mock/[^/]*/.*          gen_context(system_u:object_r:mock_root_t,s0)
}}}

'''mock.te:'''
{{{
policy_module(mock, 0.5)

require {
        type unconfined_t;
};

# New types for mock, used for files
type mock_root_t;
files_type(mock_root_t)
type mock_var_lib_t;
files_type(mock_var_lib_t)

# Type transition needed to ensure roots get created as mock_root_t
files_var_lib_mock_filetrans(unconfined_t,mock_root_t,{ file dir })

# Old libraries may need execmod permission
allow unconfined_t mock_root_t:file execmod;
}}}

Building and installing is easy. Copy the three files into an empty directory and do:
{{{
# make -f /usr/share/selinux/devel/Makefile
Compliling targeted mock module
/usr/bin/checkmodule: loading policy configuration from tmp/mock.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/mock.mod
Creating targeted mock.pp policy package
rm tmp/mock.mod.fc tmp/mock.mod
# semodule -i mock.pp
}}}

/!\ The `selinux-policy` and `checkpolicy` packages are required.

This all seems to work very nicely, provided the module is loaded before `mock` is installed so that `/var/lib/mock` gets created as `mock_var_lib_t`. Otherwise, a `restorecon` is needed.

----
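To see which paths a `restorecon` would have to fix when the module was loaded after `mock` was installed, the two `mock.fc` patterns can be applied to a listing of paths and their current contexts. This is an added example, not part of the original policy module; the function names `expected_type` and `mislabelled` and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report paths under /var/lib/mock
# whose SELinux type differs from what the two mock.fc patterns assign.

# Type assigned by mock.fc; file_contexts regexes are anchored at both ends.
expected_type() {
    if printf '%s\n' "$1" | grep -Eq '^/var/lib/mock/[^/]*/.*$'; then
        echo mock_root_t        # anything inside a build root
    elif printf '%s\n' "$1" | grep -Eq '^/var/lib/mock(/[^/]*)?$'; then
        echo mock_var_lib_t     # /var/lib/mock and its direct children
    else
        echo unknown            # not covered by mock.fc
    fi
}

# Reads "path context" lines on stdin (paths without whitespace) and prints
# "path actual -> wanted" for each entry whose type does not match mock.fc.
mislabelled() {
    while read -r path ctx; do
        want=$(expected_type "$path")
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type[:level]
        if [ "$want" != unknown ] && [ "$actual" != "$want" ]; then
            printf '%s %s -> %s\n' "$path" "$actual" "$want"
        fi
    done
}

# Constructed sample listing: /var/lib/mock was created before the module was
# loaded, so it and most of what was created below it carry var_lib_t.
SAMPLE='/var/lib/mock system_u:object_r:var_lib_t:s0
/var/lib/mock/redhat-7.3-i386 system_u:object_r:var_lib_t:s0
/var/lib/mock/redhat-7.3-i386/root system_u:object_r:mock_root_t:s0
/var/lib/mock/redhat-7.3-i386/root/usr/lib/libexample.so system_u:object_r:var_lib_t:s0'

printf '%s\n' "$SAMPLE" | mislabelled
```

On a real host the listing can come from GNU `find /var/lib/mock -printf '%p %Z\n'` piped into `mislabelled`; an empty result after `restorecon -R /var/lib/mock` means the labels match `mock.fc`.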