#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Wednesday 19th April 2006 ===
==== Fedora Extras ====
* Imported `perl-Crypt-RSA` and `perl-Net-SSH-Perl` into CVS and built them
* Updated `perl-MIME-tools` to 5.420 (my first update since taking over the package from Ville Skyttä)
* Mailed upstream `bittorrent` about [[RedHatBugzilla:189295|Bug #189295]]
==== SELinux ====
Made a policy module for `mock` that allows builds for legacy distros like ''Red Hat Linux 7.3'' on a ''Fedora Core 5'' host.
Without the module, `execmod` AVCs occur because the old DSOs that need to be loaded aren't labelled `textrel_shlib_t` in the mock root.
'''mock.if:'''
{{{
########################################
## Create objects in the /var/lib/mock directory
##
## $1: Domain allowed access.
## $2: The type of the object to be created
## $3: The object class.
#
interface(`files_var_lib_mock_filetrans',`
	gen_require(`
		type var_t, var_lib_t, mock_var_lib_t;
	')

	allow $1 var_t:dir search_dir_perms;
	allow $1 var_lib_t:dir search_dir_perms;
	allow $1 mock_var_lib_t:dir rw_dir_perms;
	type_transition $1 mock_var_lib_t:$3 $2;
')}}}
'''mock.fc:'''
{{{
/var/lib/mock(/[^/]*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
/var/lib/mock/[^/]*/.* gen_context(system_u:object_r:mock_root_t,s0)}}}
'''mock.te:'''
{{{
policy_module(mock, 0.5)
require {
	type unconfined_t;
};
# New types for mock, used for files
type mock_root_t;
files_type(mock_root_t)
type mock_var_lib_t;
files_type(mock_var_lib_t)
# Type transition needed to ensure roots get created as mock_root_t
files_var_lib_mock_filetrans(unconfined_t,mock_root_t,{ file dir })
# Old libraries may need execmod permission
allow unconfined_t mock_root_t:file execmod;}}}
Building and installing is easy.
Copy the three files into an empty directory and do:
{{{
# make -f /usr/share/selinux/devel/Makefile
Compliling targeted mock module
/usr/bin/checkmodule: loading policy configuration from tmp/mock.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/mock.mod
Creating targeted mock.pp policy package
rm tmp/mock.mod.fc tmp/mock.mod
# semodule -i mock.pp}}}
/!\ The `selinux-policy` and `checkpolicy` packages are required
This all seems to work very nicely, provided the module is loaded before `mock` is installed, so that `/var/lib/mock` gets created as `mock_var_lib_t`.
Otherwise, a `restorecon` is needed.
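The following is an added example, not part of the original page: a small shell check that applies the two `mock.fc` patterns to a listing of contexts and paths and reports which entries would need a `restorecon`. The function names and the sample listing (including the root names) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Mirrors the two regexes in mock.fc; file-context regexes
# are implicitly anchored at both ends, hence the explicit ^...$ here.

# expected_type PATH: print the type mock.fc assigns, or nothing if no entry matches.
expected_type() {
    if printf '%s\n' "$1" | grep -Eq '^/var/lib/mock/[^/]*/.*$'; then
        echo mock_root_t
    elif printf '%s\n' "$1" | grep -Eq '^/var/lib/mock(/[^/]*)?$'; then
        echo mock_var_lib_t
    fi
}

# needs_relabel: read "CONTEXT PATH" lines on stdin (e.g. the context and
# path columns taken from `ls -dZ`) and print every path whose current
# type differs from the one mock.fc specifies.
needs_relabel() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue                   # not covered by mock.fc
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type[:level]
        [ "$have" = "$want" ] || echo "$path: $have -> $want"
    done
}

# Constructed listing: mock was installed before the module was loaded,
# so /var/lib/mock and an old root under it still carry var_lib_t.
sample_listing() {
    cat <<'EOF'
system_u:object_r:var_lib_t /var/lib/mock
system_u:object_r:var_lib_t /var/lib/mock/redhat-7.3-i386
system_u:object_r:var_lib_t /var/lib/mock/redhat-7.3-i386/root/lib/libexample.so
system_u:object_r:mock_root_t /var/lib/mock/fedora-5-i386/root/etc/passwd
system_u:object_r:var_lib_t /var/lib/rpm
EOF
}

sample_listing | needs_relabel
```

Any path it reports is one that `restorecon -R -v /var/lib/mock` would relabel once the module is loaded.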
----