#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Thursday 20th April 2006 ===
==== Fedora Extras ====
* Built `perl-Math-Pari`, `perl-Crypt-Random`, `perl-Crypt-Primes`, `perl-Crypt-RSA`, and `perl-Net-SSH-Perl` for FC4 and FC5
==== SELinux ====
Rewrote the SELinux policy module for `mock` that I did [[../2006-04-19| yesterday]].
Whilst it handled the `execmod` issue for old distro libraries fairly cleanly, it wasn't able to handle the
[[http://www.redhat.com/archives/fedora-extras-list/2006-March/msg02085.html|problem I'd been having building mono applications]].
It took me a surprisingly long amount of time to twig that this was an SELinux issue.
Mono apps normally run in their own domain, `mono_t`, and have `execmem` and `execheap` privileges.
This particular problem was caused by running `mono` in the `unconfined_t` domain and not being allowed `execheap` privilege.
Domain transitions don't happen in `mock` because it makes child processes think that SELinux is disabled,
so even getting `/usr/bin/mono` in the buildroot set to `mono_exec_t` wouldn't help.
This left me with two options as I could see:
1. Allow `unconfined_t` `execheap` privilege (equivalent to turning on the `allow_execheap` boolean)
1. Run the entire `mock` process in its own domain, and grant that domain `execheap` privilege
Clearly the second option made more sense as it only enabled `execheap` for `mock` rather than virually every process run by a user.
I also took the opportunity of removing `mock_root_t` as there didn't seem to be much point in differentiating between `mock_var_lib_t` and `mock_root_t`.
So here's the new `mock` policy module, mostly cribbed from the `mono` policy:
'''mock.if:'''
{{{
## Build packages in a chroot environment.
########################################
##
## Execute the mock program in the mock domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`mock_domtrans',`
gen_require(`
type mock_t, mock_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1, mock_exec_t, mock_t)
allow $1 mock_t:fd use;
allow mock_t $1:fd use;
allow mock_t $1:fifo_file rw_file_perms;
allow mock_t $1:process sigchld;
')
########################################
##
## Create objects in the /var/lib/mock directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
#
interface(`files_var_lib_mock_filetrans',`
gen_require(`
type var_t, var_lib_t, mock_var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir search_dir_perms;
allow $1 mock_var_lib_t:dir rw_dir_perms;
type_transition $1 mock_var_lib_t:$3 $2;
')}}}
'''mock.fc:'''
{{{
/usr/bin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
}}}
'''mock.te:'''
{{{
policy_module(mock, 0.7.1)
########################################
#
# Declarations
#
type mock_t;
domain_type(mock_t)
type mock_exec_t;
domain_entry_file(mock_t,mock_exec_t)
type mock_var_lib_t;
files_type(mock_var_lib_t)
########################################
#
# Local policy
#
ifdef(`targeted_policy',`
# execheap & execmem are needed to run mono under mock
# where no transition to mono_t will happen
allow mock_t self:process { execheap execmem };
unconfined_domain_noaudit(mock_t)
role system_r types mock_t;
# Old libraries may need execmod permission
allow mock_t mock_var_lib_t:file execmod;
# Transition to mock_t from unconfined_t
mock_domtrans(unconfined_t)
')}}}
Building and installing is easy.
Copy the three files into an empty directory and do:
{{{
# make -f /usr/share/selinux/devel/Makefile
Compliling targeted mock module
/usr/bin/checkmodule: loading policy configuration from tmp/mock.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/mock.mod
Creating targeted mock.pp policy package
rm tmp/mock.mod.fc tmp/mock.mod
# semodule -i mock.pp}}}
/!\ The `selinux-policy` and `checkpolicy` packages are required
This all seems to work very nicely, provided the module is loaded before `mock` is installed so that `/var/lib/mock` gets created as `mock_var_lib_t` and `/usr/bin/mock` gets created as `mock_exec_t`
Otherwise, a `restorecon` is needed.
{i} This policy would probably work for `mach` as well, just by adding these lines to `mock.fc`:
{{{
/usr/bin/mach -- gen_context(system_u:object_r:mock_exec_t,s0)
/var/lib/mach(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)}}}
----