Thursday 29th April 2010
Local Packages
New package perl-Compress-Raw-Lzma (2.027); I had to patch this to get it to build against a recent xz (CPAN RT#57080)
New package perl-IO-Compress-Lzma (2.027)
I also updated curl to patch the test suite to get it to be able to start the OpenSSH server on a system with SELinux in enforcing mode (but only for an unconfined user) - Bug #521087. Now it might seem strange that this would be a problem for an unconfined user but OpenSSH is an SELinux-aware application, and takes different code paths depending on whether SELinux is enforcing or not. When starting a new session, it needs to set the correct SELinux security context for the session, and the possible options to choose from a different depending on the context OpenSSH is running in. When it's running unconfined, it doesn't get a valid context to start a session, and so it bombs out. So the trick is to get it to run in the regular sshd_t security context.
Processes can transition between SELinux domains when they exec another process but not all execs cause domain transitions. In the curl test suite running as unconfined_t, the sshd daemon (file content sshd_exec_t) is started but no domain transition is defined for that in policy so sshd continues running as unconfined_t. My patch adds an intermediate process (a perl script called initdaemon.pl, which is labelled with a file context of initrc_exec_t) that is used to start sshd. Now, when a process running in unconfined_t executes a file labelled initrc_exec_t, it transitions to the initrc_t domain, which is what system initscripts run as. And when that process subsequently runs sshd (file content sshd_exec_t), it transitions to sshd_t as desired.
That gets us part way there. The next problem is that sshd_t, being a confined domain, can no longer write its log files or PID files into the directory the curl build is running in (typically a user's home directory, or a subdirectory of it) because SELinux prevents the system process trampling over user data. So the other part of the patch is to:
Create a new subdirectory for the test suite to write PID files to, label it appropriately by using the same SELinux context type as the /var/run directory where system PID files usually reside, and persuade the test suite to put PID files in that directory
Make sure that the file that records the output of the sshd process is labelled with an SELinux context type that sshd_t can write to, for which I copied the context type of ~/.ssh (home_ssh_t on F-12)
The changes I've made don't seem to have broken anything else, so I'll look to push it upstream. First though, Kamil, the Fedora curl maintainer, will try it out on a variety of systems (both with and without SELinux) to check that it works as advertised and doesn't cause any regressions, which should happen some time next week.