Saturday 14th January 2012

Local Packages

Buildsystem SELinux Fix

The mock tool for building packages in a chroot includes an SELinux plug-in that tries to convince processes running in the chroot that SELinux is disabled (even on hosts where SELinux is enforcing, which is the case on all of my systems) by creating a fake /proc/filesystems that doesn't include selinuxfs. This is necessary because files unpacked into the chroot don't get labelled as they would if they were installed normally, and in any case they might be targeting a distribution with a very different policy than the host. This works fine in most cases, but for the now-EOL Fedora releases 7 through to 11 it doesn't work, because the libselinux versions there don't check for SELinux in the same way.

I had a hack in my buildsystem to cater for this, namely to create a fake /selinux/enforce file containing just "0" to trick those versions of libselinux into thinking that SELinux is in permissive mode. This is sufficient to get SELinux-aware applications such as sshd working properly, which is necessary for the libssh2 test suite. However, in Fedora 16 the selinuxfs mount point moved from /selinux to /sys/fs/selinux, and, since /sys is bind-mounted into the chroot by mock and it's not possible to create/write to arbitrary files in that hierarchy, a different approach was needed. What I did was to create a directory "/srv/buildsys/mock-selinux" on my buildsystem, containing one file "enforce", containing just "0", and then bind-mounting that on top of /sys/fs/selinux in the chroot, using this addition to my mock configuration for those releases:

config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/srv/buildsys/mock-selinux', '/sys/fs/selinux'))

Worked a treat :-)
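As an added example (not code from the original post or from mock itself), the following Python script automates the two manual steps described above: preparing the host-side directory containing a single "enforce" file holding "0", and appending the bind mount to a mock config_opts structure without duplicating it. It assumes the config layout shown in the post (config_opts['plugin_conf']['bind_mount_opts']['dirs'] being a list of (host_path, chroot_path) tuples); the function names prepare_fake_selinuxfs(), add_fake_selinuxfs_mount() and fake_selinuxfs_entries() are hypothetical helpers, and the demo at the bottom uses a temporary directory rather than /srv/buildsys/mock-selinux.

```python
"""Prepare a fake selinuxfs directory and register it as a mock bind mount.

Added example, not part of the original post or of mock. Assumes the
config_opts['plugin_conf']['bind_mount_opts']['dirs'] layout from the post;
all function names here are hypothetical.
"""
import os

# Old libselinux reads this file and treats "0" as permissive mode.
ENFORCE_CONTENT = "0"


def prepare_fake_selinuxfs(src_dir):
    """Create src_dir with one file 'enforce' containing just "0".

    Returns the path of the enforce file. An existing file is verified
    rather than overwritten, so a stray "1" (enforcing) is reported
    instead of silently accepted.
    """
    os.makedirs(src_dir, mode=0o755, exist_ok=True)
    enforce = os.path.join(src_dir, "enforce")
    if os.path.exists(enforce):
        with open(enforce) as f:
            if f.read().strip() != ENFORCE_CONTENT:
                raise ValueError("%s exists with unexpected contents" % enforce)
    else:
        with open(enforce, "w") as f:
            f.write(ENFORCE_CONTENT)
        os.chmod(enforce, 0o644)  # readable by build processes, not writable
    return enforce


def add_fake_selinuxfs_mount(config_opts, src_dir, chroot_path="/sys/fs/selinux"):
    """Append (src_dir, chroot_path) to the bind_mount_opts dirs list.

    Creates the nested keys if they are missing and skips the append if
    the same entry is already present, so the helper can be called from
    several per-release config fragments safely. Returns the dirs list.
    """
    dirs = (config_opts.setdefault('plugin_conf', {})
                       .setdefault('bind_mount_opts', {})
                       .setdefault('dirs', []))
    entry = (src_dir, chroot_path)
    if entry not in dirs:
        dirs.append(entry)
    return dirs


def fake_selinuxfs_entries(config_opts, chroot_path="/sys/fs/selinux"):
    """Return the host directories currently bound onto chroot_path."""
    dirs = (config_opts.get('plugin_conf', {})
                       .get('bind_mount_opts', {})
                       .get('dirs', []))
    return [src for src, dst in dirs if dst == chroot_path]


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a temp dir stands in for /srv/buildsys/mock-selinux.
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "mock-selinux")
        print("enforce file:", prepare_fake_selinuxfs(src))
        cfg = {'plugin_conf': {'bind_mount_opts': {'enable': True, 'dirs': []}}}
        add_fake_selinuxfs_mount(cfg, src)
        add_fake_selinuxfs_mount(cfg, src)  # second call is a no-op
        print("bind mounts:", cfg['plugin_conf']['bind_mount_opts']['dirs'])
        print("fake selinuxfs sources:", fake_selinuxfs_entries(cfg))
```

Because the source directory is bind-mounted into the chroot, anything that can write to it on the host can change what the chroot sees in "enforce"; keeping the directory owned by root and not writable by the user mock runs as is a sensible precaution on a shared buildsystem.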

last edited 2012-01-23 11:22:26 by PaulHowarth