On Thu, Jan 03, 2008 at 03:41:02PM +0000, Paul Howarth wrote:
> Michael E Brown wrote:
> >This is odd. I ran a full unit test until I didn't see this message at
> >all. Might be having git sync issues with our public mirror, I'll check.
>
> I don't think this stuff is necessary any more. Since selinux-policy
> 3.0.8-67 in Fedora 8, /usr/bin/mock is labelled
> unconfined_notrans_exec_t. So mock doesn't transition into other domains
> and it doesn't matter that rpm labels files in the chroot with context
> types that would normally cause the problematic transitions (into
> useradd_t, ldconfig_t etc.). The result is nice, clean, denial-free
> builds with SELinux in enforcing mode.
>
> This fix also renders the mock policy module as described on the wiki
> (the MockTricks page) largely redundant. The only exception case I can
> see is if some task needing to run as part of a build requires execheap
> permission, which might happen for some mono/java-based packages but I
> don't know of any problem packages right now. That bridge can no doubt
> be crossed when someone comes to it.
>
> Not sure if this fix has been applied in F-7 or if it will ever make it
> into RHEL/CentOS though.

Well this is good news. Thanks.
--
Michael