Michael E Brown wrote:
On Thu, Dec 13, 2007 at 12:01:47PM +0000, Paul Howarth wrote:
> Paul Howarth wrote:
>
> Just tried it, seems to have the same LIBDIR problem as last time:
>
> $ mock -r fedora-8-x86_64 rebuild mock-0.8.17-0.se.fc8.src.rpm
> INFO: mock.py version 0.8.17 starting...
> State Changed: init plugins
> State Changed: start
> ERROR: global name 'LIBDIR' is not defined
> Traceback (most recent call last):
> File "/usr/libexec/mock.py", line 529, in <module>
> main(retParams)
> File "/usr/libexec/mock.py", line 512, in main
> do_rebuild(config_opts, chroot, args)
> File "<peak.util.decorators.rewrap wrapping __main__.do_rebuild at
> 0x008BA668>", line 3, in do_rebuild
> def do_rebuild(config_opts, chroot, srpms): return
> __decorated(config_opts, chroot, srpms)
> File "/usr/lib/python2.5/site-packages/mock/trace_decorator.py", line
> 70, in trace
> result = func(*args, **kw)
> File "/usr/libexec/mock.py", line 312, in do_rebuild
> os.environ["LD_PRELOAD"] = LIBDIR+"/libselinux-mock.so"
> NameError: global name 'LIBDIR' is not defined

This is odd. I ran a full unit test until I didn't see this message at
all. Might be having git sync issues with our public mirror, I'll check.

I don't think this stuff is necessary any more. Since selinux-policy
3.0.8-67 in Fedora 8, /usr/bin/mock is labelled
unconfined_notrans_exec_t. So mock doesn't transition into other domains
and it doesn't matter that rpm labels files in the chroot with context
types that would normally cause the problematic transitions (into
useradd_t, ldconfig_t etc.). The result is nice, clean, denial-free
builds with SELinux in enforcing mode.
This fix also renders the mock policy module as described on the wiki
(the MockTricks page) largely redundant. The only exception case I can
see is if some task needing to run as part of a build requires execheap
permission, which might happen for some mono/java-based packages but I
don't know of any problem packages right now. That bridge can no doubt
be crossed when someone comes to it.
Not sure if this fix has been applied in F-7 or if it will ever make it
into RHEL/CentOS though.
Paul.