Michael E Brown wrote:
On Thu, Dec 13, 2007 at 12:01:47PM +0000, Paul Howarth wrote:
Paul Howarth wrote:
Just tried it, seems to have the same LIBDIR problem as last time:
$ mock -r fedora-8-x86_64 rebuild mock-0.8.17-0.se.fc8.src.rpm
INFO: mock.py version 0.8.17 starting...
State Changed: init plugins
State Changed: start
ERROR: global name 'LIBDIR' is not defined
Traceback (most recent call last):
  File "/usr/libexec/mock.py", line 529, in <module>
    main(retParams)
  File "/usr/libexec/mock.py", line 512, in main
    do_rebuild(config_opts, chroot, args)
  File "<peak.util.decorators.rewrap wrapping __main__.do_rebuild at 0x008BA668>", line 3, in do_rebuild
    def do_rebuild(config_opts, chroot, srpms): return __decorated(config_opts, chroot, srpms)
  File "/usr/lib/python2.5/site-packages/mock/trace_decorator.py", line 70, in trace
    result = func(*args, **kw)
  File "/usr/libexec/mock.py", line 312, in do_rebuild
    os.environ["LD_PRELOAD"] = LIBDIR+"/libselinux-mock.so"
NameError: global name 'LIBDIR' is not defined
This is odd. I ran a full unit test until I didn't see this message at all. Might be having git sync issues with our public mirror, I'll check.
I don't think this stuff is necessary any more. Since selinux-policy 3.0.8-67 in Fedora 8, /usr/bin/mock is labelled unconfined_notrans_exec_t. So mock doesn't transition into other domains and it doesn't matter that rpm labels files in the chroot with context types that would normally cause the problematic transitions (into useradd_t, ldconfig_t etc.). The result is nice, clean, denial-free builds with SELinux in enforcing mode.
This fix also renders the mock policy module as described on the wiki (the MockTricks page) largely redundant. The only exception case I can see is if some task needing to run as part of a build requires execheap permission, which might happen for some mono/java-based packages but I don't know of any problem packages right now. That bridge can no doubt be crossed when someone comes to it.
Not sure if this fix has been applied in F-7 or if it will ever make it into RHEL/CentOS though.
Paul.
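A host check for the two conditions Paul describes (added example, not code from the thread or the mock project): it verifies that /usr/bin/mock carries the unconfined_notrans_exec_t type and that selinux-policy is at least 3.0.8-67, assuming GNU stat's %C context output and rpm's --qf query format; the context strings used to exercise the functions are constructed.

```shell
#!/bin/sh
# Added example, not from this thread: check whether a host satisfies the two
# conditions above, i.e. /usr/bin/mock is labelled unconfined_notrans_exec_t
# and selinux-policy is at least 3.0.8-67. Assumes GNU stat (%C prints the
# SELinux context) and rpm's --qf query format.

# The third colon-separated field of a context such as
# "system_u:object_r:unconfined_notrans_exec_t:s0" is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Returns 0 when RPM-style version $1 is >= $2, comparing numeric components
# split on '.' and '-'. Non-numeric tails such as ".fc8" compare as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Returns 0 only when both conditions hold for the given context and version.
mock_runs_unconfined() {
    [ "$(context_type "$1")" = "unconfined_notrans_exec_t" ] \
        && version_ge "$2" "3.0.8-67"
}

# Live check on the current host; skipped where rpm is absent.
if command -v rpm >/dev/null 2>&1; then
    ctx=$(stat -c %C /usr/bin/mock 2>/dev/null) || ctx=""
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy 2>/dev/null) || ver=""
    if mock_runs_unconfined "$ctx" "$ver"; then
        echo "mock will run unconfined: $ctx, selinux-policy $ver"
    else
        echo "conditions not met: context '$ctx', selinux-policy '$ver'"
    fi
fi
```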