Michael E Brown wrote:
On Fri, Nov 30, 2007 at 04:17:52PM +0000, Paul Howarth wrote:
Michael E Brown wrote:
I need a little bit of help understanding what the 'libselinux-mock.so' LD_PRELOAD was supposed to be doing. I released and pushed out mock-0.8 without this. I have rebuilt most of rawhide with this new mock version and have not seen anything that I directly can say was a failure due to this being missing, so I am sort of not seeing the point.
I have searched around as much as I can to try to understand why this was put into place. From what I can understand, it was only put in in the FC2 timeframe to fix some problems with the selinux policy on the host machine. These *appear* to have been fixed in the host selinux policy, so again, i dont see a reason to keep this around.
Jesse mentioned on IRC, though, that this might be needed, so I pose this question. I've a local branch set up with the 0.8.x code and the LD_PRELOAD put back in. So, I can quickly spin a new release with this back in if it is actually needed. So far, I havent convinced myself it is needed, though...
Could somebody please enlighten me?
I suspect it was there to convince rpm that selinux was disabled and hence prevent it from trying to set the contexts of installed files. If rpm doesn't set the context, the files are installed as mock_var_lib_t (assuming my policy module from the wiki is loaded), and this is a "neutral" type that doesn't cause any problems. However, if rpm sets the contexts of files it installs, it'll set things like /sbin/ldconfig to ldconfig_exec_t, and there is now a transition defined in policy from unconfined_t to ldconfig_exec_t. The result of this is that some processes such as ldconfig get run "confined" in the chroot and fail as a result because not *all* file contexts are set up as they would be on the host system, which is what the policy is set up for.
I've not quite figured out all te ins and outs of it but a tell-tale sign of there being a problem is to look (ls -lZ) at the root directories of your chroots and see if they look like this:
/var/lib/mock/fedora-2-i386-core/root: drwxr-xr-x root root system_u:object_r:bin_t:s0 bin drwxr-xr-x root root system_u:object_r:boot_t:s0 boot drwx------ root mock system_u:object_r:mock_var_lib_t:s0 builddir drwxrwsr-x root mock system_u:object_r:mock_var_lib_t:s0 dev drwxr-xr-x root root system_u:object_r:etc_t:s0 etc drwxr-xr-x root root system_u:object_r:home_root_t:s0 home drwxr-xr-x root root system_u:object_r:root_t:s0 initrd drwxr-xr-x root root system_u:object_r:lib_t:s0 lib drwxr-xr-x root root system_u:object_r:mnt_t:s0 mnt drwxr-xr-x root root system_u:object_r:usr_t:s0 opt drwxrwsr-x root mock system_u:object_r:mock_var_lib_t:s0 proc drwxr-x--- root root system_u:object_r:user_home_dir_t:s0 root drwxr-xr-x root root system_u:object_r:bin_t:s0 sbin drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 selinux drwxrwsr-x root mock system_u:object_r:mock_var_lib_t:s0 sys drwxrwxrwt root root system_u:object_r:tmp_t:s0 tmp drwxr-xr-x root root system_u:object_r:usr_t:s0 usr drwxr-xr-x root root system_u:object_r:var_t:s0 var
rather than this: /var/lib/mock/fedora-3-i386-core/root: drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 bin drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 boot drwx------ paul mock system_u:object_r:mock_var_lib_t:s0 builddir drwxrwsr-x root mock system_u:object_r:mock_var_lib_t:s0 dev drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 etc drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 home drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 initrd drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 lib drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 media drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 mnt drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 opt drwxrwsr-x root mock system_u:object_r:mock_var_lib_t:s0 proc drwxr-x--- root root system_u:object_r:mock_var_lib_t:s0 root drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 sbin drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 selinux drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 srv drwxrwsr-x root mock system_u:object_r:mock_var_lib_t:s0 sys drwxrwxrwt root root system_u:object_r:mock_var_lib_t:s0 tmp drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 usr drwxr-xr-x root root system_u:object_r:mock_var_lib_t:s0 var
(it's best to remove any cache or existing root and generate a fresh one)
I'd like to try a version with the LD_PRELOAD back in if possible.
Well you can look at current fedora mock and run mock -r fedora-8-x86_64 init
On my local machine (with selinux enabled), I see that everything is labelled with "var_lib_t", like this:
$ ls -lZ drwxr-xr-x root root user_u:object_r:var_lib_t bin drwxr-xr-x root root user_u:object_r:var_lib_t boot drwx------ michael_e_brown mock user_u:object_r:var_lib_t builddir drwxrwxr-x root root user_u:object_r:var_lib_t dev ... cut ...
If you're not using the policy module, I'd expect you to have problems building packages that run mono and/or java code at build time as described at http://fedoraproject.org/wiki/PackageMaintainers/MockTricks
The package I came across that exhibited this problem and led me to write the policy module was "lat", a mono-based package.
There is a current git branch with the selinux changes ported at:
git clone http://linux.dell.com/git/mock.git git checkout -b selinux origin/selinux
I built an RPM from this, and my first try at running it resulted in:
Traceback (most recent call last): File "/usr/libexec/mock.py", line 430, in <module> os.environ["LD_PRELOAD"] = LIBDIR+"/libselinux-mock.so" NameError: name 'LIBDIR' is not defined
I added a manual definition of LIBDIR into /usr/libexec/mock.py and tt ran a bit further. I now get the sane file contexts that I was expecting but none of the scriptlets run in the target chroot because the object pointed to by the LD_PRELOAD isn't available in the chroot:
/bin/sh: error while loading shared libraries: /usr/lib64/libselinux-mock.so: cannot open shared object file: No such file or directory error: %post(bash-2.05b-38.i386) scriptlet failed, exit status 127 /bin/sh: error while loading shared libraries: /usr/lib64/libselinux-mock.so: cannot open shared object file: No such file or directory error: %post(libselinux-1.11.4-1.mockfix.fc2.i386) scriptlet failed, exit status 127 /bin/sh: error while loading shared libraries: /usr/lib64/libselinux-mock.so: cannot open shared object file: No such file or directory error: %post(info-4.7-4.i386) scriptlet failed, exit status 127 /bin/sh: error while loading shared libraries: /usr/lib64/libselinux-mock.so: cannot open shared object file: No such file or directory error: %post(sed-4.0.8-4.i386) scriptlet failed, exit status 127 /bin/sh: error while loading shared libraries: /usr/lib64/libselinux-mock.so: cannot open shared object file: No such file or directory
... and so on.
Don't know what to do about that.
Paul.