On Wed, 2006-08-09 at 23:05 +0100, Paul Howarth wrote:
On Wed, 2006-08-09 at 15:41 -0400, Stephen Smalley wrote:
> On Wed, 2006-08-09 at 18:28 +0100, Paul Howarth wrote:
> > Supposing I just remove the pam_selinux from /etc/pam.d/su altogether?
> > Is that likely to break anything? Any other way of persuading an FC2
> > system that SELinux is disabled?
>
> Removing it should be fine (and has already happened in FC5). I'm not
> clear on the cause though - pam_selinux returns immediately with
> PAM_SUCCESS if is_selinux_enabled() returns <= 0.
It got further with that line removed, and now hangs when trying to run
rpm as the user "mockbuild" that was added by "useradd". This appears to
be the first chroot command that's not running as root. It's not obvious
to me what it's waiting for.

It turns out it must have been waiting for a password, because after
killing the process the echo on the terminal was turned off.

I now believe I have solved this problem. Many, many thanks to Dan and
Stephen for helping.

The mock tool does include a dummy libselinux library that returns 0 for
all calls to is_selinux_enabled(). This library is LD-PRELOAD-ed for
calls to yum to install packages into the chroot. However, it is not
LD-PRELOAD-ed for any other operation, such as running "useradd" or
"rpmbuild" in the chroot. In FC2, this results in a hangup when the user
is prompted for a new context to use if the host system has SELinux
enabled.

I tried building an FC2 libselinux package with the is_selinux_enabled()
hack to install into the chroot so that this wouldn't happen, but this
appeared to have no effect. Further investigation revealed that although
I had included the hack patch in the libselinux package, and that
package was being installed into the chroot, I had actually forgotten to
*apply* the patch in the hacked libselinux package and it was therefore
identical to the original FC2 libselinux package. D'oh!

After configuring mock to install the properly-hacked libselinux package
into the chroot, it appears to be building packages successfully now.
Phew!

I'll try it on a few more packages and if all seems well, I'll update
the Legacy/Mock wiki page with the new information.

Paul.
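
Added example, not part of the original message: a small check for the failure described above, where a patch is shipped in a package's spec file but never applied in %prep, so the rebuilt package is identical to the original. The spec content, patch file names and the function name `unapplied_patches` are constructed for illustration.

```python
import re

# Constructed sample spec: Patch1 is declared but never applied in %prep.
# File names and the version are placeholders, not taken from any real package.
SAMPLE_SPEC = """\
Name: libselinux
Version: 0.0
Source0: libselinux.tar.gz
Patch0: libselinux-build.patch
Patch1: libselinux-selinux-disabled.patch

%prep
%setup -q
%patch0 -p1

%build
make
"""

DECL = re.compile(r"^Patch(\d*)\s*:\s*(\S+)", re.I | re.M)   # PatchN: file
APPLY_N = re.compile(r"^%patch(\d+)\b", re.M)                # %patchN
APPLY_P = re.compile(r"^%patch\b.*?-P\s*(\d+)", re.M)        # %patch -P N
APPLY_BARE = re.compile(r"^%patch\b(?!.*-P)", re.M)          # %patch (patch 0)
APPLY_ALL = re.compile(r"^%(autosetup|autopatch)\b", re.M)   # applies every patch


def unapplied_patches(spec_text):
    """Return {number: filename} for patches declared but never applied."""
    declared = {int(n or 0): name for n, name in DECL.findall(spec_text)}
    if APPLY_ALL.search(spec_text):
        return {}
    applied = {int(n) for n in APPLY_N.findall(spec_text)}
    applied |= {int(n) for n in APPLY_P.findall(spec_text)}
    if APPLY_BARE.search(spec_text):
        applied.add(0)
    # Commented-out lines such as "#%patch1 -p1" do not start with %patch,
    # so they are correctly treated as not applied.
    return {n: f for n, f in sorted(declared.items()) if n not in applied}


if __name__ == "__main__":
    for num, name in unapplied_patches(SAMPLE_SPEC).items():
        print(f"Patch{num} ({name}) is declared but never applied")
```

Running a check like this before the build catches the mistake earlier than comparing the behaviour of the rebuilt package inside the chroot.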