selinux breaks revisor
Douglas McClendon
dmc.fedora at filteredperception.org
Fri Jan 25 02:27:05 UTC 2008
Jesse Keating wrote:
> On Thu, 24 Jan 2008 19:49:42 -0600
> Douglas McClendon <dmc.fedora at filteredperception.org> wrote:
>
>> A while back on this list, I asked what parts of fedora required root
>> privileges to be rebuilt. I.e. why you couldn't just rpmbuild
>> --rebuild every last thing as a build user, never subjecting the
>> build system to the impact of building as root. The answer seemed to
>> come back that the only things that _really_ required root, were the
>> creation of small filesystem-disk images. My tool qfakeroot provides
>> a solution for that, and given the sizes of the images involved, will
>> add but a few minutes to the rpmbuild--rebuild time.
>
>
> Maybe I missed that, but every /rpm/ is buildable by non-root. It's
> when you start talking about /composing/ releases and Live images that
> root privs are needed (or enoug privs to make loopback devices).
I did miss that (had thought that the anaconda rpm was spinning some
disk images). But my target was recompiling every line of fedora source
code into a new fedora release (isos too), without requiring root privs.
I.e. that was the itch I wanted to scratch, and so the distinction
between rpms and compose tools doesn't change the issue for me.
>
> Now, we could do something more sneaky and ship the livcd-creator and
> pungi python scripts setuid, but that's probably not what you're
> looking for.
Correct. Nor a magical hal/dbus/whatever service that exposes some root
capabilities.
But again, I'm not suggesting that there aren't a few viable theoretical
alternatives to the method I presented. Though I don't know of any
that work already. But as you said, sure, you can just go suid and do
whatever you want. I just am kind of proud of the fact that I can
accomplish the task without root/suid.
Along with as described, the relative ease of doing a very small
containered alternate-selinux policy set up. It sort of sounded to me
like a useful solution for the selinux-chroot issues brought up in this
thread.
I was disappointed googling and seeing your issues with qemu-ppc not
being great for booting up full blown fedora-ppc. I too really hope
that sees improvement soon.
-dmc
More information about the devel
mailing list