selinux breaks revisor

Douglas McClendon dmc.fedora at filteredperception.org
Fri Jan 25 02:27:05 UTC 2008


Jesse Keating wrote:
> On Thu, 24 Jan 2008 19:49:42 -0600
> Douglas McClendon <dmc.fedora at filteredperception.org> wrote:
> 
>> A while back on this list, I asked what parts of fedora required root 
>> privileges to be rebuilt.  I.e. why you couldn't just rpmbuild
>> --rebuild every last thing as a build user, never subjecting the
>> build system to the impact of building as root.  The answer seemed to
>> come back that the only things that _really_ required root, were the
>> creation of small filesystem-disk images.  My tool qfakeroot provides
>> a solution for that, and given the sizes of the images involved, will
add but a few minutes to the rpmbuild --rebuild time.
> 
> 
> Maybe I missed that, but every /rpm/ is buildable by non-root.  It's
> when you start talking about /composing/ releases and Live images that
> root privs are needed (or enough privs to make loopback devices).

I did miss that (had thought that the anaconda rpm was spinning some 
disk images).  But my target was recompiling every line of fedora source 
code into a new fedora release (isos too), without requiring root privs. 
I.e. that was the itch I wanted to scratch, and so the distinction 
between rpms and compose tools doesn't change the issue for me.

> 
> Now, we could do something more sneaky and ship the livecd-creator and
> pungi python scripts setuid, but that's probably not what you're
> looking for.

Correct.  Nor a magical hal/dbus/whatever service that exposes some root 
capabilities.

But again, I'm not suggesting that there aren't a few viable theoretical 
alternatives to the method I presented.  Though I don't know of any 
that work already.  But as you said, sure, you can just go suid and do 
whatever you want.  I just am kind of proud of the fact that I can 
accomplish the task without root/suid.

Along with as described, the relative ease of doing a very small 
containered alternate-selinux policy set up.  It sort of sounded to me 
like a useful solution for the selinux-chroot issues brought up in this 
thread.

I was disappointed googling and seeing your issues with qemu-ppc not 
being great for booting up full blown fedora-ppc.  I too really hope 
that sees improvement soon.

-dmc



