Michael Scherer misc at
Tue Sep 3 16:29:34 UTC 2013

On Tue, Sep 03, 2013 at 09:48:52AM -0600, Kevin Fenzi wrote:
> On Tue, 03 Sep 2013 10:10:32 -0400
> Jay Greguske <jgregusk at> wrote:
> > If we had SELinux policy enabled on the builders and used MLS on the
> > chroots that would mitigate chroot-to-chroot attacks. I'm not sure if
> > policy could prevent a chroot'ed process from getting access to the
> > builder's certificate. If it could, I think getting SELinux working on
> > the builders would be an easier path than re-writing koji to use VMs.
> > 
> > Maybe someone with more expertise could comment on the latter issue.
> In the past we had selinux disabled on the builders, as mock didn't
> handle selinux very well at all and there were issues. (even in
> permissive mode).
> With this switch to Fedora 19 for builders, we also enabled selinux in
> permissive mode to gather information on any outstanding issues/avcs. 
> Ideally I would like to get them all to enforcing and make sure we lock
> down the builds as much as we are able from the vm. 

The main issue is that mock should do the transition to a different domain once it
runs anything in the chroot. I do have a patch, but I was not able to make a policy for the transition
(or my patch is buggy), and I haven't looked at it in a few weeks. I can send it
if someone wants to take a look.
Michael Scherer
