Michael Scherer misc at
Wed Sep 4 19:48:40 UTC 2013

Le mardi 03 septembre 2013 à 15:37 -0400, Jay Greguske a écrit :
> On 09/03/2013 12:29 PM, Michael scherer wrote:
> > On Tue, Sep 03, 2013 at 09:48:52AM -0600, Kevin Fenzi wrote:
> >> On Tue, 03 Sep 2013 10:10:32 -0400
> >> Jay Greguske <jgregusk at> wrote:
> >>
> >>> If we had SELinux policy enabled on the builders and used MLS on the
> >>> chroots that would mitigate chroot-to-chroot attacks. I'm not sure if
> >>> policy could prevent a chroot'ed process from getting access to the
> >>> builder's certificate. If it could, I think getting SELinux working on
> >>> the builders would be an easier path than re-writing koji to use VMs.
> >>>
> >>> Maybe someone with more expertise could comment on the latter issue.
> >>
> >> In the past we had selinux disabled on the builders, as mock didn't
> >> handle selinux very well at all and there were issues. (even in
> >> permissive mode).
> >>
> >> With this switch to Fedora 19 for builders, we also enabled selinux in
> >> permissive mode to gather information on any outstanding issues/avcs. 
> >>
> >> Ideally I would like to get them all to enforcing and make sure we lock
> >> down the builds as much as we are able from the vm. 
> > 
> > the main issue is that mock should do the transition to a different domain once it
> > run anything in chroot. I do have a patch but I was not able to make a policy for the transition
> > ( or my patch is buggy ) and I didn't look at it since a few weeks. I can send it
> > if someone want to take a look.
> > 
> Please post it. :)

Sure, here it is.

I just rebased on newer mock yesterday, and didn't tested at all ( it
didn't rebase well, so maybe there is something missing ). 
I also didn't spent much time on the integration on a config point of
view, ie config for each domain, or that's not needed, etc, etc. But
that's polish I plan to keep once I had it working (and i do not
remember the status at all, maybe that's completely broken and will not
have time to work on it before 2 weeks ) 

Michael Scherer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-add-options-to-make-process-run-in-a-chroot-in-a-dif.patch
Type: text/x-patch
Size: 6561 bytes
Desc: not available
URL: <>

More information about the devel mailing list