COPR

Daniel J Walsh dwalsh at redhat.com
Wed Sep 4 20:03:21 UTC 2013



On 09/04/2013 03:48 PM, Michael Scherer wrote:
> On Tuesday 03 September 2013 at 15:37 -0400, Jay Greguske wrote:
>> On 09/03/2013 12:29 PM, Michael scherer wrote:
>>> On Tue, Sep 03, 2013 at 09:48:52AM -0600, Kevin Fenzi wrote:
>>>> On Tue, 03 Sep 2013 10:10:32 -0400 Jay Greguske <jgregusk at redhat.com>
>>>> wrote:
>>>> 
>>>>> If we had SELinux policy enabled on the builders and used MLS on
>>>>> the chroots that would mitigate chroot-to-chroot attacks. I'm not
>>>>> sure if policy could prevent a chroot'ed process from getting
>>>>> access to the builder's certificate. If it could, I think getting
>>>>> SELinux working on the builders would be an easier path than
>>>>> re-writing koji to use VMs.
>>>>> 
>>>>> Maybe someone with more expertise could comment on the latter
>>>>> issue.
>>>> 
>>>> In the past we had selinux disabled on the builders, as mock didn't 
>>>> handle selinux very well at all and there were issues. (even in 
>>>> permissive mode).
>>>> 
>>>> With this switch to Fedora 19 for builders, we also enabled selinux
>>>> in permissive mode to gather information on any outstanding
>>>> issues/avcs.
>>>> 
>>>> Ideally I would like to get them all to enforcing and make sure we
>>>> lock down the builds as much as we are able from the vm.
>>> 
>>> The main issue is that mock should do the transition to a different
>>> domain once it runs anything in the chroot. I do have a patch but I was not
>>> able to make a policy for the transition (or my patch is buggy) and I
>>> haven't looked at it in a few weeks. I can send it if someone wants to
>>> take a look.
>>> 
>> 
>> Please post it. :)
> 
> Sure, here it is.
> 
> I just rebased on newer mock yesterday, and didn't test it at all (it
> didn't rebase well, so maybe there is something missing). I also didn't
> spend much time on the integration from a config point of view, i.e. config for
> each domain, or that's not needed, etc, etc. But that's polish I plan to
> keep once I had it working (and I do not remember the status at all, maybe
> that's completely broken and I will not have time to work on it before 2
> weeks)
> 
> 
> 
> 
What happened when you tried to run it?  Did it run in permissive mode?

