SELinux for mock

Piscium groknok at gmail.com
Tue May 3 19:32:40 UTC 2011


On 2 May 2011 14:06, Kevin Fenzi <kevin at scrye.com> wrote:
> On Sun, 1 May 2011 19:29:50 +0100
> Piscium <groknok at gmail.com> wrote:
>
>> I like to rebuild a number of Fedora source packages for performance
>> and some tweaking.
>>
>> In the past I have used rpmbuild for that purpose, but this weekend I
>> started using mock.
>>
>> So far I built about a dozen source packages successfully, but then
>> got a SELinux snag when building glibc (I am using the targeted policy
>> on F14).
>>
>> The wiki has instructions on how to set SELinux for mock:
>> http://fedoraproject.org/wiki/Using_Mock_to_test_package_builds#SELinux_policy_module_for_mock
>>
>> I followed the instructions but the result of running Make was
>> different from the expected, there was an error. [1].
>>
>> My question is if the policy files of the wiki page are current? They
>> are three years old, which is a long time in dog years or Fedora
>> years!
>
> Right. Thats out of date. As far as I know you don't need to do
> anything special anymore. Mock handles it all.
>
> Just run mock out of the box? Does it fail? If so, how?

I am not sure what you mean by "just" "out of the box". I ran mock
with the "--no-clean" option to save the time to download and install
the whole chroot environment. I did "mock --update" before, and I
changed the default optflags. Other than that it was a pristine
chroot.

Yesterday I built glibc with rpmbuild (i.e. without mock) and got the
same SELinux alert as with mock. Some months ago on F13 I built glibc
with rpmbuild without an alert, so it seems that something changed
between F13 and F14, possibly in glibc.

As I said, while glibc self-tests failed, the whole build succeeded,
so yesterday I installed the glibc packages that I built and so far
everything seems fine.

I am pasting below the alert message I got from SELinux. I kept the
mock build log that shows the failed tests (some of them failed while
testing execstack). If anybody is interested I can upload it somewhere
(I am not sure if I can email to the list, can I?).

This makes me wonder if the Koji servers that do the Fedora builds
have SELinux enabled?

-----------------

SELinux is preventing
/builddir/build/BUILD/glibc-2.13/build-i686-linuxnptl/elf/ld.so from
using the execstack access on a process.

*****  Plugin allow_execstack (53.1 confidence) suggests  ********************

If you believe that
None
should not require execstack
Then you should clear the execstack flag and see if
/builddir/build/BUILD/glibc-2.13/build-i686-linuxnptl/elf/ld.so works
correctly.
Report this as a bug on None.
You can clear the execstack flag by executing:
Do
execstack -c None

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to allow unconfined executables to make their stack
executable.  This should never, ever be necessary. Probably indicates
a badly coded executable, but could indicate an attack. This
executable should be reported in bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that ld.so should be allowed execstack access on
processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ld-linux.so.2 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        ld-linux.so.2
Source Path                   /builddir/build/BUILD/glibc-2.13/build-i686-linuxnptl/elf/ld.so
Port                          <Unknown>
Host                          d3000
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     d3000
Platform                      Linux d3000 2.6.35.12-90.fc14.i686 #1 SMP Fri Apr 22 16:14:44 UTC 2011 i686 i686
Alert Count                   8
First Seen                    Sun 01 May 2011 17:38:44 IST
Last Seen                     Sun 01 May 2011 18:14:25 IST
Local ID                      df1866d2-1dcb-4bd9-bcc0-88a350597d97

Raw Audit Messages
type=AVC msg=audit(1304270065.850:25864): avc:  denied  { execstack }
for  pid=967 comm="ld-linux.so.2"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process


type=SYSCALL msg=audit(1304270065.850:25864): arch=i386
syscall=mprotect per=8 success=no exit=EACCES a0=bf924000 a1=1000
a2=1000007 a3=bf9248c8 items=0 ppid=966 pid=967 auid=1000 uid=1000
gid=490 euid=1000 suid=1000 fsuid=1000 egid=490 sgid=490 fsgid=490
tty=pts2 ses=1 comm=ld-linux.so.2
exe=/builddir/build/BUILD/glibc-2.13/build-i686-linuxnptl-nosegneg/elf/ld.so
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: ld-linux.so.2,unconfined_t,unconfined_t,process,execstack

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;
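The setroubleshoot report above reduces each denial to a "Hash" line (comm, source type, target type, class, permission) and an alert count. The following is an added example, not code from the original post or from setroubleshoot: a small POSIX sh script that derives the same hash from raw `type=AVC` records in audit.log and counts how often each distinct denial occurred, which is the first thing to do before deciding between `execstack -c`, a local policy module, or the `allow_execstack` boolean. The audit records embedded in it are constructed for illustration (the first mirrors the raw message in the post; the pids, timestamps and the `shadow_t` file denial are made up).

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials into setroubleshoot's "Hash" form
#   comm,source_type,target_type,tclass,permission
# and count occurrences per hash. Not part of the original post.

# Constructed sample audit.log records (not real logs). Record 1 is shaped like the
# raw AVC message in the post; record 2 is a duplicate of it (the poster saw the
# same denial 8 times); the SYSCALL record must be ignored; record 4 is an
# unrelated, made-up file denial.
SAMPLE_AUDIT='type=AVC msg=audit(1304270065.850:25864): avc:  denied  { execstack } for  pid=967 comm="ld-linux.so.2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1304270065.850:25864): arch=i386 syscall=mprotect per=8 success=no exit=EACCES
type=AVC msg=audit(1304270070.101:25870): avc:  denied  { execstack } for  pid=981 comm="ld-linux.so.2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1304270099.500:25901): avc:  denied  { read } for  pid=1002 comm="sample" name="secret" dev=sda1 ino=42 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# avc_hash LINE
# Prints comm,stype,ttype,tclass,perm for one denied AVC record; prints nothing
# for any other record type. The type is the third colon-separated field of the
# context (user:role:type:range). Multiple permissions ("{ read write }") are
# kept as one space-separated field.
avc_hash() {
  printf '%s\n' "$1" | sed -n \
    's/^type=AVC .*avc: *denied *{ *\([^}]*[^ }]\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2,\3,\4,\5,\1/p'
}

# avc_counts
# Reads audit lines on stdin and prints "COUNT HASH" per distinct denial, most
# frequent first, i.e. the "Alert Count" per hash.
avc_counts() {
  while IFS= read -r line; do
    avc_hash "$line"
  done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone demonstration on the constructed records. On a real host replace
# the sample with:  ausearch -m AVC -ts today | avc_counts
printf '%s\n' "$SAMPLE_AUDIT" | avc_counts
```

The hash for the first record comes out exactly as setroubleshoot printed it in the post (`ld-linux.so.2,unconfined_t,unconfined_t,process,execstack`). Whether a given hash should be fixed in the binary or in policy is a separate decision: for an `execstack` denial, check the program's `PT_GNU_STACK` flag first (`execstack -q /path/to/binary`, or `readelf -lW` and look at the `GNU_STACK` line) before reaching for `setsebool -P allow_execstack 1`, because that boolean relaxes the restriction for every unconfined process on the host, not just the one build.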

