Bug 395981

Summary: SELinux is preventing /sbin/ldconfig (ldconfig_t) "write" to /dev/null (var_lib_t). during mock build
Product: [Fedora] Fedora
Reporter: Russell Harrison <fedora>
Component: selinux-policy
Assignee: David Cantrell <dcantrell>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
CC: mebrown
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-11-26 19:48:22 UTC
Attachments:
setroubleshoot output (flags: none)

Description Russell Harrison 2007-11-22 18:01:36 UTC
setroubleshoot reports an error preventing ldconfig from writing to /dev/null
during a mock build.

Attaching the setroubleshoot output.

Comment 1 Russell Harrison 2007-11-22 18:01:36 UTC
Created attachment 267171
setroubleshoot output

Comment 2 Michael E Brown 2007-11-22 18:38:53 UTC
Doesn't prevent mock builds, simply produces annoying log messages.

Should be filed against selinux-policy.

Comment 3 Daniel Walsh 2007-11-26 15:00:16 UTC
This is caused by a mislabeling of the mock build directory. /dev/null should be
labeled null_device_t, not dev_log_t. I think the true solution is to get mock to
run in a context that does not transition to confined domains, so these AVCs don't
happen.

Comment 4 Michael E Brown 2007-11-26 19:48:22 UTC
dwalsh,

Thanks for the help. I have fixed this in mock by doing a
"chcon --reference=/dev/FILE /mock/build/root/dev/FILE".

This fixes this issue for all of the /dev/ entries in mock. There are still a
couple of other denials that don't have file details:

SELinux is preventing /sbin/depmod (depmod_t) "search" to (var_lib_t).
SELinux is preventing useradd (useradd_t) "read write" to (var_log_t).
SELinux is preventing tzdata-update (tzdata_t) "search" to (var_lib_t).

I'm not sure how to fix these because it does not list the path it is trying to
access.

Can you explain more about "get mock to run in a context that does not transition
to confined domains"? I don't follow this.

This specific bug I am going to mark as FIXED - NEXTRELEASE. I don't intend to
make another release for a few weeks, at least. If you would like to check out
the fixed version, please look in the git repository for mock.
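
The relabeling described in comment 4, written out as an added example (not code from mock or from this bug report): it applies `chcon --reference` to each entry of a chroot's /dev that has a counterpart in the host's /dev. The function name `relabel_chroot_dev` and the `DRY_RUN` variable are hypothetical, and the chroot path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example: copy SELinux contexts from the host's /dev onto the matching
# entries of a chroot's /dev, one "chcon --reference" call per entry.
# relabel_chroot_dev and DRY_RUN are hypothetical names used for illustration.

# Usage: relabel_chroot_dev CHROOT_DEV [HOST_DEV]
# Prints "relabel <path>" or "skip <path>" for every entry it looks at.
# With DRY_RUN=1 nothing is changed; only the plan is printed.
relabel_chroot_dev() {
    chroot_dev=$1
    host_dev=${2:-/dev}

    [ -d "$chroot_dev" ] || { echo "not a directory: $chroot_dev" >&2; return 2; }

    for entry in "$chroot_dev"/*; do
        # An empty directory leaves the glob pattern unexpanded.
        [ -e "$entry" ] || [ -L "$entry" ] || continue

        name=${entry##*/}
        ref=$host_dev/$name

        # Skip symlinks (chcon reads the context of the reference's target,
        # not of the link) and entries with no host counterpart to copy from.
        if [ -L "$entry" ] || [ ! -e "$ref" ]; then
            echo "skip $entry"
            continue
        fi

        echo "relabel $entry"
        if [ "${DRY_RUN:-0}" != 1 ]; then
            chcon --reference="$ref" "$entry" || return 1
        fi
    done
    return 0
}
```

Running it with `DRY_RUN=1` first shows which entries would be relabeled and which have nothing on the host to take a context from.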