Red Hat Bugzilla – Bug 1271209
add file context for /usr/libexec/mock/mock
Last modified: 2016-11-03 22:23:13 EDT
+++ This bug was initially created as a clone of Bug #1270972 +++
Description of problem:
In bug 1246810 we are thinking about moving /usr/sbin/mock to /usr/libexec/mock/mock. But before we do that, we need to have correct selinux context for /usr/libexec/mock/mock.
Can you please add new selinux file context for:
and make it the same type as file
However we will need this on all platforms where mock run: all Fedoras, EL6 and EL7.
Is this possible?
--- Additional comment from Miroslav Grepl on 2015-10-13 07:36:00 EDT ---
Thank you for this info.
Could you create clone bugs for RHELs?
--- Additional comment from Miroslav Grepl on 2015-10-13 07:39:20 EDT ---
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see email@example.com with any questions
The test is IMHO incorrect. Mock does not yet have the script in /usr/libexec/mock/mock. The script can be moved only and only after the selinux policy will change.
So you cannot test functionality of mock per se.
Test should be as simple as
ls -lZ /usr/libexec/mock/mock
ls -lZ /usr/sbin/mock
and compare that those files have identical selinux context.
Both files have the same context:
# matchpathcon /usr/libexec/mock/mock
# matchpathcon /usr/sbin/mock
There are several transitions into the mock_t domain. I chose one of them (staff_t, one of the confined users) and the AVCs were results of running the mock program in that domain:
# sesearch -t mock_exec_t -T
Found 5 semantic te rules:
type_transition staff_consolehelper_t mock_exec_t : process mock_t;
type_transition abrt_retrace_worker_t mock_exec_t : process mock_t;
type_transition rhev_agentd_consolehelper_t mock_exec_t : process mock_t;
type_transition realmd_consolehelper_t mock_exec_t : process mock_t;
type_transition staff_t mock_exec_t : process mock_t;
# rpm -qa selinux-policy\*
Could you run it in permissive mode?
I believe you will need to run it also with
to collect all needed AVCs.
This is weird, that you don't catch AVCs from comment 12.
Could you create local policy to check if it working with these rules?
Hmm what does it mean? That mock_t is trying to open /etc/pki/nssdb/key4.db? This seems to do urlgrabber, which should be ok. Does this happen when urlgrabber is trying to access https pages? Or I am reading the logs incorrectly?
The AVCs mentioned in comment#22 are generated by urlgrabber (comm=urlgrabber-ext-), but the urlgrabber process still runs under mock_t, because transition from mock_t to rpm_t (yum) is not allowed. If it was allowed then urlgrabber would run under the same context as yum and everything would be fine.
I don't see a way for this transition. There is no rpm_exec_t labeling for urlgrabber.
does it work correctly though AVC msgs.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.