Bug 835934 - staff_u cannot use mock
staff_u cannot use mock
Status: CLOSED DUPLICATE of bug 923927
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-27 10:57 EDT by Konstantin Ryabitsev
Modified: 2013-03-21 04:49 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-21 04:49:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVCs obtained on fedora 17 (4.73 KB, application/x-gzip)
2012-06-28 09:51 EDT, Konstantin Ryabitsev
no flags Details
AVCs obtained on RHEL6 (57.95 KB, application/x-gzip)
2012-06-28 09:52 EDT, Konstantin Ryabitsev
no flags Details
mock -r fedora-rawhide-x86_64 -v --rebuild awstats-7.1.1-1.fc20.src.rpm (96.18 KB, text/plain)
2013-03-18 10:17 EDT, Petr Lautrbach
no flags Details

  None (edit)
Description Konstantin Ryabitsev 2012-06-27 10:57:21 EDT
If a user has their role set to staff_u, the selinux policy prevents them from using mock to build packages.

mricon@nikko:[~]$ mock -r fedora-17-x86_64 rpmbuild/SRPMS/totpcgi-0.5.0-2.fc17.src.rpm 
INFO: mock.py version 1.1.22 starting...
State Changed: init plugins
INFO: selinux enabled
State Changed: start
ERROR: Cannot find/open srpm: rpmbuild/SRPMS/totpcgi-0.5.0-2.fc17.src.rpm. Error: Unable to open file

mricon@nikko:[~]$ id -Z
staff_u:staff_r:staff_t:s0

mricon@nikko:[~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      26

The AVCs are too numerous to list and are mostly for staff_consolehelper_t.
Comment 1 Miroslav Grepl 2012-06-28 07:49:15 EDT
Could you compress these AVC msgs and attach them? Thank you.
Comment 2 Konstantin Ryabitsev 2012-06-28 09:51:36 EDT
Created attachment 595024 [details]
AVCs obtained on fedora 17
Comment 3 Konstantin Ryabitsev 2012-06-28 09:52:03 EDT
Created attachment 595025 [details]
AVCs obtained on RHEL6
Comment 4 Petr Lautrbach 2013-03-18 10:17:54 EDT
Created attachment 711990 [details]
mock -r fedora-rawhide-x86_64 -v --rebuild awstats-7.1.1-1.fc20.src.rpm

staff_u can't use mock also in Rawhide 

selinux-policy-3.12.1-20.fc19.noarch
mock-1.1.29-1.fc19.noarch
Comment 5 Miroslav Grepl 2013-03-19 04:58:51 EDT
Petr,
did it work with a local policy?
Comment 6 Miroslav Grepl 2013-03-21 04:49:49 EDT

*** This bug has been marked as a duplicate of bug 923927 ***

Note You need to log in before you can comment on or make changes to this bug.