Bug 923927 - Some dirs are labeled differently in /var/lib/mock directory
Summary: Some dirs are labeled differently in /var/lib/mock directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mock
Version: 19
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Clark Williams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 835934 (view as bug list)
Depends On:
Blocks: 948396
TreeView+ depends on / blocked
 
Reported: 2013-03-20 18:08 UTC by Miroslav Grepl
Modified: 2013-05-05 02:29 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 948396 (view as bug list)
Environment:
Last Closed: 2013-05-04 01:40:29 UTC


Attachments (Terms of Use)
Add default options for yum to avoid SELinux relabeling (1.50 KB, patch)
2013-03-27 17:15 UTC, Clark Williams
no flags Details | Diff
patch to selinux plugin to catch yum-builddep (561 bytes, patch)
2013-04-01 19:16 UTC, Clark Williams
no flags Details | Diff

Description Miroslav Grepl 2013-03-20 18:08:27 UTC
Description of problem:

I see some dirs are labeled differently in /var/lib/mock directory. For example


drwxr-xr-x. root root system_u:object_r:usr_t:s0 /var/lib/mock/fedora-rawhide-x86_64/root/usr/share/yum-cli
drwxr-xr-x. root root system_u:object_r:usr_t:s0 /var/lib/mock/fedora-rawhide-x86_64/root/usr/share/yum-plugins
drwxr-xr-x. root root system_u:object_r:etc_t:s0       logrotate.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0       yum

Version-Release number of selected component (if applicable):

# rpm -q mock selinux-policy
mock-1.1.29-1.fc19.noarch
selinux-policy-3.12.1-22.fc19.noarch

How reproducible:

mock -r fedora-rawhide-x86_64 -v --rebuild selinux-policy-3.12.1-22.fc19.src.rpm


Basically if you change default labeling for /usr/share/yum-cli for example, you get this labeling also in /var/lib/mock/fedora-rawhide-x86_64/root/usr/share/yum-cli.

So does mock setup it using a reference?

Comment 1 Miroslav Grepl 2013-03-20 18:31:25 UTC
Actually it looks like it is caused by yum-builddep.

Comment 2 Daniel Walsh 2013-03-20 20:59:44 UTC
If that is being launched by mock, mock was supposed to tell it to not do any labeling.

Comment 3 Miroslav Grepl 2013-03-21 08:03:27 UTC
Yes, probably there is a change.

Comment 4 Miroslav Grepl 2013-03-21 08:49:49 UTC
*** Bug 835934 has been marked as a duplicate of this bug. ***

Comment 5 Clark Williams 2013-03-26 17:47:31 UTC
(In reply to comment #2)
> If that is being launched by mock, mock was supposed to tell it to not do
> any labeling.

Couple of questions:

1) should mock explicitly relabel the contents of a chroot? if so what would be the recommendation for how best to do so when setting up a chroot?

2) if mock should just leave the labeling alone, how to tell yum* to do that?

Comment 6 Daniel Walsh 2013-03-26 19:48:09 UTC
Mock should not touch the label of the chroot.   The idea is to tell rpm/yum not to do any labeling.

Comment 7 Daniel Walsh 2013-03-26 19:52:57 UTC
Panu what is the flag to rpm to tell it not to label content?

Comment 8 Panu Matilainen 2013-03-27 03:50:00 UTC
RPMTRANS_FLAG_NOCONTEXTS, but yum has its own version, both yum and yum-builddep should accept --setopt=tsflags=nocontext on the cli.

Comment 9 Clark Williams 2013-03-27 15:13:30 UTC
I'll look at adding the --setopt=tsflags=nocontext option on all yum operations inside mock.

Comment 10 Clark Williams 2013-03-27 17:15:58 UTC
Created attachment 717173 [details]
Add default options for yum to avoid SELinux relabeling

Added the option '--setopt=tsflags=nocontext' to the yum_common_opt configuration variable, meaning this option will be passed to yum in all yum operations done by mock. 

Testing showed no ill effects so queuing this for the 1.1.30 release.

Comment 11 Clark Williams 2013-03-27 21:10:41 UTC
Well, I started seeing duplicate --setopt lines and realized that the selinux plugin alreadys appends --setopt=tsflags=nocontext to yum commands

So, if selinux is running on the host system and the selinux plugin for mock is loaded, it should be passing in the nocontext argument to yum.

Miroslav, you didn't disable the mock selinux plugin did you?

Comment 12 Miroslav Grepl 2013-03-28 06:24:20 UTC
I use the default mock setup.

Comment 13 Daniel Walsh 2013-03-28 08:50:56 UTC
Clark does this change effect yum-builddep?  Is this run as a separate process and for some reason does not get the flag?

Comment 14 Clark Williams 2013-04-01 19:11:24 UTC
(In reply to comment #13)
> Clark does this change effect yum-builddep?  Is this run as a separate
> process and for some reason does not get the flag?

I was just looking at that and yes, I believe there's a case where it can happen. Here's the callback in the selinux.py plugin that does the work:

    def _selinuxDoYum(self, command, *args, **kargs):
        option = "--setopt=tsflags=nocontexts"

        if type(command) is list:
            if command[0] == self.rootObj.yum_path:
                command.append(option)
        elif type(command) is str:
            if command.startswith(self.rootObj.yum_path):
                command += " %s" % option

        return self._originalUtilDo(command, *args, **kargs)


Note the list block that looks for equality with yum_path. That will fail for yum-builddep, while the str block will succeed because of the "startswith" comparison. I'll look into it a bit more but I may need to rework this some.

Comment 15 Clark Williams 2013-04-01 19:16:39 UTC
Created attachment 730396 [details]
patch to selinux plugin to catch yum-builddep

Trying this patch to catch invocations of yum-builddep and pass it the 
--setopt=tsflags=nocontexts flag.

Comment 16 Miroslav Grepl 2013-04-04 14:50:33 UTC
Clark,
this is much better. Now I see mock_var_lib_t labeling.

Comment 17 Miroslav Grepl 2013-04-04 17:15:41 UTC
I finally got it working in enforcing mode for staff_t. Will update rules.

Comment 18 Fedora Update System 2013-04-16 17:34:06 UTC
mock-1.1.31-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/mock-1.1.31-1.fc19

Comment 19 Fedora Update System 2013-04-16 17:35:14 UTC
mock-1.1.31-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mock-1.1.31-1.fc17

Comment 20 Fedora Update System 2013-04-16 17:36:07 UTC
mock-1.1.31-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mock-1.1.31-1.el6

Comment 21 Fedora Update System 2013-04-16 17:37:04 UTC
mock-1.1.31-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/mock-1.1.31-1.fc18

Comment 22 Fedora Update System 2013-04-17 16:21:38 UTC
Package mock-1.1.31-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mock-1.1.31-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5858/mock-1.1.31-1.fc19
then log in and leave karma (feedback).

Comment 23 Fedora Update System 2013-04-18 20:27:23 UTC
mock-1.1.32-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mock-1.1.32-1.fc17

Comment 24 Fedora Update System 2013-04-18 20:28:35 UTC
mock-1.1.32-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/mock-1.1.32-1.fc18

Comment 25 Fedora Update System 2013-04-18 20:29:53 UTC
mock-1.1.32-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mock-1.1.32-1.el6

Comment 26 Fedora Update System 2013-04-18 20:31:28 UTC
mock-1.1.32-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/mock-1.1.32-1.fc19

Comment 27 Fedora Update System 2013-05-04 01:40:31 UTC
mock-1.1.32-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2013-05-05 02:28:29 UTC
mock-1.1.32-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2013-05-05 02:29:39 UTC
mock-1.1.32-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.