By default, mock won't work with staff_selinux mode in RHEL 7. The instruction from Fedora is mostly correct, but insufficient for staff_selinux. This is because:
- /usr/bin/mock is now a symlink to /usr/bin/consolehelper, thus consolehelper permissions should also be allowed.
- The Fedora mock policy module does not have types like staff_consolehelper_t.
There are a lot more reasons, but long story short, I have edited a policy file (PackageMaintainers_MockTricks_mock.te) that should cover most mock usage. My SELinux skills quickly built up by editing that file. 🙂
Time for a script that sets up mock, assuming you are running as root:
# getting dependencies
yum -y install selinux-policy-devel policycoreutils-python mock
# Download policy files
wget https://fedoraproject.org/w/uploads/2/2f/PackageMaintainers_MockTricks_mock.if
wget https://fedoraproject.org/w/uploads/7/73/PackageMaintainers_MockTricks_mock.fc
wget https://dchen.fedorapeople.org/files/PackageMaintainers_MockTricks_mock.te
# Build and install
make -f /usr/share/selinux/devel/Makefile
semodule -i PackageMaintainers_MockTricks_mock.pp
That’s it.
But just in case you are still getting SELinux AVC denials, you can work around them yourself with the following commands:
grep -E -e "(mock|consolehelper)" /var/log/audit/audit.log | audit2allow -M my_mock
semodule -i my_mock.pp
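Before loading whatever audit2allow generates, it helps to see which denials you are about to turn into allow rules, since audit2allow converts every denial it is fed. As an added example (not from the original post), this script summarizes mock/consolehelper AVC records by source context, target context, class and permissions; the audit.log lines in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): review mock/consolehelper AVC
# denials before handing them to audit2allow. The audit.log records below are
# constructed samples in the standard AVC format.

# Reads audit.log records on stdin and prints one line per distinct
# (comm, scontext, tcontext, tclass, permissions) tuple, most frequent first.
summarize_avc() {
  grep -E 'avc: *denied' |
  grep -E 'comm="(mock|consolehelper)"' |
  sed -n -E 's/.*denied *\{ ([^}]*) \}.*comm="([^"]*)".*scontext=([^ ]*) .*tcontext=([^ ]*) .*tclass=([^ ]*).*/\2 \3 \4 \5 {\1}/p' |
  sort | uniq -c | sort -rn
}

# Constructed sample records; the sshd denial is unrelated and must be skipped
# so that it does not end up in the mock policy module.
sample_avc_lines() {
  cat <<'EOF'
type=AVC msg=audit(1500000000.101:201): avc:  denied  { execute } for  pid=2001 comm="mock" name="consolehelper" dev="sda1" ino=1001 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.102:202): avc:  denied  { execute } for  pid=2002 comm="mock" name="consolehelper" dev="sda1" ino=1001 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.103:203): avc:  denied  { read write } for  pid=2003 comm="consolehelper" path="/var/lib/mock" dev="sda1" ino=1002 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1500000000.104:204): avc:  denied  { name_bind } for  pid=2004 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# On a real host: summarize_avc < /var/log/audit/audit.log
sample_avc_lines | summarize_avc
```

Only once the listed contexts and permissions look like what mock legitimately needs is it worth running the grep | audit2allow pipeline above.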