Definite's Extractor

My findings on Life, Linux, Open Source, and so on.

RHEL 7 mock build with staff_selinux

By default, mock won’t work in staff_selinux mode on RHEL 7. The instructions from Fedora are mostly correct, but they are not sufficient for staff_selinux, because:

  1. /usr/bin/mock is now a symlink to /usr/bin/consolehelper, so the consolehelper permissions must also be allowed.
  2. The Fedora mock policy module does not have types such as staff_consolehelper_t.

There are more reasons, but long story short: I have edited a policy file (PackageMaintainers_MockTricks_mock.te) that should cover most mock usage. My SELinux skills built up quickly while editing that file. 🙂

Time for the script that sets up mock, assuming you are running as root:

# getting dependencies
yum -y install selinux-policy-devel policycoreutils-python mock

# Download policy files
wget https://fedoraproject.org/w/uploads/2/2f/PackageMaintainers_MockTricks_mock.if
wget https://fedoraproject.org/w/uploads/7/73/PackageMaintainers_MockTricks_mock.fc
wget https://dchen.fedorapeople.org/files/PackageMaintainers_MockTricks_mock.te

# Build and install
make -f /usr/share/selinux/devel/Makefile
semodule -i PackageMaintainers_MockTricks_mock.pp

That’s it.

But just in case you are still getting SELinux AVC denials, you can work around them yourself with the following commands:

# collect the denials that mention mock or consolehelper and turn them into a local module
grep -E -e "(mock|consolehelper)" /var/log/audit/audit.log | audit2allow -M my_mock
# read the generated my_mock.te before installing it: audit2allow allows every denial it was shown
semodule -i my_mock.pp

2 responses to “RHEL 7 mock build with staff_selinux”

  1. Pingback: Links 21/4/2016: KDE Applications 16.04, New *buntu LTS Releases | Techrights

  2. dac override 2016/04/22 at 12:34 am

    I also recently encountered consolehelper (liveinst uses it as well)

    It got me confused. The policy comes with a userhelper_context file that has the context of “sysadm”, but it seems that consolehelper/userhelper never uses it. I am wondering why that is.

    Could it be that pam configuration is missing? There are pam configuration files for “liveinst” in /etc/pam.d/ but they have no calls to pam_selinux directly or indirectly.

    I do not fully understand consolehelper/userhelper or the policy configuration for it but I suspect that there is something wrong and that it is pam related.

    PS. I got liveinst to work for “staff” but it runs with the staff id and staff role and that can cause issues. Instead, I suspect, consolehelper should have associated my process with sysadm_u:sysadm_r instead.
