On Wed, Jan 14, 2009 at 11:04 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> If the chcon fails, won't the subsequent attempt to execute the dump
> file also fail due to lack of permissions?

It doesn't fail on SELinux-enabled hosts where the GCL policy is
already in place. On the koji builders, since selinuxenabled exits
with code 1, we don't try the chcon in the first place. The only
place where I'm having a problem is in a mock build on an
SELinux-enabled host. I don't know what to do there.

> Ideally you'd get your domain (or perhaps just a more generic
> unconfined_execheap_t domain) added to the base policy and included in
> the policy on the build servers so that you could use an already defined
> file type.

GCL needs more than just execheap permission, which is why I wrote an
app-specific policy. Since it is still undergoing a certain amount of
flux, I think that adding it to the base policy might be premature at
this time.

> Alternatively, you might be able to workaround via setting the existing
> allow_execheap boolean if that exists on those machines:
> setsebool allow_execheap = 1
> <run your build>
> setsebool allow_execheap = 0
>
> That unfortunately will affect more than just your particular process,
> but may be a temporary fix.

I'd like to avoid this solution if at all possible. Thanks for the help.
--
Jerry James
http://loganjerry.googlepages.com/