On 09/04/2013 03:48 PM, Michael Scherer wrote:
> On Tuesday, 03 September 2013 at 15:37 -0400, Jay Greguske wrote:
>> On 09/03/2013 12:29 PM, Michael Scherer wrote:
>>> On Tue, Sep 03, 2013 at 09:48:52AM -0600, Kevin Fenzi wrote:
>>>> On Tue, 03 Sep 2013 10:10:32 -0400 Jay Greguske <jgregusk@xxxxxxxxxx>
>>>> wrote:
>>>>
>>>>> If we had SELinux policy enabled on the builders and used MLS on
>>>>> the chroots that would mitigate chroot-to-chroot attacks. I'm not
>>>>> sure if policy could prevent a chroot'ed process from getting
>>>>> access to the builder's certificate. If it could, I think getting
>>>>> SELinux working on the builders would be an easier path than
>>>>> re-writing koji to use VMs.
>>>>>
>>>>> Maybe someone with more expertise could comment on the latter
>>>>> issue.
>>>>
>>>> In the past we had selinux disabled on the builders, as mock didn't
>>>> handle selinux very well at all and there were issues. (even in
>>>> permissive mode).
>>>>
>>>> With this switch to Fedora 19 for builders, we also enabled selinux
>>>> in permissive mode to gather information on any outstanding
>>>> issues/avcs.
>>>>
>>>> Ideally I would like to get them all to enforcing and make sure we
>>>> lock down the builds as much as we are able from the vm.
>>>
>>> The main issue is that mock should do the transition to a different
>>> domain once it runs anything in chroot. I do have a patch but I was not
>>> able to make a policy for the transition (or my patch is buggy) and I
>>> haven't looked at it in a few weeks. I can send it if someone wants to
>>> take a look.
>>>
>>
>> Please post it. :)
>
> Sure, here it is.
>
> I just rebased on newer mock yesterday, and didn't test it at all (it
> didn't rebase well, so maybe there is something missing). I also didn't
> spend much time on the integration from a config point of view, i.e. config
> for each domain, or that's not needed, etc, etc. But that's polish I plan to
> keep once I have it working (and I do not remember the status at all, maybe
> that's completely broken and will not have time to work on it before 2
> weeks)
>

What happened when you tried to run it? Did it run in permissive mode?