Dne 25. 03. 19 v 4:26 John M. Harris, Jr. napsal(a): > What is the reason for builders running permissive, rather than with a tailored targeted policy? Technical details from Mock POV: When Mock install the chroot using: dnf --installroot=/var/lib/mock/fedora-29-x86_64-bootstrap/root/ .... the files there get the same SELinux context as /var/lib/mock/fedora-29-x86_64-bootstrap/root/ - which in my case is unconfined_u:object_r:user_tmp_t because I use tmpfs plugin. If you would relabel that chroot, e.g., etc_t for /var/lib/mock/fedora-29-x86_64-bootstrap/root/etc/ you would make big hole in system allowing user to play with the system if they have access to host. The propper solution would likely means giving the files something like mock_etc_t for CHROOT/root/etc, but that would mean you cannot install selinux-policy-targeted in the chroot - so different package for runtime and different package for buildtime... Soooo many issues, and no one had time, will and power to work on this. You can be the first one :) BTW there is SELinux plugin which (with --old-chroot) pretends that SELinux is disabled. https://github.com/rpm-software-management/mock/wiki/Plugin-SELinux Miroslav _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
