Jesse Keating wrote:
> On Thu, 24 Jan 2008 19:49:42 -0600
> Douglas McClendon <dmc.fedora@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> A while back on this list, I asked what parts of fedora required root
>> privileges to be rebuilt. I.e. why you couldn't just rpmbuild
>> --rebuild every last thing as a build user, never subjecting the
>> build system to the impact of building as root. The answer seemed to
>> come back that the only things that _really_ required root, were the
>> creation of small filesystem-disk images. My tool qfakeroot provides
>> a solution for that, and given the sizes of the images involved, will
>> add but a few minutes to the rpmbuild --rebuild time.
>
> Maybe I missed that, but every /rpm/ is buildable by non-root. It's
> when you start talking about /composing/ releases and Live images that
> root privs are needed (or enough privs to make loopback devices).

I did miss that (had thought that the anaconda rpm was spinning some
disk images). But my target was recompiling every line of fedora source
code into a new fedora release (isos too), without requiring root privs.
I.e. that was the itch I wanted to scratch, and so the distinction
between rpms and compose tools doesn't change the issue for me.

> Now, we could do something more sneaky and ship the livecd-creator and
> pungi python scripts setuid, but that's probably not what you're
> looking for.

Correct. Nor a magical hal/dbus/whatever service that exposes some root
capabilities.

But again, I'm not suggesting that there aren't a few viable theoretical
alternatives to the method I presented. Though I don't know of any
that work already. But as you said, sure, you can just go suid and do
whatever you want. I just am kind of proud of the fact that I can
accomplish the task without root/suid.

Along with as described, the relative ease of doing a very small
containered alternate-selinux policy set up. It sort of sounded to me
like a useful solution for the selinux-chroot issues brought up in this
thread.

I was disappointed googling and seeing your issues with qemu-ppc not
being great for booting up full blown fedora-ppc. I too really hope
that sees improvement soon.

-dmc