On Wed, 2006-08-09 at 23:05 +0100, Paul Howarth wrote:
> On Wed, 2006-08-09 at 15:41 -0400, Stephen Smalley wrote:
> > On Wed, 2006-08-09 at 18:28 +0100, Paul Howarth wrote:
> > > Supposing I just remove the pam_selinux from /etc/pam.d/su altogether?
> > > Is that likely to break anything? Any other way of persuading an FC2
> > > system that SELinux is disabled?
> >
> > Removing it should be fine (and has already happened in FC5). I'm not
> > clear on the cause though - pam_selinux returns immediately with
> > PAM_SUCCESS if is_selinux_enabled() returns <= 0.
>
> It got further with that line removed, and now hangs when trying to run
> rpm as the user "mockbuild" that was added by "useradd". This appears to
> be the first chroot command that's not running as root. It's not obvious
> to me what it's waiting for.

It turns out it must have been waiting for a password, because after killing the process the echo on the terminal was turned off.

I now believe I have solved this problem. Many, many thanks to Dan and Stephen for helping.

The mock tool does include a dummy libselinux library that returns 0 for all calls to is_selinux_enabled(). This library is LD-PRELOAD-ed for calls to yum to install packages into the chroot. However, it is not LD-PRELOAD-ed for any other operation, such as running "useradd" or "rpmbuild" in the chroot. In FC2, this results in a hangup when the user is prompted for a new context to use if the host system has SELinux enabled.

I tried building an FC2 libselinux package with the is_selinux_enabled() hack to install into the chroot so that this wouldn't happen, but this appeared to have no effect. Further investigation revealed that although I had included the hack patch in the libselinux package, and that package was being installed into the chroot, I had actually forgotten to *apply* the patch in the hacked libselinux package and it was therefore identical to the original FC2 libselinux package. D'oh!

After configuring mock to install the properly-hacked libselinux package into the chroot, it appears to be building packages successfully now. Phew!

I'll try it on a few more packages and if all seems well, I'll update the Legacy/Mock wiki page with the new information.

Paul.