shadow_utils: make shadow --root work by fake permissive mode

rpm-software-management / mock

Mock is a tool for a reproducible build of RPM packages.

GNU General Public License v2.0

376 stars 220 forks source link

shadow_utils: make shadow --root work by fake permissive mode #1313

Open praiskup opened 4 months ago

praiskup commented 4 months ago

Fixes: #1285

praiskup commented 4 months ago

While the use of --root is desired and safer than --prefix, I'm not convinced we want to apply the needed SELinux workaround. I'd rather wait till shadow-utils people tell us what to do about this.

xsuchy commented 4 months ago

This does not work for me. When I change it from host, then it is remounted. And it is read only, so I cannot change it from chroot neither.

praiskup commented 4 months ago

Yes, Mock's selinux plugin has some hacks related to SELinux too, and we do recursive bind-mounts later: https://github.com/rpm-software-management/mock/blob/db64d46820234956bd41e8f350ba970b62b46093/mock/py/mockbuild/mounts.py#L228-L231

The point of this hack is to prepare the enforce file right before shadow-utils (useradd, groupadd, etc.) are executed (from /usr/sbin on host).