load_policy in chroot question

Bob Kashani bobk at ocf.berkeley.edu
Mon Jan 10 05:01:11 UTC 2005


On Sun, 2005-01-09 at 23:20 -0500, Colin Walters wrote:
> On Sun, 2005-01-09 at 19:51 -0800, Bob Kashani wrote:
> 
> > I'm actually playing around with UML as well. :) The only issue with
> > virtualization is that you end up taking a performance hit but on the
> > other hand it does make life easier. 
> 
> Right.  By the way, I think Xen is in rawhide now, so that could be
> worth checking out.

Cool, I'll check it out. Thanks!!! :)

> > I'll try your patches. But I did figure out a simple workaround. (not
> > mounting /selinux in the chroot). It seems that if you don't
> > mount /selinux in the chroot then load_policy doesn't try to install the
> > policy in the chroot into the running kernel. I have no idea why that is
> > the case. 
> 
> Well, loading the policy will fail since load_policy just writes data
> to /selinux/load.  I'm surprised that doesn't turn into a postinst
> error.  

I just checked the selinux-policy-targeted.spec and in the %post section
at the very end there is an 'exit 0'.

> Anyways, I suspect that you don't want other tools inside the chroot to
> think SELinux is enabled, so the patches should help there.  But I
> haven't tested this, so there may be something I'm missing.
> 
> > But everything seems to work without mounting /selinux so...in
> > fact it seems that I don't even need /sys either. 
> 
> Lacking /sys will almost certainly cause problems.

Really? Nothing fails to install because of it. I tried with and without
it and there is no difference. But I'm only installing RPMs in the
chroot at the moment, so that might be the reason. I'll keep this in mind
when I get around to building my RPMs later, though...thanks. :)

> > I just tried mounting
> > only /proc (which is what I was doing in the first place) with selinux-
> > policy-targeted-1.17.30-2.68 and everything works!!! :) I did do a
> > 'touch /.autorelabel' as specified in the FAQ which seems to have helped
> > with a few other things as well.
> 
> What is it specifically that you are doing with the chroot?  Building
> RPMs?

Yup.

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
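The thread's point is that load_policy installs a policy by writing it to /selinux/load, so a selinux-policy-* package installed inside a chroot will only push the chroot's policy into the running kernel if the host's selinuxfs is visible from inside the chroot; with only /proc mounted there is nothing for it to write to. The following shell script is an added example (not code from the thread, from Fedora, or from the selinux-policy package) of the check a build-chroot script would run before invoking rpm: it scans a mount table in /proc/mounts format for any selinuxfs mounted at or below the chroot root. It assumes the 2.6-era /selinux mount point the thread talks about, the chroot paths /var/chroot/fc3 and /var/chroot/fc4 are made up for illustration, and the mount table is taken from a file argument so the check can be exercised on a constructed copy without root.

```shell
#!/bin/sh
# Added example: refuse to build in a chroot that can reach the kernel's
# /selinux/load. load_policy writes the policy to that file, so a
# selinux-policy-* %post running inside the chroot would load the chroot's
# policy into the host kernel if selinuxfs is mounted under the chroot root.
# Assumed: /proc/mounts layout (dev mountpoint fstype opts dump pass) and the
# /selinux mount point of 2.6-era kernels; chroot paths below are invented.

# selinuxfs_under_root ROOT [MOUNTS_FILE]
# Prints every selinuxfs mount point located at or below ROOT.
# Returns 0 if at least one was found, 1 if none.
selinuxfs_under_root() {
    root=${1%/}                  # "/var/chroot/" -> "/var/chroot", "/" -> ""
    mounts=${2:-/proc/mounts}    # pass a captured copy to test without root
    found=1
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = selinuxfs ] || continue
        case "$mnt" in
            # exact root, or any path strictly below it (prefix-safe:
            # /var/chroot/fc does not match /var/chroot/fc4/selinux)
            "$root"|"$root"/*) printf '%s\n' "$mnt"; found=0 ;;
        esac
    done < "$mounts"
    return "$found"
}

# chroot_policy_load_safe ROOT [MOUNTS_FILE]
# Prints a verdict. Returns 0 when no selinuxfs is visible inside the chroot
# (load_policy there has nothing to write to), 1 when the chroot can reach
# the running kernel's /selinux/load and must not be used for package installs.
chroot_policy_load_safe() {
    if hits=$(selinuxfs_under_root "$1" "$2"); then
        printf 'UNSAFE %s: selinuxfs visible inside chroot at %s\n' "$1" "$hits"
        return 1
    fi
    printf 'ok %s: no selinuxfs under chroot root\n' "$1"
    return 0
}

# write_sample_mounts FILE
# Writes a constructed mount table (not captured from a real machine): the
# host has /selinux mounted, /var/chroot/fc3 has only /proc (the setup that
# worked in the thread), and /var/chroot/fc4 has /selinux bind-mounted in.
write_sample_mounts() {
    cat > "$1" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
selinuxfs /selinux selinuxfs rw 0 0
none /var/chroot/fc3/proc proc rw 0 0
none /var/chroot/fc4/proc proc rw 0 0
none /var/chroot/fc4/selinux selinuxfs rw 0 0
EOF
}

# Stand-alone demo on the constructed table; a nonzero status from the check
# just means "do not run rpm in that chroot", so it must not abort the loop.
SAMPLE=${TMPDIR:-/tmp}/sample_mounts.$$
write_sample_mounts "$SAMPLE"
for root in /var/chroot/fc3 /var/chroot/fc4; do
    chroot_policy_load_safe "$root" "$SAMPLE" || :
done
rm -f "$SAMPLE"
```

In a real build script the second argument is omitted so the live /proc/mounts is read, and the call sits right before `chroot "$ROOT" rpm -Uvh ...`. Note that this only covers the mechanism the thread identifies (a reachable /selinux/load); it says nothing about what else the chroot should or should not be able to see.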

More information about the fedora-selinux-list mailing list