What makes a spin a Spin?

Jeremy Katz katzj at redhat.com
Tue Feb 26 14:23:31 UTC 2008


On Tue, 2008-02-26 at 04:09 -0600, Mike McGrath wrote:
> On Tue, 26 Feb 2008, Jeremy Katz wrote:
> > On Mon, 2008-02-25 at 22:39 -0600, Mike McGrath wrote:
> > > On Mon, 25 Feb 2008, Josh Boyer wrote:
> > > > On Mon, 25 Feb 2008 18:19:53 -0900
> > > > We _are_ dealing with it.  Infrastructure was kind enough to provide
> > > > xen instances for spins to be created on.  I'm volunteering to do the
> > > > actual spin creation.  Rel-eng is working out a proposal (which I know
> > > > various Board members have seen drafts of) for how to handle this.
> > > >
> > > Side note about this, if anyone wants to try to get the cd creation
> > > working in a chroot or via mock it would be greatly appreciated.  As it is
> > > we've got a dedicated i386 and x86_64 machine that just sit there waiting
> > > for spins, we should be able to do it on the builders.
> >
> > If only it were as simple as "get it going in mock".  Unfortunately,
> > with how SELinux policy works in chroots (hint: it affects outside the
> > chroot), this is pretty non-trivial and is going to require getting
> > SELinux upstream on-board with allowing contexts to be set which aren't
> > known by the kernel or per-namespace policy.
> >
> That's why I'm asking someone else to do it :)  Shouldn't it just work if
> we just have all the builders in permissive mode?  

No, permissive doesn't mean "you can do whatever the hell you want with
security xattrs".  The kernel still strictly defines what happens there.
Also, transitions differ from policy to policy and control what the file
gets written as -- if there are different transitions from release to
release (... and there are), then this matters some.  Less, as we do a
full relabel at the end, but it still matters.

Jeremy



