selinux breaks revisor

Daniel J Walsh dwalsh at redhat.com
Thu Jan 24 15:08:14 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valent Turkovic wrote:
> John Dennis wrote:
>> Valent Turkovic wrote:
>>> 2008/1/22 Jesse Keating <jkeating at redhat.com>:
>>>> On Tue, 22 Jan 2008 13:29:03 +0100
>>>> "Valent Turkovic" <valent.turkovic at gmail.com> wrote:
>>>>
>>>>> I tested revisor and wanted to make an up to date version of Fedora 8
>>>>> Live CD - but selinux put a stop to that.
>>>> Selinux is not going to work at all for things like revisor (and
>>>> pungi/livecd-creator).  Both make use of chroots to install packages
>>>> into, and in certain cases you can wind up causing lots of harm to your
>>>> host system (installing a new policy in the chroot will actually cause
>>>> that policy to activate on the running kernel and then you have policy
>>>> that doesn't match labels, watch the fun!).
>>>>
>>>> It is strongly recommended that you disable SELinux or at least put it
>>>> in permissive if you're going to be doing composes.
>>>
>>> Is there a was to make selinux aware of that or atleast put a
>>> notification window saying that you need to disable selinux in order
>>> to use revisor?
>>
>> Revisor could be aware of SELinux and provide a warning, SELinux
>> cannot do this.
>>
>>> One more issue for removing selinux as I said in an earlier thread :)
>>> Selinux breaks features by desing and in a bad way, and I as a user
>>> see more trouble from selinux than it is worth (just MHO).
>>
>> Your dissatisfaction with SELinux has been duly noted by the list, you
>> are free to disable it. However, we would prefer contributions to make
>> the distribution more robust and smooth out the bumps rather than
>> disabling the technology. Your choice.
>>
> 
> I started to like selinux because all of you great fedora devels said
> nothing but praises for it, but still it seams that any "feature" I test
> seams to break because of selinux.
> 
> But don't worry you all convinced me that selinux has a good reason to
> stay.
> 
> Valent.
> 
As Jesse stated earlier, using SELinux on a machine where you are going
to use a chroot and install packages without using a virtual machine
currently will not work.  You are using the same kernel for both the
chroot and the host machine, so when a package loads new policy in the
chroot (selinux-policy-*rpm) the new policy will effect the host
machine.  For example if you are building a Fedora 7 livecd on a Fedora
8 host machine, when the new selinux-policy package gets installed the
Fedora 7 policy will load and replace the Fedora 8 policy.  This will
invalidate any contexts that existed in Fedora 8 and not in Fedora 7
causing them to become unlabeled_t.  If this happens to a process, the
process usually goes wild.  We (SELinux engineering) is working on some
solutions, but don't have a good one now.

Virtual machines?  Getting the chroot to run with a different kernel.
Faking out /selinux in chroot to do nothing on policy load?
Trying to stop Transitions?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEUEARECAAYFAkeYqd4ACgkQrlYvE4MpobPyMwCYwWwFtTnOQit/ENGWGGudTvGa
mgCgkUEgkCrRDo/EVbwQq9Ax6ZCWCug=
=Ol/k
-----END PGP SIGNATURE-----

More information about the fedora-devel-list mailing list