selinux breaks revisor

Paul Howarth paul at city-fan.org
Tue Jan 22 15:25:33 UTC 2008


Jesse Keating wrote:
> On Tue, 22 Jan 2008 13:29:03 +0100
> "Valent Turkovic" <valent.turkovic at gmail.com> wrote:
> 
>> I tested revisor and wanted to make an up to date version of Fedora 8
>> Live CD - but selinux put a stop to that.
> 
> Selinux is not going to work at all for things like revisor (and
> pungi/livecd-creator).  Both make use of chroots to install packages
> into, and in certain cases you can wind up causing lots of harm to your
> host system (installing a new policy in the chroot will actually cause
> that policy to activate on the running kernel and then you have policy
> that doesn't match labels, watch the fun!).
> 
> It is strongly recommended that you disable SELinux or at least put it
> in permissive if you're going to be doing composes.

Would it not be possible for apps like these compose tools to use an 
LD_PRELOAD libselinux hack like mock used to do in order to avoid these 
pitfalls?

I happily use selinux in enforcing mode on my desktop and would be 
loath to disable it in order to run one of these tools if I needed to 
do so simply because of the long time it would take to relabel my system 
afterwards to get it back to the state it started in. That's not to 
mention the obvious disadvantage from a security perspective, and the 
impression it gives that two of Fedora's top features (SELinux and the 
custom respin tools) conflict with each other.

Paul.
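For readers wondering what the "LD_PRELOAD libselinux hack" Paul refers to looks like in practice, here is an added example of such a shim. It is not code from revisor, pungi, livecd-creator or mock, and the set of entry points it overrides (and the assumption that rpm and load_policy stop at is_selinux_enabled() returning 0) is my own choice, not something the thread states. The idea is that every process started under the preload, including rpm scriptlets inside the compose chroot, is told SELinux is disabled, and any attempt to load a policy into the running kernel is refused instead of silently hitting the host, which is the failure Jesse describes.

```c
/*
 * libselinux-stub.c: an LD_PRELOAD shim that makes processes believe
 * SELinux is disabled, so that rpm scriptlets run inside a compose
 * chroot do not try to load the chroot's policy into the host kernel.
 *
 * Added example, not code from revisor, pungi, livecd-creator or mock;
 * which libselinux entry points to override is an assumption.
 *
 * Build:  gcc -shared -fPIC -Wall -o libselinux-stub.so libselinux-stub.c
 * Use:    LD_PRELOAD=/usr/lib/libselinux-stub.so revisor ...
 *         (the .so must also exist at that same path inside the chroot,
 *          because chrooted processes resolve LD_PRELOAD there)
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Log each interception when SELINUX_STUB_DEBUG is set, so a compose run
 * can be audited for what the shim actually swallowed. */
static void note(const char *fn)
{
    if (getenv("SELINUX_STUB_DEBUG"))
        fprintf(stderr, "libselinux-stub: intercepted %s\n", fn);
}

/* rpm, restorecon, fixfiles and friends check this first; 0 means
 * "SELinux disabled" and makes them skip their other libselinux calls. */
int is_selinux_enabled(void)
{
    note("is_selinux_enabled");
    return 0;
}

int is_selinux_mls_enabled(void)
{
    note("is_selinux_mls_enabled");
    return 0;
}

/* The policy package's scriptlet runs load_policy, which goes through
 * selinux_init_load_policy(); refuse it rather than let it reach the host
 * kernel. EPERM is what a caller would see from a real kernel refusal. */
int selinux_init_load_policy(int *enforce)
{
    note("selinux_init_load_policy");
    if (enforce)
        *enforce = 0;
    errno = EPERM;
    return -1;
}

int security_load_policy(void *data, size_t len)
{
    (void)data; (void)len;
    note("security_load_policy");
    errno = EPERM;
    return -1;
}

int security_setenforce(int value)
{
    (void)value;
    note("security_setenforce");
    errno = EPERM;
    return -1;
}

/* Labelling calls: report success without touching any xattr, so a
 * scriptlet that calls them unconditionally does not abort the install.
 * The chroot tree therefore still needs a relabel before the image is
 * trusted; the shim only keeps the host out of harm's way. */
int setfilecon(const char *path, const char *con)
{ (void)path; (void)con; note("setfilecon"); return 0; }

int lsetfilecon(const char *path, const char *con)
{ (void)path; (void)con; note("lsetfilecon"); return 0; }

int fsetfilecon(int fd, const char *con)
{ (void)fd; (void)con; note("fsetfilecon"); return 0; }

int setfscreatecon(const char *con)
{ (void)con; note("setfscreatecon"); return 0; }

int setexeccon(const char *con)
{ (void)con; note("setexeccon"); return 0; }
```

Two caveats a practitioner should keep in mind: LD_PRELOAD is ignored for setuid binaries and has no effect on statically linked ones, and the shim has to be built for the chroot's architecture and placed at the same path inside the chroot, or the chrooted rpm will simply not find it and fall back to the real libselinux. After a compose it is worth confirming with getenforce and a look at the host's /var/log/messages or audit log that nothing inside the chroot managed to touch the running policy.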


More information about the fedora-devel-list mailing list