livecd-creator and selinux, status at the end of week 1

Eric Paris eparis at redhat.com
Fri May 16 19:19:09 UTC 2008


I've spent pretty much all week flailing around trying to get
livecd-creator working with selinux enforcing with F10 as both the host
and the image.  Next week begins the journey of working on making old
composes work on F10.  Where do I stand?  Well, it seems to work!  I
booted an image and logged in.

Changes I've made so far (doesn't look like a whole lot for basically a
week of work....)

policycoreutils got some updates to allow users to be created in the
chroot (already built and in koji) and to make relabeling a little
better.

libselinux has no changes with my current approach.  I do not want rpm
running inside the chroot to transition to rpm_t, nor do I want
scriptlets to run as rpm_script_t as then those scriptlets can cause
transitions to things like depmod_t which isn't going to have
permissions necessary to run with the possibly screwy labels inside the
chroot.

I added one rule to policy to allow hal to respond back to the chroot:
allow hald_t unconfined_notrans_t:dbus send_msg;

Create a fake /selinux inside the chroot; it contains:
mls -> copy from host
policyvers -> copy from host
enforce -> 0
load -> /dev/null
This means that from the point of view of the inside of the chroot
selinux is "on" but not enforcing.  The not enforcing part is important
because some programs (passwd for example) try to determine if selinux
is going to permit something before it actually tries it.  If passwd
realizes that selinux is enforcing but then it doesn't have a
real /selinux to make those decisions it gets mad.  So I'm lying to the
chroot.

Changes to livecd-creator:
diff -Naupr imgcreate/creator.py imgcreate.new/creator.py
--- imgcreate/creator.py	2008-05-06 12:16:08.000000000 -0400
+++ imgcreate.new/creator.py	2008-05-16 13:01:05.000000000 -0400
@@ -22,6 +22,7 @@ import stat
 import sys
 import tempfile
 import shutil
+import selinux
 
 import yum
 import rpm
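Review bot: the new `import selinux` at the top of creator.py is unconditional, so livecd-creator now fails to import at all on a host without the libselinux python bindings, even when the kickstart has selinux disabled and the only use of the module is the `selinux.selinux_file_context_path()` call inside the `kickstart.selinux_enabled(self.ks)` branch. Either wrap the import in a try/except and check the result where it is used, or record the new hard dependency in the package's Requires.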
@@ -427,7 +428,7 @@ class ImageCreator(object):
 
         self._mount_instroot(base_on)
 
-        for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"):
+        for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc"):
             makedirs(self._instroot + d)
 
         cachesrc = cachedir or (self.__builddir + "/yum-cache")
@@ -439,10 +440,6 @@ class ImageCreator(object):
                           (cachesrc, "/var/cache/yum")]:
             self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
 
-        # /selinux should only be mounted if selinux is enabled (enforcing or permissive)
-        if kickstart.selinux_enabled(self.ks):
-            self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None))
-
         # Create minimum /dev
         origumask = os.umask(0000)
         devices = [('null',   1, 3, 0666),
@@ -460,6 +457,20 @@ class ImageCreator(object):
         os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr")
         os.umask(origumask)
 
+        # selinux whoo hooo
+        if kickstart.selinux_enabled(self.ks):
+            makedirs(self._instroot + "/selinux")
+            # this should actually create our new fake /selinux, not bind from the host, though i haven't decided how
+            self.__bindmounts.append(BindChrootMount("/selinux1", self._instroot, "/selinux"))
+
+            # label the fs like it is a root before the bind mounting
+            cmd = "/sbin/setfiles -F -r %s %s %s" % (self._instroot, selinux.selinux_file_context_path(), self._instroot)
+            os.system(cmd)
+            # these dumb things don't get magically fixed, so make the user generic
+            for f in ["/proc", "/sys", "/selinux"]:
+                cmd = "chcon -u system_u %s" % (self._instroot + f)
+                os.system(cmd)
+
         self._do_bindmounts()
 
         os.symlink("../proc/mounts", self._instroot + "/etc/mtab")
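Review bot: the relabel step at the end of this hunk builds shell command strings with `"%s" % self._instroot` and runs them through `os.system()`, so an instroot path containing spaces or shell metacharacters breaks the command, and the exit status of both `setfiles -F` and `chcon -u system_u` is thrown away, meaning a failed relabel is silent and the image gets built with wrong labels. Use a list-argument subprocess call in the style of `self.call()` on the kickstart.py side, e.g. `subprocess.call(["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot])`, and abort the build on a non-zero return. The `BindChrootMount("/selinux1", self._instroot, "/selinux")` line also hard-codes a host path that the comment above it admits is not the intended fake /selinux (mls, policyvers, enforce set to 0, load pointing at /dev/null); that should be a clearly marked TODO rather than a live bind mount from the host, and the `# selinux whoo hooo` comment should say what the block does.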
diff -Naupr imgcreate/kickstart.py imgcreate.new/kickstart.py
--- imgcreate/kickstart.py	2008-05-06 12:16:08.000000000 -0400
+++ imgcreate.new/kickstart.py	2008-05-15 10:10:40.000000000 -0400
@@ -372,11 +372,11 @@ class SelinuxConfig(KickstartConfig):
 
         if ksselinux.selinux == ksconstants.SELINUX_DISABLED:
             return
-        if not os.path.exists(self.path("/sbin/restorecon")):
+        if os.path.exists(self.path("/sbin/restorecon")):
+            self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
+        else:
             return
 
-        self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
-
     def apply(self, ksselinux):
         if os.path.exists(self.path("/usr/sbin/lokkit")):
             args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]
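Review bot: the `else: return` branch in `SelinuxConfig` is dead code, since the method ends right after the `if` block; drop the early return entirely and reduce this to `if os.path.exists(self.path("/sbin/restorecon")): self.call([...])`. The new restorecon invocation also adds `-F`, which forces a relabel even where only the user component of the context differs; that matches the `setfiles -F` run on the creator side, but deserves a one-line comment alongside the `-e /proc -e /sys -e /dev -e /selinux` exclusions explaining that those directories are set up by the creator itself and must not be relabeled from inside the chroot.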