livecd-creator and selinux, status at the end of week 1

Stephen Smalley sds at tycho.nsa.gov
Mon May 19 19:30:38 UTC 2008


On Mon, 2008-05-19 at 15:14 -0400, Eric Paris wrote:
> On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> > I've spent pretty much all week flailing around try to get
> > livecd-creator working with selinux enforcing with F10 as both the host
> > and the image.  Next week begins the journey of working on making old
> > composes work on F10.  Where do I stand?  Well, it seems to work!  I
> > booted an image and logged in.
> 
> Today I tried flipping my repos to point at F7 and tried to build.
> Didn't see any selinux messages but crap still hit the fan on boot
> (eventual kernel panic complaining about no root and killing init)

So the interesting question there is whether the image was missing files
or just mislabeled?

> Anyway, I also decided to see what would happen if I flipped my
> kickstart file to selinux --disabled while leaving the system enforcing.
> Sorta boom.  Installing selinux-policy-targeted got really pissed off:
> 
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.context_read_and_validate: invalid security context
> libsepol.policydb_to_image: new policy image is invalid
> libsepol.policydb_to_image: could not create policy image
> /usr/sbin/load_policy:  Can't load policy:  No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> libsemanage.semanage_install_active: Could not
> copy /etc/selinux/targeted/modules/active/policy.kern
> to /etc/selinux/targeted/policy/policy.21.

If you are going to build a selinux disabled image, then I assume you'd
want to fake the chroot into seeing SELinux as disabled too so that it
doesn't try to do things like load policy (as above).  Which would mean
bind mounting a file over /proc/filesystems in the chroot to obscure the
presence of selinuxfs.

> But something tells me it's still going to work just fine once the build
> finishes.  Anyway.

-- 
Stephen Smalley
National Security Agency
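A sketch of the bind-mount trick Stephen suggests, as an added example that is not code from the thread or from livecd-creator; the chroot path, the command run inside it, and the sample listing are assumptions:

```shell
#!/bin/sh
# Hide selinuxfs from a chroot so libselinux inside it reports SELinux as
# disabled and %post scripts do not try to load policy.  libselinux decides
# this by looking for "selinuxfs" in /proc/filesystems, so a filtered copy of
# that file is bind-mounted over $CHROOT/proc/filesystems (added example).
set -eu

# Constructed sample of /proc/filesystems as seen on an SELinux-enabled host.
write_sample_listing() {
    printf 'nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n\tiso9660\n' > "$1"
}

# True if the listing in $1 would make libselinux think SELinux is available.
selinuxfs_listed() {
    grep -q -E '(^|[[:space:]])selinuxfs$' "$1"
}

# Copy the listing in $1 to $2 with only the selinuxfs entry dropped.
filter_filesystems() {
    # Lines look like "<tab>name" or "nodev<tab>name"; keep everything else.
    grep -v -E '(^|[[:space:]])selinuxfs$' "$1" > "$2" || true
}

# Run a command in the chroot ($1) with selinuxfs hidden.  Needs root, and
# /proc must already be mounted inside the chroot (the chroot path and the
# command are assumptions; not part of the original thread).
run_in_chroot_without_selinuxfs() {
    chroot_dir="$1"; shift
    tmp=$(mktemp)
    filter_filesystems /proc/filesystems "$tmp"
    mount --bind "$tmp" "$chroot_dir/proc/filesystems"
    # Undo the bind mount even if the command inside the chroot fails.
    trap 'umount "$chroot_dir/proc/filesystems"; rm -f "$tmp"' EXIT
    chroot "$chroot_dir" "$@"
}
```

Only the listing filter is exercised without privileges; the bind mount itself has to run as root on the build host.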



