load_policy in chroot question

Colin Walters walters at redhat.com
Sun Jan 9 17:48:05 UTC 2005


On Sat, 2005-01-08 at 21:55 -0800, Bob Kashani wrote:
> When I install the selinux-policy-targeted rpm in a chroot it seems that
> load_policy is executed and loads the policy that's installed in the
> chroot into the running kernel (I'm assuming via %post). Should
> installing the selinux-policy-targeted rpm in a chroot allow this to
> happen? What if you're installing a policy into the chroot that's
> different than the one you have installed on your system? Is there a way
> to not allow load_policy to execute in a chroot?

I don't think we're going to be able to support generically using
SELinux in chroots¹.  Fundamentally chroot is a very weak virtualization
mechanism; much of the core system leaks to the chroot (and vice versa),
and that's the problem you're running into here.  I think moving forward
most of what people are doing with chroots (e.g. package building and
especially testing) should be done with "real" virtualization like UML
or Xen.

But one workaround for your problem may be to make SELinux appear to be
disabled inside the chroot.  I've attached two (completely untested)
patches; the first attempts to make SELinux appear to be disabled if you
don't mount /selinux inside the chroot, and the second makes load_policy
exit immediately with 0 status if SELinux isn't enabled.

¹ By "generically" I mean e.g. a stock FC3 installation.  Certainly it's
possible to add policy for a specific chrooted application.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libselinux-enabled-checking.patch
Type: text/x-patch
Size: 360 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050109/39da70ce/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: policycoreutils-load-policy-chroot.patch
Type: text/x-patch
Size: 532 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050109/39da70ce/attachment-0001.bin>
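The two attached patches are scrubbed from the archive, so the code below is an added illustration of the workaround Colin describes, not his patches and not libselinux or policycoreutils code. It assumes the FC3-era selinuxfs mount point /selinux (modern systems use /sys/fs/selinux, overridable here via SELINUXFS_MNT) and defines "SELinux enabled" as "a selinuxfs is mounted at that path as seen from this process's root", checked with statfs() against the selinuxfs magic number; how the real libselinux of that era detected the mount is not shown on the page. The load step writes the policy file to <mnt>/load, which is the selinuxfs interface load_policy drives, but skips libsepol's version handling that the real tool performs. Inside a chroot with no /selinux mount, load_policy_if_enabled() returns 0 without touching the host kernel, which is exactly the failure mode the question raised (a chroot's %post replacing the running policy).

```c
/* chroot_load_policy.c -- illustrative, not the patches from the post.
 * "SELinux enabled" here means: a selinuxfs is mounted at mnt as seen from
 * this process's root, so an unmounted /selinux inside a chroot reads as
 * disabled and nothing is handed to the kernel. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <unistd.h>

#ifndef SELINUX_MAGIC
#define SELINUX_MAGIC 0xf97cff8cU   /* f_type reported by selinuxfs (linux/magic.h) */
#endif

/* FC3-era mount point used in the post (assumption); newer kernels use /sys/fs/selinux. */
#define DEFAULT_SELINUXFS_MNT "/selinux"

/* 1 if a selinuxfs is mounted at mnt, 0 otherwise. A missing directory and a
 * plain, unmounted directory both count as "disabled". */
int selinuxfs_mounted_at(const char *mnt)
{
    struct statfs sfs;
    if (statfs(mnt, &sfs) != 0)
        return 0;
    return (unsigned int)sfs.f_type == SELINUX_MAGIC;
}

/* Intent of the second patch: exit 0 immediately when SELinux is not enabled.
 * Otherwise write the binary policy to <mnt>/load. Returns 0 on success or
 * skip, -1 on failure; *loaded (may be NULL) is set to 1 only when a policy
 * was actually written to the kernel. */
int load_policy_if_enabled(const char *mnt, const char *policy_path, int *loaded)
{
    if (loaded)
        *loaded = 0;
    if (!selinuxfs_mounted_at(mnt))
        return 0;                          /* disabled, e.g. unmounted in a chroot */

    int pfd = open(policy_path, O_RDONLY);
    if (pfd < 0) { perror(policy_path); return -1; }

    struct stat st;
    if (fstat(pfd, &st) != 0 || st.st_size <= 0) { close(pfd); return -1; }

    char *buf = malloc((size_t)st.st_size);
    if (!buf) { close(pfd); return -1; }
    ssize_t n = read(pfd, buf, (size_t)st.st_size);
    close(pfd);
    if (n != st.st_size) { free(buf); return -1; }

    char loadpath[4096];
    snprintf(loadpath, sizeof loadpath, "%s/load", mnt);
    int lfd = open(loadpath, O_RDWR);
    if (lfd < 0) { perror(loadpath); free(buf); return -1; }
    /* selinuxfs expects the whole policy image in a single write(). */
    ssize_t w = write(lfd, buf, (size_t)n);
    close(lfd);
    free(buf);
    if (w != n)
        return -1;
    if (loaded)
        *loaded = 1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <binary-policy-file>\n", argv[0]);
        return 2;
    }
    const char *mnt = getenv("SELINUXFS_MNT");
    if (!mnt)
        mnt = DEFAULT_SELINUXFS_MNT;
    int loaded = 0;
    if (load_policy_if_enabled(mnt, argv[1], &loaded) != 0)
        return 1;
    printf("%s\n", loaded ? "policy loaded" : "SELinux not enabled here; nothing loaded");
    return 0;
}
```

Note the check is made against the path as the chrooted process sees it, not against /proc/mounts: the host's selinuxfs mount is invisible to the chroot unless someone bind-mounts it in, so a statfs() on /selinux from inside the chroot answers "is SELinux enabled for me" rather than "is SELinux enabled on the box". This is also why the first patch's approach (leave /selinux unmounted in the chroot) is what makes the second patch (load_policy exits 0) safe.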