load_policy in chroot question

Bob Kashani bobk at ocf.berkeley.edu
Mon Jan 10 03:51:14 UTC 2005


On Sun, 2005-01-09 at 12:48 -0500, Colin Walters wrote:
> On Sat, 2005-01-08 at 21:55 -0800, Bob Kashani wrote:
> > When I install the selinux-policy-targeted rpm in a chroot it seems that
> > load_policy is executed and loads the policy that's installed in the
> > chroot into the running kernel (I'm assuming via %post). Should
> > installing the selinux-policy-targeted rpm in a chroot allow this to
> > happen? What if you're installing a policy into the chroot that's
> > different than the one you have installed on your system? Is there a way
> > to not allow load_policy to execute in a chroot?
> 
> I don't think we're going to be able to support generically using
> SELinux in chroots¹.  Fundamentally chroot is a very weak virtualization
> mechanism; much of the core system leaks to the chroot (and vice versa),
> and that's the problem you're running into here.  I think moving forward
> most of what people are doing with chroots (e.g. package building and
> especially testing) should be done with "real" virtualization like UML
> or Xen.

I'm actually playing around with UML as well. :) The only issue with
virtualization is that you end up taking a performance hit but on the
other hand it does make life easier. 

> But one workaround for your problem may be to make SELinux appear to be
> disabled inside the chroot.  I've attached two (completely untested)
> patches; the first attempts to make SELinux appear to be disabled if you
> don't mount /selinux inside the chroot, and the second makes load_policy
> exit immediately with 0 status if SELinux isn't enabled.

I'll try your patches. But I did figure out a simple workaround (not
mounting /selinux in the chroot). It seems that if you don't
mount /selinux in the chroot then load_policy doesn't try to install the
policy in the chroot into the running kernel. I have no idea why that is
the case. But everything seems to work without mounting /selinux so...in
fact it seems that I don't even need /sys either. I just tried mounting
only /proc (which is what I was doing in the first place) with
selinux-policy-targeted-1.17.30-2.68 and everything works!!! :) I did do a
'touch /.autorelabel' as specified in the FAQ which seems to have helped
with a few other things as well.

I'll let you know how it goes with your patches.

Thanks,

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
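As an added example (not code from this thread or from Colin's patches), the following POSIX shell guard captures the behaviour both messages converge on: only call load_policy when selinuxfs is actually mounted at /selinux in the current root, and otherwise exit 0. The mounts table is passed in as a file so it can be exercised on a constructed sample; the load_policy path and the policy file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: skip load_policy when SELinux is not
# visible in the current root, i.e. no selinuxfs is mounted at /selinux.
# /proc/mounts field layout: device mountpoint fstype options dump pass.

# selinuxfs_mounted MOUNTS_FILE MOUNTPOINT
# Returns 0 if MOUNTS_FILE lists a selinuxfs filesystem at MOUNTPOINT.
selinuxfs_mounted() {
    mounts_file=$1
    wanted=$2
    while read -r _dev mountpoint fstype _rest; do
        if [ "$fstype" = selinuxfs ] && [ "$mountpoint" = "$wanted" ]; then
            return 0
        fi
    done < "$mounts_file"
    return 1
}

# guarded_load_policy MOUNTS_FILE POLICY_FILE
# Prints "load" and runs load_policy only when selinuxfs is mounted at
# /selinux; otherwise prints "skip" and returns 0, in the spirit of the
# second patch described above. LOAD_POLICY is an assumed binary path and
# can be overridden from the environment.
guarded_load_policy() {
    mounts_file=$1
    policy_file=$2
    if selinuxfs_mounted "$mounts_file" /selinux; then
        echo load
        "${LOAD_POLICY:-/usr/sbin/load_policy}" "$policy_file"
    else
        echo skip
    fi
    return 0
}

# Demonstration on a constructed mounts table resembling a chroot where only
# /proc was mounted (Bob's working setup): prints "skip".
demo=$(mktemp)
printf 'rootfs / rootfs rw 0 0\nproc /proc proc rw 0 0\n' > "$demo"
guarded_load_policy "$demo" /etc/selinux/targeted/policy/policy.18
rm -f "$demo"
```

Drop the function into the chroot's %post-time environment (or a wrapper earlier in PATH than load_policy) with the real /proc/mounts as the first argument.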
