load_policy in chroot question
Colin Walters
walters at redhat.com
Mon Jan 10 04:20:04 UTC 2005
On Sun, 2005-01-09 at 19:51 -0800, Bob Kashani wrote:
> I'm actually playing around with UML as well. :) The only issue with
> virtualization is that you end up taking a performance hit but on the
> other hand it does make life easier.
Right. By the way, I think Xen is in rawhide now, so that could be
worth checking out.
> I'll try your patches. But I did figure out a simple workaround. (not
> mounting /selinux in the chroot). It seems that if you don't
> mount /selinux in the chroot then load_policy doesn't try to install the
> policy in the chroot into the running kernel. I have no idea why that is
> the case.
Well, loading the policy will fail since load_policy just writes data
to /selinux/load. I'm surprised that doesn't turn into a postinst
error.
Anyways, I suspect that you don't want other tools inside the chroot to
think SELinux is enabled, so the patches should help there. But I
haven't tested this, so there may be something I'm missing.
> But everything seems to work without mounting /selinux so...in
> fact it seems that I don't even need /sys either.
Lacking /sys will almost certainly cause problems.
> I just tried mounting
> only /proc (which is what I was doing in the first place) with selinux-
> policy-targeted-1.17.30-2.68 and everything works!!! :) I did do a
> 'touch /.autorelabel' as specified in the FAQ which seems to have helped
> with a few other things as well.
What is it specifically that you are doing with the chroot? Building
RPMs?
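The mechanism Colin describes (load_policy writes the binary policy to /selinux/load, so a chroot only reaches the running kernel if selinuxfs is visible under its root) can be checked from the host before chrooting in. The script below is an added example, not code from the thread or from the policy packages; the mount-table lines, the directory names /srv/build and /srv/badbuild, and the function names are all constructed for the example, and treating "selinuxfs mounted under the root" as "SELinux looks enabled in there" is the script's own heuristic rather than a statement about any libselinux version.

```shell
#!/bin/sh
# Added example (not from the thread above). It models the point Colin makes:
# load_policy writes the binary policy to /selinux/load, so inside a chroot it
# only reaches the running kernel if selinuxfs is mounted somewhere under the
# chroot's root. The mount-table lines below are constructed for this example.
# Treating "selinuxfs visible under the root" as "SELinux looks enabled here"
# is this script's own heuristic, not a statement about a libselinux version.

# Constructed mount table in /proc/mounts format (device mountpoint fstype ...).
# /srv/build is the "safe" chroot (only /proc and /sys mounted, as Bob did);
# /srv/badbuild has /selinux mounted in, so its load_policy hits the host kernel.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
none /selinux selinuxfs rw 0 0
proc /srv/build/proc proc rw 0 0
sysfs /srv/build/sys sysfs rw 0 0
proc /srv/badbuild/proc proc rw 0 0
sysfs /srv/badbuild/sys sysfs rw 0 0
none /srv/badbuild/selinux selinuxfs rw 0 0'

# selinuxfs_mounted_under TABLE ROOT
# Exit 0 if TABLE lists a selinuxfs mount at or below ROOT, 1 otherwise.
# A trailing slash on ROOT is stripped, so "/" becomes "" and matches any
# absolute mountpoint.
selinuxfs_mounted_under() {
    printf '%s\n' "$1" | awk -v root="${2%/}" '
        $3 == "selinuxfs" && ($2 == root || index($2, root "/") == 1) { found = 1 }
        END { exit !found }'
}

# verdict_for_chroot TABLE ROOT
# Prints what a load_policy run inside ROOT would do with the chroot's policy.
verdict_for_chroot() {
    if selinuxfs_mounted_under "$1" "$2"; then
        echo reaches-kernel    # the write to /selinux/load loads it into the host kernel
    else
        echo no-selinuxfs      # the write to /selinux/load fails; host kernel untouched
    fi
}

# prepare_chroot_mounts ROOT
# The workaround from the thread: mount /proc and /sys inside the chroot and
# deliberately leave /selinux out. Needs root; not called when this file runs.
prepare_chroot_mounts() {
    root=$1
    mkdir -p "$root/proc" "$root/sys"
    mount -t proc proc "$root/proc"
    mount -t sysfs sysfs "$root/sys"
    # intentionally not done:  mount -t selinuxfs none "$root/selinux"
    # intentionally not done:  mount --bind /selinux "$root/selinux"
}

# check_before_load_policy ROOT
# Run on the host before chrooting in; refuses if selinuxfs is reachable there.
check_before_load_policy() {
    if selinuxfs_mounted_under "$(cat /proc/mounts)" "$1"; then
        echo "refusing: selinuxfs is mounted under $1; load_policy in there would load the chroot's policy into the host kernel" >&2
        return 1
    fi
}

# Demo over the constructed table.
for r in / /srv/build /srv/badbuild; do
    printf '%-14s %s\n' "$r" "$(verdict_for_chroot "$SAMPLE_MOUNTS" "$r")"
done
```

The check only looks at the mount table, which is the whole point: a chroot that cannot see selinuxfs has no path to the kernel's policy-load interface, so the package's post-install scriptlet cannot replace the host's policy even if it tries. Tools inside the chroot that decide "is SELinux enabled" by the same visibility will also answer no, which is the behaviour Colin's patches aim for.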