Fedora buildsys and SELinux

John Reiser jreiser at BitWagon.com
Thu Apr 17 00:14:00 UTC 2008


>> the challenges we have with SELinux in the Fedora build system.

> Can you please explain specifically what the problem is?

One of the problems is that the result of a pungi compose that is performed
with SELinux enforcing does not install SELinux enabled by default,
because [a chain of events] the DVD/CD does not contain the policy file,
partly because under enforcing you cannot create a virtualized /dev/null
that has the right context.
   http://bugzilla.redhat.com/show_bug.cgi?id=343861
   http://bugzilla.redhat.com/show_bug.cgi?id=343851
The workaround is "setenforce 0" during the pungi compose.

In general, it looks to me like SELinux itself cannot be virtualized.
[I really didn't expect it, but nevertheless I cannot find it.]
This means that any time you want to "fake it", then you must
turn off enforcing, or create a full virtualized OS instance
that has enforcing off.
