Fedora buildsys and SELinux

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 17 13:12:59 UTC 2008


On Wed, 2008-04-16 at 23:23 -0400, Bill Nottingham wrote:
> James Morris (jmorris at namei.org) said: 
> > > You cannot create files in a chroot of a context not known by the
> > > host policy. This means that if your host is running RHEL 5, you are
> > > unable to compose any trees/images/livecds with SELinux enabled for
> > > later releases.
> > 
> > Ok, that's what I suspected.
> > 
> > One of the possible plans for this is to allow a process to run in a 
> > separate policy namespace, and probably also utilize namespace support in 
> > general.
> > 
> > This is non-trivial and needs more analysis.
> 
> Incidentally, this is also one of the blockers for policy-in-packages,
> rather than a monolithic one.

I assume you mean setting down unknown file labels rather than
per-namespace or per-chroot policy support.  I think they are related
but different.  The former is required if you always plan to install the
files _before_ loading the policy.  The latter is required primarily for
getting any scriptlets to run in the right security contexts so that any
files they create are labeled appropriately within the chroot.

Also, I wanted to emphasize that chroot is different than unsharing the
filesystem namespace, and per-chroot policy is not the same thing as
per-namespace policy.  I'd expect though that it would actually be a
per-process policy mechanism, with most processes sharing the same
policy but programs like rpm being able to unshare policy from their
parent and then load a private policy to be applied only to their
descendants.
  
-- 
Stephen Smalley
National Security Agency



