[PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing
Jeremy Katz
katzj at redhat.com
Mon Jun 9 14:50:35 UTC 2008

On Mon, 2008-06-09 at 10:12 -0400, Stephen Smalley wrote:
> > + # we steal mls from the host system for now, might be best to always set it to 1????
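Review bot: The added comment line ends in an open question ("might be best to always set it to 1????") and says the mls value is taken from the host system, so what the fake /selinux reports depends on the build host rather than on the image being built. Settle this before merging: either state in the comment why the host value is right for the target image, or mark it as a TODO naming the case where a fixed value would be used.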
>
> This might be a problem for building RHEL 4 images, since MLS wasn't
> enabled there. I'm not certain though - I believe that there were
> compatibility fixes put into RHEL 4 kernel updates to allow them to
> mount filesystems modified under RHEL 5, so a modern RHEL 4 kernel would
> ignore any MLS component in the context. But the policy Makefile could
> be confused by /selinux/mls==1 there.

Building a RHEL4 live image is all but certain to involve a number of
additional and probably larger challenges. Just getting RHEL5 ones to
build takes some contortions at this point.

> > - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
> > + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
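Review bot: The replacement restorecon call on the `+` line adds `-F` and four `-e` excludes (/proc, /sys, /dev, /selinux) in a single long literal, with nothing in the hunk saying why each is needed. Keep the excluded paths in a named list and build the argument list from it, and add a comment that `-F` is deliberate, so the excludes stay readable and easy to update.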
>
> I assume that this is running the restorecon program from the chroot
> rather than the host restorecon program. Any issues there with the
> (potentially older) restorecon in the image not providing the same set
> of options or behavior?

Yes, and this is definitely a possible concern. At the same time, if
people aren't building really old images that don't support all the
options, we should take advantage of what we can. So it's a bit of a
"use what we think we need, if someone wants to build something old
where that's not available, adapt"

Jeremy