Fedora buildsys and SELinux

Eric Paris eparis at redhat.com
Mon May 12 14:45:32 UTC 2008 

On Mon, 2008-05-12 at 08:08 -0400, Stephen Smalley wrote:
> On Fri, 2008-05-09 at 15:33 -0400, Eric Paris wrote:
> > On Fri, 2008-05-02 at 13:20 -0400, Stephen Smalley wrote:
> > > One question that has come up is whether the patch to support setting
> > > unknown file labels is sufficient to support the buildsys needs, or
> > > whether something more is required.  My impression is that all we truly
> > > need is:
> > > 1) support for setting unknown file labels for use by rpm, and
> > > 2) bind mount /dev/null over selinux/load within the chroot so that
> > > policy loads within the chroot do nothing rather than changing the build
> > > host's policy, and
> > > 3) bind mount a regular empty file over selinux/context within the
> > > chroot so that attempts to validate/canonicalize contexts by rpm will
> > > always return the original value w/o trying to validate against the
> > > build host's policy.
> > 
> > So I ran livecd-creator today with a couple of things inside the
> > chroot /selinux
> > 
> > load -> /dev/null
> > null -> /dev/null
> > context = [blank file]
> > mls = 1
> > enforcing = 1
> > policyvers = 22
> > 
> > This was attempting to build a F9 livecd on an F9 box, so I wasn't
> > worried about the labeling issues (although the kernel in question is
> > patched to support unknown labels)
> > 
> > Things blew up spectacularly   :)
> > 
> > warning: libgcc-4.3.0-8: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
> >   Installing: libgcc                       ##################### [  1/129] 
> > error: %post(libgcc-4.3.0-8.x86_64) scriptlet failed, exit status 255
> >   Installing: setup                        ##################### [  2/129] 
> > error: unpacking of archive failed on file /etc/bashrc: cpio: lsetfilecon
> >   Installing: filesystem                   ##################### [  3/129] 
> > error: unpacking of archive failed on file /: cpio: lsetfilecon
> >   Installing: basesystem                   ##################### [  4/129] 
> >   Installing: ncurses-base                 ##################### [  5/129] 
> > error: unpacking of archive failed on file /etc/terminfo: cpio: lsetfilecon
> > 
> > So I took a look at what's in "context" and I see
> > "t:s00s0s0s0s0s0s0s0s0s0:s0" which just seems horrible...  I assume this
> > is a libselinux function using this.  I wonder if I change that to use
> > O_TRUNC if things would go a bit more smoothly....
> 
> I think it would be better to just adjust userspace as we discussed to
> perform context validation against the target policy rather than the
> build host policy as is done by setfiles -c.

On second thought is that even possible?  As I recall
selinux-policy-targeted rpm is installed about 128/129 packages when I
do my livecd create.  That means that we didn't even have an 'inside
chroot' policy to check against for the vast majority of this operation.
I'd assume that building the appropriete mock buildroot would have the
same problem.  Wonder how people would feel about really hacking up the
buildroot creator to force install selinux stuff first and then run the
full install transaction set....

> Or disable context validation altogether in userspace in that instance.

Anyone have suggestions on how to go about this?

> Or create some kind of "identity" node in the selinuxfs filesystem that
> is transaction-based like the existing selinuxfs nodes and always
> returns whatever was written to it, then bind mount that on top
> of /selinux/context.

I did get that out of using a plain file and using O_TRUNC in libselinux
eventually.

More information about the fedora-selinux-list mailing list