Fedora buildsys and SELinux

Jeremy Katz katzj at redhat.com
Mon May 12 20:33:07 UTC 2008


On Mon, 2008-05-12 at 08:17 -0400, Stephen Smalley wrote:
> On Fri, 2008-05-09 at 16:00 -0400, Eric Paris wrote:
> > So I added O_TRUNC to both of the callers to /selinux/context in
> > libselinux and that took care of the lsetfilecon() crap but I still get
> > tons and tons of "scriptlet failed, exit status 255"
> > 
> > Anyone have ideas/suggestions how to debug those more?  
> 
> Ah, it is likely failing on the rpm_execcon(3) ->
> security_compute_create(3) call i.e. writing to /selinux/create.
> Which computes the context in which to run the scriptlet or helper from
> the policy.  If that returns the same as rpm's own context, then we fall
> back to rpm_script_t.  So this affects things like ldconfig.
> 
> I increasingly suspect we're better off not mounting selinuxfs within
> the chroot at all and addressing any issues that arise via policy.

If we don't mount selinuxfs, then anything that attempts to figure out
if SELinux is enabled (i.e. the fact that rpm checks if SELinux is enabled
to determine whether or not to set the xattrs) will fail.  Also, I don't
remember for certain without looking, but even restorecon checks like
that from what I remember.  So we have to at least have some of /selinux
present or we have to do deeper tricks with labeling outside of chroots
which ... pain :-/

Jeremy
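An added example (my own code, not from this thread or from libselinux) of the check Jeremy is describing: a tool that decides whether SELinux is "enabled" by looking for a selinuxfs mount will say no inside a chroot that has no selinuxfs under its root, and so will skip setting security.selinux xattrs. The mount tables and the chroot path /var/lib/mock/root are constructed for the example; the mount-table probe is my model of what is_selinux_enabled() does, not library code.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mount tables in /proc/mounts format, seen from the host. The
 * chroot path /var/lib/mock/root is an assumed example, not from the thread. */
static const char HOST_ONLY[] =
    "/dev/sda1 / ext3 rw 0 0\n"
    "none /selinux selinuxfs rw 0 0\n"
    "none /proc proc rw 0 0\n";
static const char CHROOT_WITH_SELINUXFS[] =
    "/dev/sda1 / ext3 rw 0 0\n"
    "none /selinux selinuxfs rw 0 0\n"
    "none /var/lib/mock/root/selinux selinuxfs rw 0 0\n";

/* Look for an fstype of "selinuxfs" whose mount point sits inside `root`
 * ("/" for the host view). On success copy the mount point to `out` and
 * return 1; return 0 if no selinuxfs is visible under that root. This is
 * my model of the mount-table probe behind is_selinux_enabled(), not a copy
 * of libselinux. */
int find_selinuxfs(const char *mounts, const char *root, char *out, size_t outlen)
{
    size_t rlen = strcmp(root, "/") == 0 ? 0 : strlen(root);
    const char *line = mounts;
    while (*line) {
        char buf[512], dev[128], mnt[256], type[64];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%127s %255s %63s", dev, mnt, type) == 3 &&
            strcmp(type, "selinuxfs") == 0 &&
            strncmp(mnt, root, rlen) == 0 && mnt[rlen] == '/') {
            snprintf(out, outlen, "%s", mnt);
            return 1;
        }
        line = nl ? nl + 1 : line + len;
    }
    return 0;
}

/* The rpm-style decision: only bother setting security.selinux xattrs when
 * the installer, running with `root` as its filesystem root, sees selinuxfs. */
int should_set_xattrs(const char *mounts, const char *root)
{
    char mnt[256];
    return find_selinuxfs(mounts, root, mnt, sizeof mnt);
}
```

With the host table alone, the chroot view finds nothing and labeling is skipped; once selinuxfs is also mounted under the chroot root, the same check succeeds.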




More information about the fedora-selinux-list mailing list