Fedora buildsys and SELinux

Stephen Smalley sds at tycho.nsa.gov
Tue May 13 16:53:47 UTC 2008


On Tue, 2008-05-13 at 12:06 -0400, Eric Paris wrote:
> Current Setup:
> 
> F9 trying to build an F9 livecd so policy should be happy.  I'm trying
> to eliminate the illegal file context cruft to start with.
> 
> Enforcing.
> 
> the label on livecd-creator is bin_t    NOT  unconfined_notran_t
> 
> chroot/selinux contains:
> null -> /dev/null
> load -> /dev/null
> mls -> 1
> enforcing -> 1
> policyvers -> 22
> context -> regular file

Just as a reminder, I don't believe you should have context there at
all, as omitting it should just work (tm).

> libselinux always opens files with O_TRUNC

And thus you wouldn't need this hack.

> libselinux rpm_execcon has the patch to return -1 and set con =
> context_new(mycon);

Just to clarify, the patch should actually enable rpm_execcon() to
proceed with rpm_script_t even if /selinux/create does not exist.

> the new libselinux is being used inside and outside the chroot
> 
> rpm was NOT rebuilt with the new libselinux, rpm.src.rpm only requires
> libselinux-devel not libselinux-static so I'm hoping we are safe.
> 
> ******************************
> 
> ^M  Installing: kbd                          ##################### [126/129]
> ^M  Installing: kernel                       ##################### [127/129]
> ^M  Installing: selinux-policy               ##################### [128/129]
> ^M  Installing: selinux-policy-targeted      ##################### [129/129]
> 
> All of this still went smoothly...
> 
> libsemanage.dbase_llist_query: could not query record value
>
> No idea where this is coming from

Maybe a table was empty.  Might want to look under etc/selinux/targeted
within the chroot.

> /sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
> /sbin/restorecon reset /lib context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/cp1250_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/cp1251_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/8859-4_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> 
> We are back to calling restorecon on every single file.....

Well, you did put back in a /selinux/context against my advice, and I'm
not sure what else you changed in the above.

But more fundamentally we really need someone who understands the code
flow in rpm to explain when rpm checks for SELinux status and how it
switches from using policy outside the chroot to using policy within the
chroot for file labeling.

An strace of rpm might be interesting although no doubt very hard to
follow.

-- 
Stephen Smalley
National Security Agency
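A small diagnostic for the restorecon output quoted in the thread, added here as an example and not code from the thread or from libselinux: it parses `reset PATH context OLD->NEW` lines and reports how many relabels start from `file_t`, the type a file gets when it was written with no label at all, which is what "restorecon on every single file" after an rpm install points to. The sample log is constructed to mirror the quoted lines; `SAMPLE_LOG` and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the restorecon -v lines quoted in the
# thread (plus one etc_t->shadow_t line); it is not a live capture.
SAMPLE_LOG = """\
/sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
/sbin/restorecon reset /lib context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans/cp1250_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /etc/shadow context system_u:object_r:etc_t:s0->system_u:object_r:shadow_t:s0
"""

# "<restorecon> reset <path> context <old>-><new>"; paths without spaces assumed.
RESET_RE = re.compile(
    r"^\S*restorecon reset (?P<path>\S+) context (?P<old>\S+?)->(?P<new>\S+)$"
)


def parse_reset_lines(text):
    """Yield (path, old_context, new_context) for every 'reset' line; skip the rest."""
    for line in text.splitlines():
        m = RESET_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("old"), m.group("new")


def context_type(ctx):
    """Return the type field (user:role:TYPE:range) of a security context."""
    return ctx.split(":")[2]


def summarize(text):
    """Count relabels by (old type, new type) and how many started from file_t.

    file_t means the file had no label when it was created, so a run where
    nearly every reset starts from file_t says rpm did not label the files at
    install time at all (as opposed to labeling them wrongly).
    """
    transitions = Counter()
    total = from_file_t = 0
    for _path, old, new in parse_reset_lines(text):
        total += 1
        old_t, new_t = context_type(old), context_type(new)
        transitions[(old_t, new_t)] += 1
        if old_t == "file_t":
            from_file_t += 1
    return {"total": total, "from_file_t": from_file_t, "transitions": transitions}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['from_file_t']}/{result['total']} resets came from file_t")
    for (old_t, new_t), n in sorted(result["transitions"].items()):
        print(f"  {old_t} -> {new_t}: {n}")
```

Feed it the full `restorecon -v` output from the chroot build; if the `from_file_t` share is close to the total, the problem is rpm skipping labeling inside the chroot rather than a bad file_contexts entry.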
