livecd-creator + selinux

Stephen Smalley sds at tycho.nsa.gov
Thu May 15 19:30:39 UTC 2008


On Thu, 2008-05-15 at 13:50 -0400, Eric Paris wrote:
> So I'm still stumbling along in the dark trying to get livecd-creator to
> build me a nice new F10 image inside an F10 host.  I've actually got an
> image that built and runs, but not without its issues.
> 
> my kickstart file has:
> auth --enableshadow --enablemd5
> rootpw redhat
> 
> but the livecd always has x for the password in /etc/password and * for
> the password in /etc/shadow.  No ideas here I must admit.  I'm highly
> doubtful it's SELinux since it happens in permissive and enforcing.  I
> have just been booting into single user, calling passwd, init 3, and
> logging in to play around in my live image....

No ideas here - hopefully the livecd folks can help you with that one.

> 
> 3 errors/issues/quirks in building/running my livecd
> 
> 1) libsemanage.dbase_llist_query: could not query record value
> I'm told empty table, but I don't know what that means

Looking at selinux-policy.spec, I see that it runs semanage login -l and
semanage user -l in its scriptlets.  If it does that and there are no
user or login entries defined yet, then you'd get that error I think.
Not sure if that means that something went wrong earlier or if it is
normal/legitimate.  Dan?

> 2) /usr/sbin/semanage: Invalid prefix user
> This pops out when semanage calls:
> if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0:
> I assume this has to do with my bastardized /selinux inside the chroot.
> Should we just make it != 0 && != -ENOENT or whatever the error is we
> get there?

That should work, and this check should really be replaced by a new
libsemanage interface that checks against the target policy rather than
the host policy, like the mls enabled test.

> 3) When booting I get 3 messages that say:
> inode_doinit_with_dentry:  no dentry for dev=dm-0 ino=8345
> The 3 inodes in question correspond to
> /etc/udev
> /etc/udev/rules.d
> /etc/udev/rules.d/50-udev-default.rules

Happens when SELinux is setting up pre-existing inodes upon initial
policy load and it cannot find a dentry for the inode and thus cannot
invoke the ->getxattr method on it.  Likely harmless.  When/if the
files are subsequently looked up, the inodes should get set up at that
time upon the d_instantiate/d_splice_alias.

> no clues where this is coming from.  I don't see it when I booted my
> host system....
> 
> 
> 
> Anyway, at this point I want clues/help/suggestions on how to create my
> hacked up /selinux inside the chroot.  Right now all I'm doing is
> creating it on the host system and bind mounting it into the chroot.  I
> really should be creating this inside creator.py.  All that needs to be
> inside it is 3 files.   copies of mls and policyvers from the host
> system and load is a chrfile of /dev/null.  I could just create those in
> the livecd image and they will get mounted on top of when its running,
> but I don't want to waste the 50 bytes or whatever it would take.  Any
> good suggestions on how to build this temp?  Or where I could clean it out
> later?
> 
> -Eric
-- 
Stephen Smalley
National Security Agency
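Added example, not from this thread and not code from semanage or livecd-creator: a Python sketch of the two mechanics discussed above. First, the semanage prefix check as it exists (security_check_context() against the host's selinuxfs) with the relaxation Stephen agrees with, where an ENOENT from a stubbed or missing /selinux is treated as "cannot decide here" instead of "invalid prefix". Second, the three-file stub /selinux Eric describes (copies of the host's mls and policyvers, plus load as a character device aliasing /dev/null). Function names, the "valid/unknown/invalid" verdicts, the fallback values written when no host selinuxfs is available, and the host_mnt parameter are my assumptions, not anything the page states.

```python
"""Added example (mine, not from the thread, semanage or livecd-creator).

Assumptions not found in the original message: the function names below,
the verdict strings, the fallback mls/policyvers values, and that the host
selinuxfs location is passed in rather than hard-coded to /selinux.
"""
import ctypes
import ctypes.util
import errno
import os
import shutil
import stat


def home_type_context(prefix):
    # The context string semanage builds for its prefix check.
    return "system_u:object_r:%s_home_t:s0" % prefix


def classify_check(rc, err):
    """Map (return code, errno) of security_check_context() to a verdict.

    0          -> "valid"   : the host policy knows the type
    -1/ENOENT  -> "unknown" : no usable selinuxfs (stub /selinux in a chroot,
                              or SELinux not running at all)
    -1/other   -> "invalid" : the host policy rejected the context
    """
    if rc == 0:
        return "valid"
    if err == errno.ENOENT:
        return "unknown"
    return "invalid"


def check_context(context):
    """Call libselinux's security_check_context() via ctypes; return a verdict.

    Without libselinux at all no policy can be consulted, which for this
    decision is the same situation as ENOENT.
    """
    libname = ctypes.util.find_library("selinux")
    if libname is None:
        return "unknown"
    lib = ctypes.CDLL(libname, use_errno=True)
    fn = lib.security_check_context
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_int
    rc = fn(context.encode())
    return classify_check(rc, ctypes.get_errno() if rc != 0 else 0)


def prefix_is_acceptable(prefix):
    """The relaxed test: reject only a definite 'invalid', never ENOENT."""
    return check_context(home_type_context(prefix)) != "invalid"


def make_stub_selinuxfs(dest, host_mnt="/selinux"):
    """Create the minimal /selinux the chroot needs; return True if complete.

    mls and policyvers are copied from the host selinuxfs when present,
    otherwise written from assumed fallback values. load becomes a
    character device with /dev/null's device number, so a policy-load write
    inside the chroot goes nowhere. mknod needs root; if it fails the stub
    is left without load and False is returned.
    """
    os.makedirs(dest, exist_ok=True)
    fallback = {"mls": "1", "policyvers": "23"}  # assumed, not from the page
    for name in ("mls", "policyvers"):
        src = os.path.join(host_mnt, name)
        if os.path.isfile(src):
            shutil.copyfile(src, os.path.join(dest, name))
        else:
            with open(os.path.join(dest, name), "w") as f:
                f.write(fallback[name])
    load = os.path.join(dest, "load")
    if os.path.exists(load):
        return True
    try:
        null = os.stat("/dev/null")
        os.mknod(load, stat.S_IFCHR | 0o600, null.st_rdev)
        return True
    except OSError:  # EPERM/EACCES without root, or mknod blocked in a container
        return False


if __name__ == "__main__":
    print("prefix 'user' acceptable:", prefix_is_acceptable("user"))
```

The caveat with the relaxed check: once ENOENT is tolerated, a misspelled prefix is no longer caught when semanage runs inside the chroot, because the only thing that could validate it is the host's policy, which is the wrong policy anyway. That is why Stephen's real fix is a libsemanage interface that checks the type against the target policy, the same way the MLS-enabled test already does.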