livecd-creator + selinux
Stephen Smalley
sds at tycho.nsa.gov
Thu May 15 19:30:39 UTC 2008
On Thu, 2008-05-15 at 13:50 -0400, Eric Paris wrote:
> So I'm still stumbling along in the dark trying to get livecd-creator to
> build me a nice new F10 image inside an F10 host. I've actually got an
> image that built and runs, but not without its issues.
>
> my kickstart file has:
> auth --enableshadow --enablemd5
> rootpw redhat
>
> but the livecd always has x for the password in /etc/password and * for
> the password in /etc/shadow. No ideas here I must admit. I'm highly
> doubtful its selinux since it happens in permissive and enforcing. I
> have just been booting into single user, calling passwd, init 3, and
> logging in to play around in my live image....
No ideas here - hopefully the livecd folks can help you with that one.
>
> 3 errors/issues/quirks in building/running my livecd
>
> 1) libsemanage.dbase_llist_query: could not query record value
> I'm told empty table, but I don't know what that means
Looking at selinux-policy.spec, I see that it runs semanage login -l and
semanage user -l in its scriptlets. If it does that and there are no
user or login entries defined yet, then you'd get that error I think.
Not sure if that means that something went wrong earlier or if it is
normal/legitimate. Dan?
> 2) /usr/sbin/semanage: Invalid prefix user
> This pops out when semanage calls:
> if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0:
> I assume this has to do with my bastardized /selinux inside the chroot.
> Should we just make it != 0 && != -ENOENT or whatever the error is we
> get there?
That should work, and this check should really be replaced by a new
libsemanage interface that checks against the target policy rather than
the host policy, like the mls enabled test.
> 3) When booting I get 3 messages that say:
> inode_doinit_with_dentry: no dentry for dev=dm-0 ino=8345
> The 3 inodes in question correspond to
> /etc/udev
> /etc/udev/rules.d
> /etc/udev/rules.d/50-udev-default.rules
Happens when SELinux is setting up pre-existing inodes upon initial
policy load and it cannot find a dentry for the inode and thus cannot
invoke the ->getxattr method on it. Likely harmless. When/if the
files are subsequently looked up, the inodes should get set up at that
time upon the d_instantiate/d_splice_alias.
> no clues where this is coming from. I don't see it when I booted my
> host system....
>
>
>
> Anyway, at this point I want clues/help/suggestions on how to create my
> hacked up /selinux inside the chroot. Right now all I'm going is
> creating it on the host system and bind mounting it into the chroot. I
> really should be creating this inside creator.py. All that needs to be
> inside it is 3 files. copies of mls and policyvers from the host
> system and load is a chrfile of /dev/null. I could just create those in
> the livecd image and they will get mounted on top of when its running,
> but I don't want to waste the 50 bytes or whatever it would take. Any
> good suggests on how to build this temp? Or where I could clean it out
> later?
>
> -Eric
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list