selinux + livecd-creator, May 20, 2008
eparis at redhat.com
Tue May 27 20:54:42 UTC 2008
On Tue, 2008-05-27 at 16:48 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-27 at 16:25 -0400, Eric Paris wrote:
> > On Tue, 2008-05-20 at 16:10 -0400, Eric Paris wrote:
> > > On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> > > > On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > > > > ***passwd:
> > > > > running a system with selinux enforcing/permissive (doesn't matter) and
> > > > > attempting to run livecd-creator with selinux --disabled results in
> > > > > passwd espoloding. passwd called is_selinux_enabled() which says yes
> > > > > since /proc/mounts has an selinuxfs and the passwd calls
> > > > > selinux_enforcing() which explodes when it can't find
> > > > > a /selinux/enforce. First discussion was to change /proc/mounts to hide
> > > > > the selinuxfs, sounds like a good plan until I realize /proc/mounts is
> > > > > actually link to /proc/self/mounts and that its getting way to complex
> > > > > tying to set up FS namespaces or whatever this is going to take. Right
> > > > > now I'm thinking of creating a /selinux with enforce=0 in all cases
> > > > > inside the chroot, anyone see a problem with that? (I could also work
> > > > > on fixing passwd, but i'm trying to be as 'backwards compatible' as
> > > > > possible....
> > > >
> > > > Wait - you are confusing /proc/mounts and /proc/filesystems.
> > >
> > > You are (once again) correct. Should be a lot easier to lie to :)
> > I feel vindicated, I knew I saw that /proc/mounts was part of it....
> > init_selinuxmnt() is going to go through /proc/mounts inside the chroot
> > and find an selinuxfs mounted back out on the host system. I think this
> > in turn is going to cause is_selinux_enabled() to return that selinux is
> > in fact enabled. No proof but what i know for sure is that
> > cat /proc/filesystems | grep -v selinux > /tmp.filesystems
> > mount -o bind /tmp.filesystems /chroot/proc/filesystems
> > still caused passwd to fail because it thought selinux was enabled....
> Ah, yes - the optimization by Steve G changed is_selinux_enabled() to
> first check for a selinux_mnt previously set upon library init and uses
> that as indication of being enabled if present; otherwise, it falls back
> to checking /proc/filesystems.
> Regardless, as long as you create /selinux/enforce == 0, you're ok with
> passwd, right?
not sure, don't know how to get python to write a 0 without a null
terminator or EOL or anything like that yet. docs.python.org FTW.
More information about the fedora-selinux-list