Fedora buildsys and SELinux

Paul Howarth paul at city-fan.org
Sat May 10 22:48:44 UTC 2008


On Fri, 09 May 2008 16:00:17 -0400
Eric Paris <eparis at redhat.com> wrote:

> On Fri, 2008-05-09 at 15:33 -0400, Eric Paris wrote:
> > On Fri, 2008-05-02 at 13:20 -0400, Stephen Smalley wrote:
> > > One question that has come up is whether the patch to support
> > > setting unknown file labels is sufficient to support the buildsys
> > > needs, or whether something more is required.  My impression is
> > > that all we truly need is:
> > > 1) support for setting unknown file labels for use by rpm, and
> > > 2) bind mount /dev/null over selinux/load within the chroot so
> > > that policy loads within the chroot do nothing rather than
> > > changing the build host's policy, and
> > > 3) bind mount a regular empty file over selinux/context within the
> > > chroot so that attempts to validate/canonicalize contexts by rpm
> > > will always return the original value w/o trying to validate
> > > against the build host's policy.
> > 
> > So I ran livecd-creator today with a couple of things inside the
> > chroot /selinux
> > 
> > load -> /dev/null
> > null -> /dev/null
> > context = [blank file]
> > mls = 1
> > enforcing = 1
> > policyvers = 22
> > 
> > This was attempting to build a F9 livecd on an F9 box, so I wasn't
> > worried about the labeling issues (although the kernel in question
> > is patched to support unknown labels)
> > 
> > Things blew up spectacularly   :)
> 
> So I added O_TRUNC to both of the callers to /selinux/context in
> libselinux and that took care of the lsetfilecon() crap but I still
> get tons and tons of "scriptlet failed, exit status 255"
> 
> Anyone have ideas/suggestions how to debug those more?  
> 
> warning: libgcc-4.3.0-8: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
> Installing: libgcc                       ##################### [  1/129]
> error: %post(libgcc-4.3.0-8.x86_64) scriptlet failed, exit status 255
> Installing: setup                        ##################### [  2/129]
> Installing: filesystem                   ##################### [  3/129]
> Installing: basesystem                   ##################### [  4/129]
> Installing: ncurses-base                 ##################### [  5/129]
> Installing: tzdata                       ##################### [  6/129]
> Installing: rootfiles                    ##################### [  7/129]
> Installing: glibc                        ##################### [  8/129]
> error: %post(glibc-2.8-3.x86_64) scriptlet failed, exit status 255
> Installing: ncurses-libs                 ##################### [  9/129]
> error: %post(ncurses-libs-5.6-16.20080301.fc9.x86_64) scriptlet failed, exit status 255
> Installing: popt                         ##################### [ 10/129]
> error: %post(popt-1.13-3.fc9.x86_64) scriptlet failed, exit status 255
> Installing: zlib                         ##################### [ 11/129]
> error: %post(zlib-1.2.3-18.fc9.x86_64) scriptlet failed, exit status 255

These all look like library packages so I'd hazard a guess that the
thing that's failing is ldconfig. Perhaps you could replace ldconfig
with a wrapper that runs it under strace?

Paul.
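
The wrapper suggested in the reply above could look like the following. This is an added example, not code from the thread or from any Fedora tool: the function names wrap_with_strace and unwrap, the ".real" suffix and the /var/tmp log directory are assumptions, and it presumes /bin/sh and (ideally) strace are available inside the chroot.

```shell
#!/bin/sh
# Added example: wrap a binary inside a chroot so each call is traced.
# wrap_with_strace CHROOT BINARY [LOGDIR]
#   CHROOT  build root on the host (hypothetical, e.g. the livecd install root)
#   BINARY  path as seen inside the chroot, e.g. /sbin/ldconfig
#   LOGDIR  log directory as seen inside the chroot (default /var/tmp)
wrap_with_strace() {
    chroot_dir=$1 bin=$2 logdir=${3:-/var/tmp}
    target="$chroot_dir$bin"
    [ -x "$target" ] || { echo "not executable: $target" >&2; return 1; }
    [ ! -e "$target.real" ] || { echo "already wrapped: $target" >&2; return 1; }
    mv "$target" "$target.real" || return 1
    # Quoted heredoc: nothing expands now; sed fills in the @LOGDIR@ token.
    sed "s|@LOGDIR@|$logdir|" > "$target" <<'EOF'
#!/bin/sh
# Wrapper: run the real binary under strace, one log per invocation.
log="@LOGDIR@/$(basename "$0").$$.strace"
if command -v strace >/dev/null 2>&1; then
    # strace exits with the traced command's status, so the scriptlet
    # result seen by rpm is unchanged.
    exec strace -f -o "$log" "$0.real" "$@"
fi
# No strace in this root: still record the arguments and exit status.
"$0.real" "$@"
rc=$?
echo "argv: $* exit: $rc" > "$log"
exit $rc
EOF
    chmod 755 "$target"
}

# unwrap CHROOT BINARY: put the real binary back once debugging is done.
unwrap() {
    target="$1$2"
    [ -e "$target.real" ] || return 1
    mv -f "$target.real" "$target"
}
```

Each failing %post then leaves a file such as /var/tmp/ldconfig.PID.strace inside the chroot, showing which system call returned the error.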



