Fedora buildsys and SELinux

Stephen Smalley sds at tycho.nsa.gov
Mon May 12 12:08:38 UTC 2008


On Fri, 2008-05-09 at 15:33 -0400, Eric Paris wrote:
> On Fri, 2008-05-02 at 13:20 -0400, Stephen Smalley wrote:
> > One question that has come up is whether the patch to support setting
> > unknown file labels is sufficient to support the buildsys needs, or
> > whether something more is required.  My impression is that all we truly
> > need is:
> > 1) support for setting unknown file labels for use by rpm, and
> > 2) bind mount /dev/null over selinux/load within the chroot so that
> > policy loads within the chroot do nothing rather than changing the build
> > host's policy, and
> > 3) bind mount a regular empty file over selinux/context within the
> > chroot so that attempts to validate/canonicalize contexts by rpm will
> > always return the original value w/o trying to validate against the
> > build host's policy.
> 
> So I ran livecd-creator today with a couple of things inside the
> chroot /selinux
> 
> load -> /dev/null
> null -> /dev/null
> context = [blank file]
> mls = 1
> enforcing = 1
> policyvers = 22
> 
> This was attempting to build a F9 livecd on an F9 box, so I wasn't
> worried about the labeling issues (although the kernel in question is
> patched to support unknown labels)
> 
> Things blew up spectacularly   :)
> 
> warning: libgcc-4.3.0-8: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
>   Installing: libgcc                       ##################### [  1/129] 
> error: %post(libgcc-4.3.0-8.x86_64) scriptlet failed, exit status 255
>   Installing: setup                        ##################### [  2/129] 
> error: unpacking of archive failed on file /etc/bashrc: cpio: lsetfilecon
>   Installing: filesystem                   ##################### [  3/129] 
> error: unpacking of archive failed on file /: cpio: lsetfilecon
>   Installing: basesystem                   ##################### [  4/129] 
>   Installing: ncurses-base                 ##################### [  5/129] 
> error: unpacking of archive failed on file /etc/terminfo: cpio: lsetfilecon
> 
> So I took a look at what's in "context" and I see
> "t:s00s0s0s0s0s0s0s0s0s0:s0" which just seems horrible...  I assume this
> is a libselinux function using this.  I wonder if I change that to use
> O_TRUNC if things would go a bit more smoothly....

I think it would be better to just adjust userspace as we discussed to
perform context validation against the target policy rather than the
build host policy as is done by setfiles -c.

Or disable context validation altogether in userspace in that instance.

Or create some kind of "identity" node in the selinuxfs filesystem that
is transaction-based like the existing selinuxfs nodes and always
returns whatever was written to it, then bind mount that on top
of /selinux/context.

-- 
Stephen Smalley
National Security Agency
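The garbage Eric saw in "context" falls out of the difference between a transactional selinuxfs node and a plain file: libselinux writes the context and then reads the canonical form back on the same descriptor, and a regular file keeps the tail of earlier, longer writes. The following is an added example, not code from this thread or from libselinux; it assumes a simplified open/write/read model of the libselinux call and uses constructed sample contexts.

```python
import os
import tempfile

# Simplified model (an assumption, not libselinux's actual source) of the
# transaction libselinux runs against /selinux/context: open the node, write
# the context, then read the canonical form back from the same descriptor.
def canonicalize_via_node(path: str, context: str) -> bytes:
    fd = os.open(path, os.O_RDWR)
    try:
        os.write(fd, context.encode() + b"\0")
        return os.read(fd, 4096)  # the caller takes this as the canonical context
    finally:
        os.close(fd)

def node_is_transactional(path: str, probes) -> bool:
    """True if each open/write/read returns exactly what was written, the way
    selinuxfs nodes (or the proposed "identity" node) behave. A bind-mounted
    regular file keeps state between opens and fails this check."""
    return all(canonicalize_via_node(path, c) == c.encode() + b"\0" for c in probes)

# Constructed sample contexts of decreasing length, standing in for successive
# lsetfilecon() calls while rpm unpacks packages inside the chroot.
PROBES = ("system_u:object_r:etc_t:s0", "root:object_r:bin_t:s0", "u:r:t:s0")

def replay_against_regular_file(contexts=PROBES):
    """Replay the transactions against an empty regular file (the bind-mount
    workaround from the thread) and return what each call reads back."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        return [canonicalize_via_node(path, c) for c in contexts]
    finally:
        os.unlink(path)

def regular_file_is_transactional() -> bool:
    """Run the transactional check against a fresh empty regular file."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        return node_is_transactional(path, PROBES)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    # First call reads back nothing (offset sits at EOF); later, shorter writes
    # read back the leftover tail of the longer contexts written before them.
    for con, got in zip(PROBES, replay_against_regular_file()):
        print(f"wrote {con!r:30} read back {got!r}")
    print("regular file transactional:", regular_file_is_transactional())
```

The read-back residue (":s0" tails) is the same shape as the "t:s00s0s0...:s0" string quoted above; a truly transactional node returns exactly the context written, so the check function also serves to verify any replacement node before the chroot build is started.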