Fedora buildsys and SELinux

Stephen Smalley sds at tycho.nsa.gov
Mon May 12 12:17:27 UTC 2008


On Fri, 2008-05-09 at 16:00 -0400, Eric Paris wrote:
> On Fri, 2008-05-09 at 15:33 -0400, Eric Paris wrote:
> > On Fri, 2008-05-02 at 13:20 -0400, Stephen Smalley wrote:
> > > One question that has come up is whether the patch to support setting
> > > unknown file labels is sufficient to support the buildsys needs, or
> > > whether something more is required.  My impression is that all we truly
> > > need is:
> > > 1) support for setting unknown file labels for use by rpm, and
> > > 2) bind mount /dev/null over selinux/load within the chroot so that
> > > policy loads within the chroot do nothing rather than changing the build
> > > host's policy, and
> > > 3) bind mount a regular empty file over selinux/context within the
> > > chroot so that attempts to validate/canonicalize contexts by rpm will
> > > always return the original value w/o trying to validate against the
> > > build host's policy.
> > 
> > So I ran livecd-creator today with a couple of things inside the
> > chroot /selinux
> > 
> > load -> /dev/null
> > null -> /dev/null
> > context = [blank file]
> > mls = 1
> > enforcing = 1
> > policyvers = 22
> > 
> > This was attempting to build a F9 livecd on an F9 box, so I wasn't
> > worried about the labeling issues (although the kernel in question is
> > patched to support unknown labels)
> > 
> > Things blew up spectacularly   :)
> 
> So I added O_TRUNC to both of the callers to /selinux/context in
> libselinux and that took care of the lsetfilecon() crap but I still get
> tons and tons of "scriptlet failed, exit status 255"
> 
> Anyone have ideas/suggestions how to debug those more?  

Ah, it is likely failing on the rpm_execcon(3) ->
security_compute_create(3) call i.e. writing to /selinux/create.
Which computes the context in which to run the scriptlet or helper from
the policy.  If that returns the same as rpm's own context, then we fall
back to rpm_script_t.  So this affects things like ldconfig.

I increasingly suspect we're better off not mounting selinuxfs within
the chroot at all and addressing any issues that arise via policy.

> warning: libgcc-4.3.0-8: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
>   Installing: libgcc                       ##################### [  1/129] 
> error: %post(libgcc-4.3.0-8.x86_64) scriptlet failed, exit status 255
>   Installing: setup                        ##################### [  2/129] 
>   Installing: filesystem                   ##################### [  3/129] 
>   Installing: basesystem                   ##################### [  4/129] 
>   Installing: ncurses-base                 ##################### [  5/129] 
>   Installing: tzdata                       ##################### [  6/129] 
>   Installing: rootfiles                    ##################### [  7/129] 
>   Installing: glibc                        ##################### [  8/129] 
> error: %post(glibc-2.8-3.x86_64) scriptlet failed, exit status 255
>   Installing: ncurses-libs                 ##################### [  9/129] 
> error: %post(ncurses-libs-5.6-16.20080301.fc9.x86_64) scriptlet failed, exit status 255
>   Installing: popt                         ##################### [ 10/129] 
> error: %post(popt-1.13-3.fc9.x86_64) scriptlet failed, exit status 255
>   Installing: zlib                         ##################### [ 11/129] 
> error: %post(zlib-1.2.3-18.fc9.x86_64) scriptlet failed, exit status 255


-- 
Stephen Smalley
National Security Agency




More information about the fedora-selinux-list mailing list