Fedora buildsys and SELinux
Stephen Smalley
sds at tycho.nsa.gov
Mon May 12 12:17:27 UTC 2008
On Fri, 2008-05-09 at 16:00 -0400, Eric Paris wrote:
> On Fri, 2008-05-09 at 15:33 -0400, Eric Paris wrote:
> > On Fri, 2008-05-02 at 13:20 -0400, Stephen Smalley wrote:
> > > One question that has come up is whether the patch to support setting
> > > unknown file labels is sufficient to support the buildsys needs, or
> > > whether something more is required. My impression is that all we truly
> > > need is:
> > > 1) support for setting unknown file labels for use by rpm, and
> > > 2) bind mount /dev/null over selinux/load within the chroot so that
> > > policy loads within the chroot do nothing rather than changing the build
> > > host's policy, and
> > > 3) bind mount a regular empty file over selinux/context within the
> > > chroot so that attempts to validate/canonicalize contexts by rpm will
> > > always return the original value w/o trying to validate against the
> > > build host's policy.
> >
> > So I ran livecd-creator today with a couple of things inside the
> > chroot /selinux
> >
> > load -> /dev/null
> > null -> /dev/null
> > context = [blank file]
> > mls = 1
> > enforcing = 1
> > policyvers = 22
> >
> > This was attempting to build a F9 livecd on an F9 box, so I wasn't
> > worried about the labeling issues (although the kernel in question is
> > patched to support unknown labels)
> >
> > Things blew up spectacularly :)
>
> So I added O_TRUNC to both of the callers to /selinux/context in
> libselinux and that took care of the lsetfilecon() crap but I still get
> tons and tons of "scriptlet failed, exit status 255"
>
> Anyone have ideas/suggestions how to debug those more?
Ah, it is likely failing on the rpm_execcon(3) ->
security_compute_create(3) call, i.e. writing to /selinux/create,
which computes the context in which to run the scriptlet or helper from
the policy. If that returns the same as rpm's own context, then we fall
back to rpm_script_t. So this affects things like ldconfig.
I increasingly suspect we're better off not mounting selinuxfs within
the chroot at all and addressing any issues that arise via policy.
> warning: libgcc-4.3.0-8: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
> Installing: libgcc ##################### [ 1/129]
> error: %post(libgcc-4.3.0-8.x86_64) scriptlet failed, exit status 255
> Installing: setup ##################### [ 2/129]
> Installing: filesystem ##################### [ 3/129]
> Installing: basesystem ##################### [ 4/129]
> Installing: ncurses-base ##################### [ 5/129]
> Installing: tzdata ##################### [ 6/129]
> Installing: rootfiles ##################### [ 7/129]
> Installing: glibc ##################### [ 8/129]
> error: %post(glibc-2.8-3.x86_64) scriptlet failed, exit status 255
> Installing: ncurses-libs ##################### [ 9/129]
> error: %post(ncurses-libs-5.6-16.20080301.fc9.x86_64) scriptlet failed, exit status 255
> Installing: popt ##################### [ 10/129]
> error: %post(popt-1.13-3.fc9.x86_64) scriptlet failed, exit status 255
> Installing: zlib ##################### [ 11/129]
> error: %post(zlib-1.2.3-18.fc9.x86_64) scriptlet failed, exit status 255
--
Stephen Smalley
National Security Agency
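As an added example (not from the thread or from any of its participants), a POSIX shell check for the chroot layout Eric described: selinux/load resolving to /dev/null, selinux/context an empty regular file, and no real selinuxfs mounted inside the chroot. The function name check_chroot_selinux, the "selinux" mount point name under the chroot, and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Verify that a build
# chroot's stand-in /selinux cannot reach the host kernel's policy and
# that context validation by rpm will degrade to a harmless no-op.
# Assumptions: the stand-in lives at $root/selinux, /dev/null is the
# usual null character device, and GNU stat (-L, -c) is available.

# Print a diagnostic for each failed check; return 0 only if all pass.
check_chroot_selinux() {
    root=$1
    dir=$root/selinux
    rc=0

    # A real selinuxfs mounted inside the chroot would let a write to
    # "load" replace the build host's policy; refuse that outright.
    if awk -v d="$dir" '$2 == d && $3 == "selinuxfs" { found = 1 }
                        END { exit !found }' /proc/mounts 2>/dev/null; then
        echo "FAIL: real selinuxfs is mounted at $dir" >&2
        rc=1
    fi

    # "load" must resolve (through a bind mount or symlink) to the null
    # device so that policy loads inside the chroot are simply discarded.
    if [ -c "$dir/load" ] &&
       [ "$(stat -Lc '%t:%T' "$dir/load")" = "$(stat -Lc '%t:%T' /dev/null)" ]; then
        :
    else
        echo "FAIL: $dir/load does not resolve to /dev/null" >&2
        rc=1
    fi

    # "context" must be a regular, empty file: libselinux writes the
    # context to be validated and then reads the file back, so any
    # leftover bytes (the missing-O_TRUNC problem above) would come back
    # as a bogus "canonical" context.
    if [ -f "$dir/context" ] && [ ! -s "$dir/context" ]; then
        :
    else
        echo "FAIL: $dir/context is missing, not a regular file, or not empty" >&2
        rc=1
    fi

    return $rc
}
```

Run it against the chroot root (for example `check_chroot_selinux /var/lib/mock/root`) before starting the build; a non-zero exit means one of the three conditions does not hold.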