Fedora buildsys and SELinux
katzj at redhat.com
Mon May 12 20:33:08 UTC 2008
On Mon, 2008-05-12 at 10:53 -0400, Stephen Smalley wrote:
> > On second thought is that even possible? As I recall
> > selinux-policy-targeted rpm is installed about 128/129 packages when I
> > do my livecd create. That means that we didn't even have an 'inside
> > chroot' policy to check against for the vast majority of this operation.
> > I'd assume that building the appropriete mock buildroot would have the
> > same problem. Wonder how people would feel about really hacking up the
> > buildroot creator to force install selinux stuff first and then run the
> > full install transaction set....
> For a normal install, anaconda has to set down an initial file contexts
> file and load a policy to get things started IIRC - otherwise rpm
> wouldn't be able to label the files it sets down prior to installing
It uses the policy from outside the chroot until things are put into the
chroot. This "works" for the anaconda case as we don't really fully
support installing a different environment than what your install images
are built with
 We've actually done a lot of work to make this more supported, but
SELinux is actually now the big blocker that I know of due to this
reasoning. At least for things which count as similar, for certain
values of that.
> > > Or disable context validation altogether in userspace in that instance.
> > Anyone have suggestions on how to go about this?
> Absence of any /selinux/context at all should automatically do that.
> > > Or create some kind of "identity" node in the selinuxfs filesystem that
> > > is transaction-based like the existing selinuxfs nodes and always
> > > returns whatever was written to it, then bind mount that on top
> > > of /selinux/context.
> > I did get that out of using a plain file and using O_TRUNC in libselinux
> > eventually.
> Yes, but I don't see how requiring the use of a hacked-up libselinux is
> any better or more workable.
More information about the fedora-selinux-list