Fedora buildsys and SELinux

Eric Paris eparis at redhat.com
Tue May 13 14:36:45 UTC 2008 

On Tue, 2008-05-13 at 08:44 -0400, Stephen Smalley wrote:
> On Mon, May 12, 2008 at 5:26 PM, Eric Paris <eparis at redhat.com> wrote:
> > On Mon, 2008-05-12 at 17:05 -0400, Stephen Smalley wrote:
> >  > On Mon, May 12, 2008 at 4:33 PM, Jeremy Katz <katzj at redhat.com> wrote:
> >
> >
> > > The only problem I see with not having selinuxfs mounted at all within
> >  > the chroot or even providing fake /selinux nodes is that rpm_execcon()
> >  > will then see SELinux as disabled and thus not try to run the
> >  > scriptlet in a different domain;
> >
> >  How does it do this check?   Guess I should pull some rpm sources.  My
> >  lord I don't wanna....
> 
> You don't have to look at rpm for that - rpm_execcon() is a helper
> function provided by libselinux for use by rpm.  I sent you a patch
> separately for it that should get it past a missing /selinux/create
> node, so you should be able to completely remove /selinux/context and
> /selinux/create and still proceed (at least in permissive mode).

Will do.....

> I'm not sure you need anything there; as I've said,
> is_selinux_enabled() will just fall back to checking /proc/filesystems
> for selinuxfs as the authoritative indicator of whether or not SELinux
> is enabled.

But we have other problems without /selinux mounted inside the chroot
(and this is without the rpm_execcon patch which I'm about to put in,
does rpm statically or dynamically link?)  :(

New, Interesting and different at least:

  Installing: selinux-policy               ##################### [128/129] 
  Installing: selinux-policy-targeted      ##################### [129/129] 
libsemanage.dbase_llist_query: could not query record value
libsepol.policydb_write: policy version 15 cannot support MLS

I assume this is because there isn't an selinux/policyvers?

libsepol.policydb_to_image: could not compute policy length
libsepol.policydb_to_image: could not create policy image
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.23, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.23:  No such file or directory
/usr/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.23. (No such file or directory).
semodule:  Failed!
/usr/sbin/semanage: Invalid prefix user
/usr/sbin/semanage: Invalid prefix user

ERROR:dbus.proxies:Introspect error on :1.3:/org/freedesktop/Hal/Manager: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

/sbin/restorecon reset /dev/stderr context unconfined_u:object_r:file_t:s0->system_u:object_r:device_t:s0
/sbin/restorecon reset /dev/stdin context unconfined_u:object_r:file_t:s0->system_u:object_r:device_t:s0
/sbin/restorecon reset /dev/random context unconfined_u:object_r:file_t:s0->system_u:object_r:random_device_t:s0

There were actually a whole lot less when the restorecon ran through
(still a bunch but a lot less), so I think that part is better.

After the restorecon finished and before the e2fsck I got:

Only root can do that.

Anyone have ideas what that might have been?

More information about the fedora-selinux-list mailing list