Fedora buildsys and SELinux

Daniel J Walsh dwalsh at redhat.com
Tue May 13 16:55:53 UTC 2008


Eric Paris wrote:
> Current Setup:
> 
> F9 trying to build an F9 livecd so policy should be happy.  I'm trying
> to eliminate the illegal file context cruft to start with.
> 
> Enforcing.
> 
> the label on livecd-creator is bin_t    NOT  unconfined_notran_t
> 
> chroot/selinux contains:
> null -> /dev/null
> load -> /dev/null
> mls -> 1
> enforcing -> 1
> policyvers -> 22
> context -> regular file
> 
> libselinux always opens files with O_TRUNC
> 
> libselinux rpm_execcon has the patch to return -1 and set con =
> context_new(mycon);
> 
> the new libselinux is being used inside and outside the chroot
> 
> rpm was NOT rebuilt with the new libselinux, rpm.src.rpm only requires
> libselinux-devel not libselinux-static so I'm hoping we are safe.
> 
> ******************************
> 
>   Installing: kbd                          ##################### [126/129]
>   Installing: kernel                       ##################### [127/129]
>   Installing: selinux-policy               ##################### [128/129]
>   Installing: selinux-policy-targeted      ##################### [129/129]
> 
> All of this still went smoothly...
> 
> libsemanage.dbase_llist_query: could not query record value
> 
> No idea where this is coming from
> 
> /sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
> /sbin/restorecon reset /lib context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/cp1250_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/cp1251_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/8859-4_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> 
> We are back to calling restorecon on every single file.....
> 
> -Eric
I don't have a problem with calling restorecon on every single file,
since this is a limited number of files.  The goal is to allow the
chroot to run without mucking around with the host security.  So I don't
have to run permissive or disabled if I use mock/livecd.  If mock/livecd
have to relabel when they complete that is fine.

