selinux + livecd-creator, May 20, 2008

Stephen Smalley sds at tycho.nsa.gov
Wed May 21 14:19:53 UTC 2008


On Wed, 2008-05-21 at 10:06 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Tue, 2008-05-20 at 15:43 -0400, Daniel J Walsh wrote:
> >> Jeremy Katz wrote:
> >>> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> >>>> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> >>>>> Making use of the wonderful new deferred selinux context patch set from
> >>>>> the kernel I get beautiful message like:
> >>>>>
> >>>>> /sbin/restorecon reset /sbin/dump context
> >>>>> system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
> >>>>>
> >>>>> The file wasn't really "unlabeled_t" it just wasn't a valid label on the
> >>>>> host machine.  Since restorecon/fixfiles runs over the same files like 3
> >>>>> times during a livecd creation this gets rather annoying.  Do we have an
> >>>>> interface I could use to make restorecon do the right comparison here?
> >>>> Well, could we instead avoid running restorecon/fixfiles multiple times
> >>>> on the same files?  And ideally just get rpm to label the files
> >>>> correctly in the first place since that is why we added the kernel
> >>>> patch?
> >>> FWIW, we do a final pass with restorecon/fixfiles at the end of creating
> >>> the files just so that we can ensure that any files that were created as
> >>> the result of a %post script or anything else which doesn't transition
> >>> correctly (... perhaps because the policy doesn't know it needs to) ends
> >>> up with the right final label.  This is pretty confined to just the
> >>> livecd-creator case, though.
> >>>
> >>> Jeremy
> >>>
> >>> --
> >>> fedora-selinux-list mailing list
> >>> fedora-selinux-list at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >> Can we use fixfiles restore instead of restorecon?  It will output a
> >> little "*" for every 10,000 files it relabels and we don't need to see
> >> thousands of useless restorecon lines.
> > 
> > Isn't that just the same as calling restorecon with -p rather than -v?
> > 
> I believe fixfiles restore only labels file systems that support labels
> while restorecon -R -v / will walk all file systems, so fixfiles might
> be a little faster.
> 
>         /usr/bin/find "$FILEPATH" \
>             ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev \
>                  -o -fstype gfs2 -o -fstype jfs -o -fstype xfs \) -prune -o -print0 | \
>             ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE

I see.  I'm not sure how much of a problem that is for the chroot
environment, and restorecon does have the -e option for excluding parts
of the tree, although it is non-optimal in implementation (ideally we
could prune the tree walk itself, but I think that would require
converting restorecon from using nftw to using fts, which has long been
a todo item).

However, if they were to use fixfiles restore, is there a way to enable
verbose mode there?  /sbin/fixfiles restore -v doesn't work.

-- 
Stephen Smalley
National Security Agency
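Eric's complaint is that restorecon -v reports the kernel's validated view of the old context (unlabeled_t) rather than the string actually stored in the security.selinux xattr, so a type the host policy does not know looks like a relabel. As an added example that is not part of this thread or of policycoreutils, the Python below takes the lines of a restorecon -n -v dry run over the chroot, reads the raw xattr for each reported path, and drops the report when the stored label already equals the context restorecon wants to set. The parse_reset_line/is_spurious/filter_log names are my own, the sample log lines are constructed, and it assumes the dry run prints the same reset lines as a real run.

```python
import os
import re
from typing import Callable, Optional

# Shape of a verbose restorecon report (the line quoted in the thread):
#   /sbin/restorecon reset /sbin/dump context <old>-><new>
RESET_RE = re.compile(
    r"^(?P<tool>\S*restorecon) reset (?P<path>.+?) context (?P<old>\S+?)->(?P<new>\S+)$"
)

def parse_reset_line(line: str) -> Optional[dict]:
    """Split a 'reset' line into path, old and new context; None for other lines."""
    m = RESET_RE.match(line.strip())
    if not m:
        return None
    return {"path": m.group("path"), "old": m.group("old"), "new": m.group("new")}

def read_raw_label(path: str) -> Optional[str]:
    """Read the security.selinux xattr as stored on disk.  Unlike getfilecon(3)
    this is not filtered through the host policy, so a type the host does not
    know still comes back as its real string instead of unlabeled_t."""
    try:
        raw = os.getxattr(path, "security.selinux")   # Linux only
    except OSError:
        return None
    return raw.rstrip(b"\x00").decode("utf-8", "replace")

def is_spurious(line: str, raw_label_of: Callable[[str], Optional[str]] = read_raw_label) -> bool:
    """True when the reported change is only an artifact of the host policy:
    the old context shows as unlabeled_t, yet the stored xattr already equals
    the context restorecon wants to set."""
    r = parse_reset_line(line)
    if r is None or ":unlabeled_t:" not in r["old"]:
        return False
    return raw_label_of(r["path"]) == r["new"]

def filter_log(lines, raw_label_of=read_raw_label):
    """Drop spurious reset reports; everything else passes through unchanged."""
    return [ln for ln in lines if not is_spurious(ln, raw_label_of)]

if __name__ == "__main__":
    # Constructed sample: a dry-run log plus the labels actually stored in the chroot.
    sample_log = [
        "/sbin/restorecon reset /sbin/dump context system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0",
        "/sbin/restorecon reset /tmp/scratch context system_u:object_r:unlabeled_t:s0->system_u:object_r:tmp_t:s0",
    ]
    stored = {"/sbin/dump": "system_u:object_r:eparis_exec_t:s0", "/tmp/scratch": None}
    for ln in filter_log(sample_log, stored.get):
        print(ln)   # only the /tmp/scratch line survives: that one is a genuine relabel
```

Run it for real by piping the dry run in and calling filter_log with the default read_raw_label, inside the chroot so the paths resolve.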
