[RFC] Livecd-creator and selinux, we can play nice
Daniel J Walsh
dwalsh at redhat.com
Thu May 29 14:56:39 UTC 2008
Bill Nottingham wrote:
> Eric Paris (eparis at redhat.com) said:
>> So I've spent a fair bit of time the last 2 weeks trying to get
>> livecd-creator and an selinux enforcing machine to play nicely together.
>> It doesn't look like much, but from the point of view of the livecd
>> creator I think the following patch is all we need. Working with
>> rawhide as the host system I was able to build F8, F9 and rawhide
>> livecd's with an enforcing machine.
>>
>> I wouldn't suggest jumping into enfocing builds just yet as there are
>> still some policy issues I need to work out with the selinux people but
>> I would like comments. Basically its quite simple, if selinux is on the
>> host we create a fake /selinux which tells the install chroot lies.
>> I've had to make some changes to some selinux libraries to support all
>> this, but I think we are just about there.
>>
>> I'll probably backport some of the kernel changes to F9 after they are
>> all tested and better settled but for now I'd like input on my livecd
>> changes....
>
> My concern is this is a normal occurence (needing a chroot) that you're
> only patching in one place. Do we code this same logic into mock? Into
> pungi? Into yum --installroot? Into the documentation for admins on
> how to set up a chroot?
>
> (Also, for general use, we need this in a RHEL 5 kernel. Fun!)
>
> Bill
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Well I think we need to do a couple of these to figure out the common
requirements.
I envision mock to be quite different then livecd. I think we need to
full the mock chroot to think SELinux is disabled and to do no labeling
in the chroot. This would allow us to confine the mock process to be
able to write to the chroot and label the chroot mock_rw_t. We could
then use SELinux to prevent mock environments from breaking out of the
chroot, and stop mock environments from doing evil network things within
the chroot.
In livecd we need to be able to put down labels that the host machine
does not understand.
More information about the fedora-selinux-list
mailing list