Re: [PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing
- From: Jeremy Katz <katzj redhat com>
- To: fedora-selinux-list <fedora-selinux-list redhat com>
- Subject: Re: [PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing
- Date: Mon, 09 Jun 2008 10:50:35 -0400
On Mon, 2008-06-09 at 10:12 -0400, Stephen Smalley wrote:
> > + # we steal mls from the host system for now, might be best to always set it to 1????
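Review bot: The added comment ends on an unresolved question ("might be best to always set it to 1????") about where the mls value should come from. Taking it from the host means the value reflects the build machine rather than the policy installed in the image being built. Decide which of the two is intended before merging, and replace the question with a comment that states the rule.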
>
> This might be a problem for building RHEL 4 images, since MLS wasn't
> enabled there. I'm not certain though - I believe that there were
> compatibility fixes put into RHEL 4 kernel updates to allow them to
> mount filesystems modified under RHEL 5, so a modern RHEL 4 kernel would
> ignore any MLS component in the context. But the policy Makefile could
> be confused by /selinux/mls==1 there.

Building a RHEL4 live image is all but certain to involve a number of
additional and probably larger challenges. Just getting RHEL5 ones to
build takes some contortions at this point.

> > - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
> > + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
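Review bot: On the `+` line, `-F` and the four `-e` excludes are hard-coded inline in the `self.call` argument list, and nothing on this line checks the result. Build the excludes from a named list of the pseudo-filesystem paths (`/proc`, `/sys`, `/dev`, `/selinux`) so they live in one place, add a comment saying why `-F` is now needed, and make sure a non-zero exit from restorecon fails the build instead of leaving the tree with whatever labels it already had.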
>
> I assume that this is running the restorecon program from the chroot
> rather than the host restorecon program. Any issues there with the
> (potentially older) restorecon in the image not providing the same set
> of options or behavior?

Yes, and this is definitely a possible concern. At the same time, if
people aren't building really old images that don't support all the
options, we should take advantage of what we can. So it's a bit of a
"use what we think we need, if someone wants to build something old
where that's not available, adapt"

Jeremy