[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fedora buildsys and SELinux

Hash: SHA1

Bill Nottingham wrote:
> James Morris (jmorris namei org) said: 
>>> * All the parties are here now needed to figure this out
>>> * Someone better than me is going to reply with specifics about what is
>>> not working in the buildsys
>>> * We all agree it's pretty important to get this figured out in a good
>>> way
>> Can you please explain specifically what the problem is?
> You cannot create files in a chroot of a context not known by the
> host policy. This means that if your host is running RHEL 5, you are
> unable to compose any trees/images/livecds with SELinux enabled for
> later releases.
> Bill
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Just catching up on this email chain.

The far more insidious problem is the act of loading policy in the
chroot effects the kernel of the host.  So processes that are running in
the host become invalidated when the client loads a policy.  This
happens even in the case where you are building a chroot environment on
the SAME os.  Since the spec file is running semanage commands to modify
and add unconfined_t users, the unconfined processes of the parent and
potential labels become unknown to the kernel for a period of time,
which ends up labeling the files and processes as unlabeled_t.  When
this happens files labeled unlabeled_t can not be accesses by confined
process and if a process becomes unlabeled_t it will not be allowed any
access on the box, which can cause the process to crash or go into in
infinite loop.  If I build a livedvd, I end

setenforce 0
livedvd ...
setenforce 1
And sometimes I still need to
fixfiles restore
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]