Fedora buildsys and SELinux

Eric Paris eparis at redhat.com
Fri May 9 19:33:10 UTC 2008 

On Fri, 2008-05-02 at 13:20 -0400, Stephen Smalley wrote:
> One question that has come up is whether the patch to support setting
> unknown file labels is sufficient to support the buildsys needs, or
> whether something more is required.  My impression is that all we truly
> need is:
> 1) support for setting unknown file labels for use by rpm, and
> 2) bind mount /dev/null over selinux/load within the chroot so that
> policy loads within the chroot do nothing rather than changing the build
> host's policy, and
> 3) bind mount a regular empty file over selinux/context within the
> chroot so that attempts to validate/canonicalize contexts by rpm will
> always return the original value w/o trying to validate against the
> build host's policy.

So I ran livecd-creator today with a couple of things inside the
chroot /selinux

load -> /dev/null
null -> /dev/null
context = [blank file]
mls = 1
enforcing = 1
policyvers = 22

This was attempting to build a F9 livecd on an F9 box, so I wasn't
worried about the labeling issues (although the kernel in question is
patched to support unknown labels)

Things blew up spectacularly   :)

warning: libgcc-4.3.0-8: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
  Installing: libgcc                       ##################### [  1/129] 
error: %post(libgcc-4.3.0-8.x86_64) scriptlet failed, exit status 255
  Installing: setup                        ##################### [  2/129] 
error: unpacking of archive failed on file /etc/bashrc: cpio: lsetfilecon
  Installing: filesystem                   ##################### [  3/129] 
error: unpacking of archive failed on file /: cpio: lsetfilecon
  Installing: basesystem                   ##################### [  4/129] 
  Installing: ncurses-base                 ##################### [  5/129] 
error: unpacking of archive failed on file /etc/terminfo: cpio: lsetfilecon

So I took a look at what's in "context" and I see
"t:s00s0s0s0s0s0s0s0s0s0:s0" which just seems horrible...  I assume this
is a libselinux function using this.  I wonder if I change that to use
O_TRUNC if things would go a bit more smoothly....

-Eric

More information about the fedora-selinux-list mailing list