Fedora buildsys and SELinux

Stephen Smalley sds at tycho.nsa.gov
Mon May 12 14:53:46 UTC 2008 

On Mon, 2008-05-12 at 10:45 -0400, Eric Paris wrote:
> On Mon, 2008-05-12 at 08:08 -0400, Stephen Smalley wrote:
> > On Fri, 2008-05-09 at 15:33 -0400, Eric Paris wrote:
> > > On Fri, 2008-05-02 at 13:20 -0400, Stephen Smalley wrote:
> > > > One question that has come up is whether the patch to support setting
> > > > unknown file labels is sufficient to support the buildsys needs, or
> > > > whether something more is required.  My impression is that all we truly
> > > > need is:
> > > > 1) support for setting unknown file labels for use by rpm, and
> > > > 2) bind mount /dev/null over selinux/load within the chroot so that
> > > > policy loads within the chroot do nothing rather than changing the build
> > > > host's policy, and
> > > > 3) bind mount a regular empty file over selinux/context within the
> > > > chroot so that attempts to validate/canonicalize contexts by rpm will
> > > > always return the original value w/o trying to validate against the
> > > > build host's policy.
> > > 
> > > So I ran livecd-creator today with a couple of things inside the
> > > chroot /selinux
> > > 
> > > load -> /dev/null
> > > null -> /dev/null
> > > context = [blank file]
> > > mls = 1
> > > enforcing = 1
> > > policyvers = 22
> > > 
> > > This was attempting to build a F9 livecd on an F9 box, so I wasn't
> > > worried about the labeling issues (although the kernel in question is
> > > patched to support unknown labels)
> > > 
> > > Things blew up spectacularly   :)
> > > 
> > > warning: libgcc-4.3.0-8: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
> > >   Installing: libgcc                       ##################### [  1/129] 
> > > error: %post(libgcc-4.3.0-8.x86_64) scriptlet failed, exit status 255
> > >   Installing: setup                        ##################### [  2/129] 
> > > error: unpacking of archive failed on file /etc/bashrc: cpio: lsetfilecon
> > >   Installing: filesystem                   ##################### [  3/129] 
> > > error: unpacking of archive failed on file /: cpio: lsetfilecon
> > >   Installing: basesystem                   ##################### [  4/129] 
> > >   Installing: ncurses-base                 ##################### [  5/129] 
> > > error: unpacking of archive failed on file /etc/terminfo: cpio: lsetfilecon
> > > 
> > > So I took a look at what's in "context" and I see
> > > "t:s00s0s0s0s0s0s0s0s0s0:s0" which just seems horrible...  I assume this
> > > is a libselinux function using this.  I wonder if I change that to use
> > > O_TRUNC if things would go a bit more smoothly....
> > 
> > I think it would be better to just adjust userspace as we discussed to
> > perform context validation against the target policy rather than the
> > build host policy as is done by setfiles -c.
> 
> On second thought is that even possible?  As I recall
> selinux-policy-targeted rpm is installed about 128/129 packages when I
> do my livecd create.  That means that we didn't even have an 'inside
> chroot' policy to check against for the vast majority of this operation.
> I'd assume that building the appropriete mock buildroot would have the
> same problem.  Wonder how people would feel about really hacking up the
> buildroot creator to force install selinux stuff first and then run the
> full install transaction set....

For a normal install, anaconda has to set down an initial file contexts
file and load a policy to get things started IIRC - otherwise rpm
wouldn't be able to label the files it sets down prior to installing
selinux-policy*.

> > Or disable context validation altogether in userspace in that instance.
> 
> Anyone have suggestions on how to go about this?

Absence of any /selinux/context at all should automatically do that.

> > Or create some kind of "identity" node in the selinuxfs filesystem that
> > is transaction-based like the existing selinuxfs nodes and always
> > returns whatever was written to it, then bind mount that on top
> > of /selinux/context.
> 
> I did get that out of using a plain file and using O_TRUNC in libselinux
> eventually.

Yes, but I don't see how requiring the use of a hacked-up libselinux is
any better or more workable.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list