Fedora buildsys and SELinux

Stephen Smalley sds at tycho.nsa.gov
Tue May 13 17:27:01 UTC 2008


On Tue, 2008-05-13 at 12:53 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-13 at 12:06 -0400, Eric Paris wrote:
> > Current Setup:
> > 
> > F9 trying to build an F9 livecd so policy should be happy.  I'm trying
> > to eliminate the illegal file context cruft to start with.
> > 
> > Enforcing.
> > 
> > the label on livecd-creator is bin_t    NOT  unconfined_notran_t
> > 
> > chroot/selinux contains:
> > null -> /dev/null
> > load -> /dev/null
> > mls -> 1
> > enforcing -> 1
> > policyvers -> 22
> > context -> regular file
> 
> Just as a reminder, I don't believe you should have context there at
> all, as omitting it should just work (tm).

You also shouldn't need "null" in /selinux; that's a node within
selinuxfs for use by the kernel when closing unauthorized files upon
execve and replacing them with references to the null device.  It
doesn't get used by SELinux userspace.

There is no "enforcing" file; it is "enforce" and I don't think you need
it within the chroot for anything.  It isn't the indicator of whether
SELinux is enabled.

So that leaves you with just "load" (so that policy reload appears to
succeed), "mls" (so that semanage knows whether to include MLS fields),
and "policyvers" (again for policy reload purposes).  And neither "load"
nor "policyvers" should be necessary if we could just disable policy
reload altogether (which is possible, but I'm not sure how to make it
happen transparently under only these conditions), and "mls" wouldn't be
necessary if we introduced proper support into libsemanage for querying
the MLS status of the policy and changed semanage/seobject.py to use that
instead.

-- 
Stephen Smalley
National Security Agency
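As an added example that is not part of the thread: a POSIX shell sketch that lays out the minimal chroot/selinux stand-in the reply arrives at (only "load", "mls" and "policyvers") and audits an existing one for the entries it calls unnecessary ("null", "enforcing", "context"). The chroot path, the function names and the policy-version default are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the minimal selinuxfs
# stand-in for a chroot and audits one for stray entries.

# Create <root>/selinux with only load, mls and policyvers.
# Values are written without a trailing newline, like selinuxfs itself.
make_min_selinuxfs() {
    root="$1"; policyvers="${2:-22}"; mls="${3:-1}"   # 22/1 as in the thread
    mkdir -p "$root/selinux"
    ln -sfn /dev/null "$root/selinux/load"            # policy reload "succeeds"
    printf '%s' "$mls" > "$root/selinux/mls"            # semanage: MLS fields or not
    printf '%s' "$policyvers" > "$root/selinux/policyvers"
}

# Print one line per finding; return 0 if clean, 1 if anything is off,
# 2 if there is no selinux directory at all.
audit_selinuxfs() {
    dir="$1/selinux"; rc=0
    [ -d "$dir" ] || { echo "no selinux dir under $1"; return 2; }
    for name in null enforcing context; do              # not needed in a chroot
        if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then
            echo "unnecessary: $name"; rc=1
        fi
    done
    for name in load mls policyvers; do                  # the three that matter
        [ -e "$dir/$name" ] || { echo "missing: $name"; rc=1; }
    done
    if [ -L "$dir/load" ] && [ "$(readlink "$dir/load")" != /dev/null ]; then
        echo "load should be a symlink to /dev/null"; rc=1
    fi
    return $rc
}
```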