[RFC] Livecd-creator and selinux, we can play nice

Eric Paris eparis at redhat.com
Wed May 28 20:11:23 UTC 2008


On Wed, 2008-05-28 at 16:04 -0400, Bill Nottingham wrote:
> Eric Paris (eparis at redhat.com) said: 
> > So I've spent a fair bit of time the last 2 weeks trying to get
> > livecd-creator and an selinux enforcing machine to play nicely together.
> > It doesn't look like much, but from the point of view of the livecd
> > creator I think the following patch is all we need.  Working with
> > rawhide as the host system I was able to build F8, F9 and rawhide
> > livecds with an enforcing machine.
> > 
> > I wouldn't suggest jumping into enforcing builds just yet as there are
> > still some policy issues I need to work out with the selinux people but
> > I would like comments.  Basically it's quite simple, if selinux is on the
> > host we create a fake /selinux which tells the install chroot lies.
> > I've had to make some changes to some selinux libraries to support all
> > this, but I think we are just about there.
> > 
> > I'll probably backport some of the kernel changes to F9 after they are
> > all tested and better settled but for now I'd like input on my livecd
> > changes....
> 
> My concern is this is a normal occurrence (needing a chroot)

Yes and no....

> that you're
> only patching in one place. Do we code this same logic into mock?

Mock doesn't need any special labeling knowledge, mock just has to have
policy that doesn't get in the way....   But mock is the next thing I'm
going to start trying to find issues with. 

>  Into
> pungi?

don't know pungi...

> Into yum --installroot?

possibly....

> Into the documentation for admins on
> how to set up a chroot?

where is this documentation?   usually, no, but if the chroot is
supposed to be drastically different than the host policy maybe...

> (Also, for general use, we need this in a RHEL 5 kernel. Fun!)

Yeah, I've heard that, and it's likely to not be possible....   Once we
all agree on how to make it work going forward we can talk about RHEL5.
