On Mon, 2008-06-09 at 10:12 -0400, Stephen Smalley wrote:
> + # we steal mls from the host system for now, might
be best to always set it to 1????
This might be a problem for building RHEL 4 images, since MLS wasn't
enabled there. I'm not certain though - I believe that there were
compatibility fixes put into RHEL 4 kernel updates to allow them to
mount filesystems modified under RHEL 5, so a modern RHEL 4 kernel would
ignore any MLS component in the context. But the policy Makefile could
be confused by /selinux/mls==1 there.
Building a RHEL4 live image is all but certain to involve a number of
additional and probably larger challenges. Just getting RHEL5 ones to
build takes some contortions at this point.
> - self.call(["/sbin/restorecon",
"-l", "-v", "-r", "/"])
> + self.call(["/sbin/restorecon", "-l", "-v",
"-r", "-F", "-e", "/proc", "-e",
"/sys", "-e", "/dev", "-e", "/selinux",
I assume that this is running the restorecon program from the chroot
rather than the host restorecon program. Any issues there with the
(potentially older) restorecon in the image not providing the same set
of options or behavior?
Yes, and this is definitely a possible concern. At the same time, if
people aren't building really old images that don't support all the
options, we should take advantage of what we can. So it's a bit of a
"use what we think we need, if someone wants to build something old
where that's not available, adapt"