> Also, does semodule need to have a running SELinux as I need to
> this module on a Linux system (image) which does NOT have SELinux
> running (yet)?
Not sure, try it out.
I will, though I have a gut feeling that it won't work as semodule may
be looking for a running SELinux database and I presume it picks up
policy (and files) from the running system. Will give it a try though!
> In other words, if I issue this command in a chroot-ed environment
> would that be enough? The "%post" section of the kickstart file does just that
> - it chroots to the image as it has been built and from there I can do
> whatever I like on the actual image, though this is not a running system
> - i.e. SELinux on that system is not loaded! If that is possible and if
> I run on different architectures (say the image is for x86_64 and the
> machine on which the image is built is i686) would it matter?
The policy is arch-independent but I am not sure if it can be installed
on a system that has no SELinux enabled. I think it is possible but I am
I'll give it a go!
You will still have the issue that you would have to relabel the
filesystem on each boot though.
Is that a necessary thing to do after installing a new module? My
understanding is that relabelling only corrects the SELinux file
attributes on every file on the system, so why would I need to do the
relabelling when I have just installed a new policy?
Also, if my assumption is correct then why would I need to have a
running SELinux to do that? It is a great inconvenience and a real pain
for scenarios I described in my previous posts!