On Mon, 2008-05-19 at 15:14 -0400, Eric Paris wrote:
> On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> > I've spent pretty much all week flailing around trying to get
> > livecd-creator working with selinux enforcing with F10 as both the host
> > and the image. Next week begins the journey of working on making old
> > composes work on F10. Where do I stand? Well, it seems to work! I
> > booted an image and logged in.
>
> Today I tried flipping my repos to point at F7 and tried to build.
> Didn't see any selinux messages but crap still hit the fan on boot
> (eventual kernel panic complaining about no root and killing init).
> So the interesting question there is whether the image was missing files
> or just mislabeled?
>
> Anyway, I also decided to see what would happen if I flipped my
> kickstart file to selinux --disabled while leaving the system enforcing.
> Sorta boom. Installing selinux-policy-targeted got really pissed off:
>
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.context_read_and_validate: invalid security context
> libsepol.policydb_to_image: new policy image is invalid
> libsepol.policydb_to_image: could not create policy image
> /usr/sbin/load_policy: Can't load policy: No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> libsemanage.semanage_install_active: Could not
> copy /etc/selinux/targeted/modules/active/policy.kern
> to /etc/selinux/targeted/policy/policy.21.
If you are going to build a selinux disabled image, then I assume you'd
want to fake the chroot into seeing SELinux as disabled too so that it
doesn't try to do things like load policy (as above). Which would mean
bind mounting a file over /proc/filesystems in the chroot to obscure the
presence of selinuxfs.
> But something tells me it's still going to work just fine once the build
> finishes. Anyway.
--
Stephen Smalley
National Security Agency
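The bind-mount trick suggested above, as an added example that is not part of the thread and not livecd-creator's own code. It assumes the chroot root path is passed as the first argument, that /proc is already mounted inside the chroot, that the caller has root privileges for mount(8), and, as the reply describes, that libselinux inside the chroot decides SELinux is absent when /proc/filesystems does not list selinuxfs. The filtering step is split out as a plain text filter so it can be checked without privileges.

```shell
#!/bin/sh
# Added example: hide selinuxfs from a build chroot so that package
# scriptlets inside it (e.g. selinux-policy-targeted's load_policy call)
# see SELinux as disabled and do not try to load policy on the host.

# filter_selinuxfs: copy a /proc/filesystems listing from stdin to stdout,
# dropping the "nodev\tselinuxfs" line. Pure text processing.
filter_selinuxfs() {
    grep -v 'selinuxfs$'
}

# hide_selinuxfs_in_chroot ROOT: build a filtered copy of the host's
# /proc/filesystems and bind mount it over the chroot's view of that file.
# Requires root; ROOT/proc must already be a mounted procfs.
hide_selinuxfs_in_chroot() {
    root="$1"                       # hypothetical chroot path, e.g. /var/tmp/imgcreate-xyz/install_root
    tmp="$(mktemp)"
    filter_selinuxfs < /proc/filesystems > "$tmp"
    mount --bind "$tmp" "$root/proc/filesystems"
}

# unhide_selinuxfs_in_chroot ROOT: undo the bind mount when the build is done.
unhide_selinuxfs_in_chroot() {
    umount "$1/proc/filesystems"
}

# chroot_sees_selinuxfs ROOT: returns 0 if selinuxfs is still visible from
# inside the chroot, 1 once it has been hidden. Handy as a sanity check
# before kicking off the package install.
chroot_sees_selinuxfs() {
    chroot "$1" /bin/sh -c 'grep -q "selinuxfs$" /proc/filesystems'
}

# Typical use (needs root):
#   hide_selinuxfs_in_chroot "$ROOT"
#   chroot_sees_selinuxfs "$ROOT" && echo "still visible" || echo "hidden"
#   ... run the package install ...
#   unhide_selinuxfs_in_chroot "$ROOT"
```

Note that the host keeps enforcing throughout; only the chroot's view of /proc/filesystems changes, and the bind mount must be removed before the build tool tears the chroot down or it will fail to unmount /proc.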