On Sun, 2005-01-09 at 12:48 -0500, Colin Walters wrote:
> On Sat, 2005-01-08 at 21:55 -0800, Bob Kashani wrote:
> > When I install the selinux-policy-targeted rpm in a chroot it seems that
> > load_policy is executed and loads the policy that's installed in the
> > chroot into the running kernel (I'm assuming via %post). Should
> > installing the selinux-policy-targeted rpm in a chroot allow this to
> > happen? What if you're installing a policy into the chroot that's
> > different than the one you have installed on your system? Is there a way
> > to not allow load_policy to execute in a chroot?
> I don't think we're going to be able to support generically using
> SELinux in chroots¹. Fundamentally chroot is a very weak virtualization
> mechanism; much of the core system leaks to the chroot (and vice versa),
> and that's the problem you're running into here. I think moving forward
> most of what people are doing with chroots (e.g. package building and
> especially testing) should be done with "real" virtualization like UML
> or Xen.
I'm actually playing around with UML as well. :) The only issue with
virtualization is that you end up taking a performance hit but on the
other hand it does make life easier.
> But one workaround for your problem may be to make SELinux appear to be
> disabled inside the chroot. I've attached two (completely untested)
> patches; the first attempts to make SELinux appear to be disabled if you
> don't mount /selinux inside the chroot, and the second makes load_policy
> exit immediately with 0 status if SELinux isn't enabled.
I'll try your patches. But I did figure out a simple workaround. (not
mounting /selinux in the chroot). It seems that if you don't
mount /selinux in the chroot then load_policy doesn't try to install the
policy in the chroot into the running kernel. I have no idea why that is
the case. But everything seems to work without mounting /selinux so...in
fact it seems that I don't even need /sys either. I just tried mounting
only /proc (which is what I was doing in the first place) with
selinux-policy-targeted-1.17.30-2.68 and everything works!!! :) I did do a
'touch /.autorelabel' as specified in the FAQ which seems to have helped
with a few other things as well.
I'll let you know how it goes with your patches.
Thanks,
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
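As an added example for the workaround Bob describes (not code from this thread, from libselinux or from the Fedora policy package): a small POSIX shell script that checks a mount table in /proc/mounts format and reports whether a selinuxfs is visible at a given root, and whether a chroot has the "proc only, no /selinux" layout that kept load_policy from touching the running kernel. The chroot path /var/chroot/fc3 and the two mount tables are constructed sample data; pass /proc/mounts to check a real system. The prepare_chroot helper, which needs root, is an assumption about how one would script the mount step and is not run by the checks.

```shell
#!/bin/sh
# Added example; not from the original mail or from the SELinux/Fedora code base.
# The chroot path, package name and mount-table contents are constructed.
#
# Thread workaround: inside the chroot, mount only /proc, never /selinux
# (nor /sys).  With no selinuxfs visible, the policy rpm's %post load_policy
# does not push the chroot's policy into the running kernel.

# selinuxfs_at MOUNTS ROOT -> 0 if a selinuxfs is mounted at ROOT/selinux
selinuxfs_at() {
    mounts="$1"; root="${2%/}"
    awk -v want="$root/selinux" \
        '$2 == want && $3 == "selinuxfs" { f = 1 } END { exit f ? 0 : 1 }' "$mounts"
}

# chroot_safe MOUNTS ROOT -> 0 if ROOT has proc mounted at ROOT/proc and
# no selinuxfs at ROOT/selinux (the layout Bob reports working)
chroot_safe() {
    mounts="$1"; root="${2%/}"
    awk -v proc="$root/proc" -v sel="$root/selinux" '
        $2 == proc && $3 == "proc"      { p = 1 }
        $2 == sel  && $3 == "selinuxfs" { s = 1 }
        END { exit (p && !s) ? 0 : 1 }' "$mounts"
}

# prepare_chroot ROOT: mount only proc, then refuse to go on if a selinuxfs
# is (still) mounted under ROOT, e.g. left over from an earlier session.
# Needs root; assumed helper, not exercised below.
prepare_chroot() {
    root="${1%/}"
    mkdir -p "$root/proc"
    mount -t proc proc "$root/proc" || return 1
    chroot_safe /proc/mounts "$root" || {
        echo "refusing: selinuxfs mounted under $root" >&2
        return 1
    }
}

# Constructed sample 1: host view, chroot at /var/chroot/fc3 with proc only.
SAMPLE_HOST=$(mktemp)
cat > "$SAMPLE_HOST" <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda2 / ext3 rw 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /selinux selinuxfs rw 0 0
none /var/chroot/fc3/proc proc rw 0 0
EOF

# Constructed sample 2: same chroot with /selinux mounted in as well, the
# setup under which load_policy in %post reached the running kernel.
SAMPLE_LEAKY=$(mktemp)
cat > "$SAMPLE_LEAKY" <<'EOF'
none /proc proc rw 0 0
none /selinux selinuxfs rw 0 0
none /var/chroot/fc3/proc proc rw 0 0
none /var/chroot/fc3/selinux selinuxfs rw 0 0
EOF

if [ "${1:-}" = "demo" ]; then
    selinuxfs_at "$SAMPLE_HOST" / && echo "host: selinuxfs mounted at /selinux"
    chroot_safe "$SAMPLE_HOST" /var/chroot/fc3 \
        && echo "fc3 chroot: proc only, safe to install the policy rpm"
    chroot_safe "$SAMPLE_LEAKY" /var/chroot/fc3 \
        || echo "leaky chroot: selinuxfs visible, load_policy would hit the kernel"
fi
```

Run it as `sh check-chroot.sh demo` to see the three verdicts on the sample tables. The check keys on the selinuxfs mount rather than on /sys because, as Bob found, /sys is not what load_policy needs; only the selinuxfs (at /selinux in this era) gives it a path into the kernel.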