On Mon, 2008-05-12 at 10:53 -0400, Stephen Smalley wrote:
> On second thought is that even possible? As I recall
> selinux-policy-targeted rpm is installed at about 128/129 packages when I
> do my livecd create. That means that we didn't even have an 'inside
> chroot' policy to check against for the vast majority of this operation.
> I'd assume that building the appropriate mock buildroot would have the
> same problem. Wonder how people would feel about really hacking up the
> buildroot creator to force install selinux stuff first and then run the
> full install transaction set....
For a normal install, anaconda has to set down an initial file contexts
file and load a policy to get things started, IIRC; otherwise rpm
wouldn't be able to label the files it sets down prior to installing.
It uses the policy from outside the chroot until things are put into the
chroot. This "works" for the anaconda case as we don't really fully
support installing a different environment than what your install images
are built with.
We've actually done a lot of work to make this more supported, but
SELinux is actually now the big blocker that I know of due to this
reasoning. At least for things which count as similar, for certain
values of that.
> > Or disable context validation altogether in userspace in
> Anyone have suggestions on how to go about this?
Absence of any /selinux/context at all should automatically do that.
> > Or create some kind of "identity" node in the selinuxfs filesystem
> > that is transaction-based like the existing selinuxfs nodes and always
> > returns whatever was written to it, then bind mount that on top
> > of /selinux/context.
> I did get that out of using a plain file and using O_TRUNC in libselinux
Yes, but I don't see how requiring the use of a hacked-up libselinux is
any better or more workable.
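Two points in this exchange are worth seeing concretely: why a plain file can only stand in as an "identity" node over /selinux/context if the writer truncates it first, and what a userspace check does when the context node is absent. The script below is an added illustration written for this page, not code from the thread, libselinux or anaconda. The write-then-read behaviour of a plain file is ordinary POSIX semantics and runs as-is; `check_context` is a simplified model of a userspace validator whose "absent node means validation is disabled" rule is taken from the post above and is an assumption about libselinux, not a transcription of it. The contexts and the temporary directory standing in for a selinuxfs mount point are constructed sample data.

```python
import os
import tempfile

# Constructed sample contexts (example data, not taken from the thread).
LONG_CTX = "system_u:object_r:etc_t:s0"
SHORT_CTX = "root:object_r:bin_t"


def write_then_read(path, context, truncate):
    """Write CONTEXT to PATH, then read the node back from offset 0.

    This mimics the write-then-read pattern a userspace validator uses on
    the selinuxfs 'context' node.  A plain file only behaves as an
    "identity" node (reads back exactly what was last written) if it is
    opened with O_TRUNC; otherwise a shorter write leaves the tail of the
    previous, longer write in place.
    """
    flags = os.O_RDWR | os.O_CREAT | (os.O_TRUNC if truncate else 0)
    fd = os.open(path, flags, 0o644)
    try:
        os.write(fd, context.encode())
        os.lseek(fd, 0, os.SEEK_SET)
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)


def identity_node_readback(truncate):
    """Return what a plain-file 'context' node reads back after a long
    context is written and then a shorter one, with or without O_TRUNC."""
    with tempfile.TemporaryDirectory() as d:
        node = os.path.join(d, "context")
        write_then_read(node, LONG_CTX, truncate)
        return write_then_read(node, SHORT_CTX, truncate)


def check_context(selinuxfs_dir, context):
    """Model (assumption, see lead-in) of a userspace context check against
    a selinuxfs mount point such as /selinux.

    Returns (valid, reason).  If the 'context' node is absent, there is
    nothing to validate against, so validation is treated as disabled and
    the context is accepted.  If it is present, the context is written to
    the node and the read-back is compared with what was written; with a
    plain file bind-mounted there, this accepts every context.
    """
    node = os.path.join(selinuxfs_dir, "context")
    if not os.path.exists(node):
        return True, "no context node: validation disabled"
    # Real selinuxfs rejects an invalid context at write() time; a plain
    # file cannot, so the only thing left to compare is the read-back.
    readback = write_then_read(node, context, truncate=True)
    if readback == context:
        return True, "node echoed the context back"
    return False, "node answered %r" % readback


def plain_file_demo():
    """Run check_context against an empty directory (no node) and then
    against one holding an empty plain file standing in for the node."""
    with tempfile.TemporaryDirectory() as fake_selinuxfs:
        absent = check_context(fake_selinuxfs, LONG_CTX)[0]
        open(os.path.join(fake_selinuxfs, "context"), "w").close()
        plain = check_context(fake_selinuxfs, "anything_at_all")[0]
    return absent, plain


if __name__ == "__main__":
    print("with O_TRUNC:   ", identity_node_readback(True))
    print("without O_TRUNC:", identity_node_readback(False))
    print("absent node, plain file:", plain_file_demo())
```

Without truncation the second, shorter write reads back as the short context with the tail of the longer one glued on, which is exactly the garbage a validator would then compare against; with O_TRUNC the file echoes each write faithfully, and every context is accepted, which is why a plain file over /selinux/context is equivalent to turning validation off rather than a way to validate inside the chroot.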