Re: Fedora buildsys and SELinux

On Mon, 2008-05-12 at 17:05 -0400, Stephen Smalley wrote: How does it do this check? Guess I should pull some rpm sources. My lord I don't wanna.... I've got my fake selinux mount inside the chroot much like I previously described. /selinux/create is still getting long strings in it that don't make much sense. I guess something is using it directly and not through the libselinux interface?!?! enforcing=1 /selinux inside the chroot is the little thing that I made up to fake it. Installing: selinux-policy ##################### [128/129] Installing: selinux-policy-targeted ##################### [129/129] libsemanage.dbase_llist_query: could not query record value libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user guest_u libsepol.sepol_user_modify: could not load (null) into policy libsemanage.dbase_policydb_modify: could not modify record value libsemanage.semanage_base_merge_components: could not merge local modifications into policy /usr/sbin/semanage: Could not add SELinux user guest_u libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user xguest_u libsepol.sepol_user_modify: could not load (null) into policy libsemanage.dbase_policydb_modify: could not modify record value libsemanage.semanage_base_merge_components: could not merge local modifications into policy /usr/sbin/semanage: Could not add SELinux user xguest_u ERROR:dbus.proxies:Introspect error on :1.3:/org/freedesktop/Hal/Manager: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. /sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0 /sbin/restorecon reset /bin context unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0 /sbin/restorecon reset /bin/rvi context unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0 /sbin/restorecon reset /bin/touch context unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0 /sbin/restorecon reset /bin/mountpoint context unconfined_u:object_r:file_t:s0->system_u:object_r:mount_exec_t:s0 /sbin/restorecon reset /bin/arch context unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0 and restorecon goes on like this, and on, and on, and on, and on other things of note, restorecond goes nuts fixing up /etc/mtab for a while, must be some bad/no transition going on when we call mount? I get no kernel AVC's but I do get: [root@dhcp231-25 ~]# ausearch -m AVC -m USER_AVC ---- time->Mon May 12 17:19:48 2008 type=USER_AVC msg=audit(1210627188.083:329): user pid=1849 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=2044 tpid=6840 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' ---- time->Mon May 12 17:20:13 2008 type=USER_AVC msg=audit(1210627213.086:330): user pid=1849 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=2044 tpid=6840 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' I've never seen unconfined_notrans_t until I started playing with this stuff. Dan, what is it? /me goes to try to build a livecd image with permissive and then with no /selinux inside the chroot. -Eric