Eric Paris wrote:
Current Setup:
F9 trying to build an F9 livecd so policy should be happy. I'm trying
to eliminate the illegal file context cruft to start with.
Enforcing.
the label on livecd-creator is bin_t NOT unconfined_notran_t
chroot/selinux contains:
null -> /dev/null
load -> /dev/null
mls -> 1
enforcing -> 1
policyvers -> 22
context -> regular file
libselinux always opens files with O_TRUNC
libselinux rpm_execcon has the patch to return -1 and set con =
context_new(mycon);
the new libselinux is being used inside and outside the chroot
rpm was NOT rebuilt with the new libselinux, rpm.src.rpm only requires
libselinux-devel not libselinux-static so I'm hoping we are safe.
******************************
^M Installing: kbd ##################### [126/129]
^M Installing: kernel ##################### [127/129]
^M Installing: selinux-policy ##################### [128/129]
^M Installing: selinux-policy-targeted ##################### [129/129]
All of this still went smoothly...
libsemanage.dbase_llist_query: could not query record value
No idea where this is coming from
/sbin/restorecon reset / context
system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
/sbin/restorecon reset /lib context
unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd context
unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans context
unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans/cp1250_to_uni.trans context
unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans/cp1251_to_uni.trans context
unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans/8859-4_to_uni.trans context
unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
We are back to calling restorecon on every single file.....
-Eric
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I don't have a problem with calling restorecon on every single file,
since this is a limited number of files. The goal is to allow the
chroot to run without mucking around with the host security. So I don't
have to run permissive or disabled if I use mock/livecd. If mock/livecd
have to relabel when they complete that is fine.