Fedora buildsys and SELinux

Jeremy Katz katzj at redhat.com
Mon May 12 20:33:10 UTC 2008


On Mon, 2008-05-12 at 11:26 -0400, Bill Nottingham wrote:
> Eric Paris (eparis at redhat.com) said: 
> > same problem.  Wonder how people would feel about really hacking up the
> > buildroot creator to force install selinux stuff first and then run the
> > full install transaction set....
> 
> Due to dependencies, you can never load the policy 'first'.

Just to make this a little bit more explicit for others following along,
we can't do this because loading the policy requires that the policy be
installed on disk as well as things like load_policy being on disk.
That depends on having libc, etc in the chroot as well.  So ignoring
questions of taste, you'd still have the chicken and egg problem.

But as far as taste is concerned, hacking up every single thing that
ever creates a chroot feels wrong, wrong, wrong, wrong, wrong.
Especially because it's not little hacks, it's a big hack involving
creating a new micro-transaction with only a subset of the packages.  It
also becomes "interesting" when you start to think about update
operations within a chroot.

Jeremy



