Fedora buildsys and SELinux

Stephen Smalley sds at tycho.nsa.gov
Tue May 13 14:46:42 UTC 2008 

On Tue, 2008-05-13 at 10:36 -0400, Eric Paris wrote:
> > I'm not sure you need anything there; as I've said,
> > is_selinux_enabled() will just fall back to checking /proc/filesystems
> > for selinuxfs as the authoritative indicator of whether or not SELinux
> > is enabled.
> 
> But we have other problems without /selinux mounted inside the chroot
> (and this is without the rpm_execcon patch which I'm about to put in,
> does rpm statically or dynamically link?)  :(

Looks like rpm and rpmi are dynamically linked.  Don't know if there is
a static version somewhere for bootstrapping.

> New, Interesting and different at least:
> 
>   Installing: selinux-policy               ##################### [128/129] 
>   Installing: selinux-policy-targeted      ##################### [129/129] 
> libsemanage.dbase_llist_query: could not query record value
> libsepol.policydb_write: policy version 15 cannot support MLS
> 
> I assume this is because there isn't an selinux/policyvers?

Yes, but all of this flows from the fact that semodule/libsemanage are
trying to actually load a new policy.   Which they wouldn't if we
completely faked that SELinux was disabled within the chroot by making a
fake /proc/filesystems.  But allegedly that breaks rpm?  Which I don't
fully understand as it should just check whether SELinux is enabled
prior to chroot'ing and keep using that saved enabled status throughout
IMHO.  Or if you invoked semodule with -n it wouldn't try to reload.

If all else fails, I suppose you could create a /selinux/policyvers
and /selinux/mls to try to appease it.  And maybe still a /dev/null link
as /selinux/load to appease policy load.

> libsepol.policydb_to_image: could not compute policy length
> libsepol.policydb_to_image: could not create policy image
> SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.23, searching for an older version.
> SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.23:  No such file or directory
> /usr/sbin/load_policy:  Can't load policy:  No such file or directory

Yes, trying to load policy is the root problem here.  So ideally we'd
just disable that altogether as above or failing that fake it as above.

> ERROR:dbus.proxies:Introspect error on :1.3:/org/freedesktop/Hal/Manager: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

That might just be a bug in the host policy, not allowing something that
ought to be allowed and that only happens to get triggered here.

> /sbin/restorecon reset /dev/stderr context unconfined_u:object_r:file_t:s0->system_u:object_r:device_t:s0
> /sbin/restorecon reset /dev/stdin context unconfined_u:object_r:file_t:s0->system_u:object_r:device_t:s0
> /sbin/restorecon reset /dev/random context unconfined_u:object_r:file_t:s0->system_u:object_r:random_device_t:s0

That may make sense given that udev manages device node labels for us
these days.  But /dev/stderr is just a symlink to /proc/self/fd/2
anyway, right?

> There were actually a whole lot less when the restorecon ran through
> (still a bunch but a lot less), so I think that part is better.
> 
> After the restorecon finished and before the e2fsck I got:
> 
> Only root can do that.
> 
> Anyone have ideas what that might have been?

mount would do that if it didn't think it was running as root.
 
-- 
Stephen Smalley
National Security Agency

More information about the selinux mailing list