Valent Turkovic wrote:
> John Dennis wrote:
>> Valent Turkovic wrote:
>>> 2008/1/22 Jesse Keating <jkeating@xxxxxxxxxx>:
>>>> On Tue, 22 Jan 2008 13:29:03 +0100
>>>> "Valent Turkovic" <valent.turkovic@xxxxxxxxx> wrote:
>>>>
>>>>> I tested revisor and wanted to make an up to date version of Fedora 8
>>>>> Live CD - but selinux put a stop to that.
>>>> Selinux is not going to work at all for things like revisor (and
>>>> pungi/livecd-creator). Both make use of chroots to install packages
>>>> into, and in certain cases you can wind up causing lots of harm to your
>>>> host system (installing a new policy in the chroot will actually cause
>>>> that policy to activate on the running kernel and then you have policy
>>>> that doesn't match labels, watch the fun!).
>>>>
>>>> It is strongly recommended that you disable SELinux or at least put it
>>>> in permissive if you're going to be doing composes.
>>>
>>> Is there a way to make selinux aware of that or at least put a
>>> notification window saying that you need to disable selinux in order
>>> to use revisor?
>>
>> Revisor could be aware of SELinux and provide a warning, SELinux
>> cannot do this.
>>
>>> One more issue for removing selinux as I said in an earlier thread :)
>>> Selinux breaks features by design and in a bad way, and I as a user
>>> see more trouble from selinux than it is worth (just MHO).
>>
>> Your dissatisfaction with SELinux has been duly noted by the list, you
>> are free to disable it. However, we would prefer contributions to make
>> the distribution more robust and smooth out the bumps rather than
>> disabling the technology. Your choice.
>>
>
> I started to like selinux because all of you great fedora devels said
> nothing but praises for it, but still it seems that any "feature" I test
> seems to break because of selinux.
>
> But don't worry you all convinced me that selinux has a good reason to
> stay.
>
> Valent.
>

As Jesse stated earlier, using SELinux on a machine where you are going to use a chroot and install packages without using a virtual machine currently will not work. You are using the same kernel for both the chroot and the host machine, so when a package loads new policy in the chroot (selinux-policy-*rpm) the new policy will affect the host machine. For example, if you are building a Fedora 7 livecd on a Fedora 8 host machine, when the new selinux-policy package gets installed the Fedora 7 policy will load and replace the Fedora 8 policy. This will invalidate any contexts that existed in Fedora 8 and not in Fedora 7, causing them to become unlabeled_t. If this happens to a process, the process usually goes wild.

We (SELinux engineering) are working on some solutions, but don't have a good one now. Virtual machines? Getting the chroot to run with a different kernel. Faking out /selinux in chroot to do nothing on policy load? Trying to stop Transitions?

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
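The thread notes that SELinux itself cannot warn about this, but a compose tool could. The following is an added example, not code from revisor or from anyone in the thread: a pre-compose guard that reads the kernel's enforce flag from selinuxfs (the enforce file path is a parameter so it can be pointed at a constructed file) and flags any selinux-policy package in the package list that is about to be installed into the chroot, since that is the package whose install replaces the host's loaded policy.

```shell
#!/bin/sh
# Report the SELinux mode as seen by the kernel shared by host and chroot:
# "disabled" (no selinuxfs enforce file), "permissive" (0) or "enforcing" (1).
# $1 optionally overrides the enforce file (used by the test below).
selinux_mode() {
    enforce_file="$1"
    if [ -z "$enforce_file" ]; then
        # Modern mount point first, then the /selinux path the thread mentions.
        for f in /sys/fs/selinux/enforce /selinux/enforce; do
            if [ -r "$f" ]; then enforce_file="$f"; break; fi
        done
    fi
    [ -n "$enforce_file" ] && [ -r "$enforce_file" ] || { echo disabled; return 0; }
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Return 0 if the package list file ($1, one package name per line) contains a
# selinux-policy* package, i.e. the install that would reload host policy.
policy_in_package_list() {
    grep -q '^selinux-policy' "$1" 2>/dev/null
}

# Decide whether a compose may proceed: $1 enforce file (empty = autodetect),
# $2 package list file. Returns 0 to proceed, 1 to refuse.
compose_precheck() {
    mode=$(selinux_mode "$1")
    if policy_in_package_list "$2"; then
        echo "note: package list installs selinux-policy; with a shared kernel this replaces the host policy" >&2
    fi
    case "$mode" in
        disabled) return 0 ;;
        permissive)
            echo "warning: SELinux is permissive; host policy can still be replaced by the chroot install" >&2
            return 0 ;;
        *)
            echo "refusing: SELinux is $mode; set it to permissive or disable it before composing" >&2
            return 1 ;;
    esac
}
```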