I've spent pretty much all week flailing around try to get livecd-creator working with selinux enforcing with F10 as both the host and the image. Next week begins the journey of working on making old composes work on F10. Where do I stand? Well, it seems to work! I booted an image and logged in. Changes I've made so far (doesn't look like a whole lot for basically a week of work....) policycoreutils got some updates to allow users to be created in the chroot (already built and in koji) and to make relabeling a little better. libselinux has no changes with my current approach. I do not want rpm running inside the chroot to transition to rpm_t, nor do I want scriptlets to run as rpm_script_t as then those scriptlets can cause transitions to things like depmod_t which isn't going to have permissions necessary to run with the possibly screwy labels inside the chroot. I added one rule to policy to allow hal to respond back to chroot allow hald_t unconfined_notrans_t:dbus send_msg; Create a fake /selinux inside the chroot it contains: mls -> copy from host poliyver -> copy from host enforce -> 0 load -> /dev/null This means that from the point of view of the inside of the chroot selinux is "on" but not enforcing. The not enforcing part is important because some programs (passwd for example) try to determine if selinux is going to permit something before it actually tries it. If passwd realizes that selinux is enforcing but then it doesn't have a real /selinux to make those decisions it gets mad. So I'm lieing to the chroot. Changes to livecd-creator: diff -Naupr imgcreate/creator.py imgcreate.new/creator.py --- imgcreate/creator.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate.new/creator.py 2008-05-16 13:01:05.000000000 -0400 @@ -22,6 +22,7 @@ import stat import sys import tempfile import shutil +import selinux import yum import rpm @@ -427,7 +428,7 @@ class ImageCreator(object): self._mount_instroot(base_on) - for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"): + for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc"): makedirs(self._instroot + d) cachesrc = cachedir or (self.__builddir + "/yum-cache") @@ -439,10 +440,6 @@ class ImageCreator(object): (cachesrc, "/var/cache/yum")]: self.__bindmounts.append(BindChrootMount(f, self._instroot, dest)) - # /selinux should only be mounted if selinux is enabled (enforcing or permissive) - if kickstart.selinux_enabled(self.ks): - self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None)) - # Create minimum /dev origumask = os.umask(0000) devices = [('null', 1, 3, 0666), @@ -460,6 +457,20 @@ class ImageCreator(object): os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr") os.umask(origumask) + # selinux whoo hooo + if kickstart.selinux_enabled(self.ks): + makedirs(self._instroot + "/selinux") + # this should actually create our new fake /selinux, not bind from the host, though i haven't decided how + self.__bindmounts.append(BindChrootMount("/selinux1", self._instroot, "/selinux")) + + # label the fs like it is a root before the bind mounting + cmd = "/sbin/setfiles -F -r %s %s %s" % (self._instroot, selinux.selinux_file_context_path(), self._instroot) + os.system(cmd) + # these dumb things don't get magically fixed, so make the user generic + for f in ["/proc", "/sys", "/selinux"]: + cmd = "chcon -u system_u %s" % (self._instroot + f) + os.system(cmd) + self._do_bindmounts() os.symlink("../proc/mounts", self._instroot + "/etc/mtab") diff -Naupr imgcreate/kickstart.py imgcreate.new/kickstart.py --- imgcreate/kickstart.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate.new/kickstart.py 2008-05-15 10:10:40.000000000 -0400 @@ -372,11 +372,11 @@ class SelinuxConfig(KickstartConfig): if ksselinux.selinux == ksconstants.SELINUX_DISABLED: return - if not os.path.exists(self.path("/sbin/restorecon")): + if os.path.exists(self.path("/sbin/restorecon")): + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"]) + else: return - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"]) - def apply(self, ksselinux): if os.path.exists(self.path("/usr/sbin/lokkit")): args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"] -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list