On Mon, 2008-05-19 at 15:14 -0400, Eric Paris wrote:
> On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> > I've spent pretty much all week flailing around trying to get
> > livecd-creator working with selinux enforcing with F10 as both the host
> > and the image. Next week begins the journey of working on making old
> > composes work on F10. Where do I stand? Well, it seems to work! I
> > booted an image and logged in.
>
> Today I tried flipping my repos to point at F7 and tried to build.
> Didn't see any selinux messages but crap still hit the fan on boot
> (eventual kernel panic complaining about no root and killing init)

So the interesting question there is whether the image was missing files
or just mislabeled?

> Anyway, I also decided to see what would happen if I flipped my
> kickstart file to selinux --disabled while leaving the system enforcing.
> Sorta boom. Installing selinux-policy-targeted got really pissed off:
>
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.context_read_and_validate: invalid security context
> libsepol.policydb_to_image: new policy image is invalid
> libsepol.policydb_to_image: could not create policy image
> /usr/sbin/load_policy: Can't load policy: No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> libsemanage.semanage_install_active: Could not
> copy /etc/selinux/targeted/modules/active/policy.kern
> to /etc/selinux/targeted/policy/policy.21.

If you are going to build a selinux disabled image, then I assume you'd
want to fake the chroot into seeing SELinux as disabled too so that it
doesn't try to do things like load policy (as above). Which would mean
bind mounting a file over /proc/filesystems in the chroot to obscure the
presence of selinuxfs.

> But something tells me it's still going to work just fine once the build
> finishes. Anyway.

--
Stephen Smalley
National Security Agency

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
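The reply above suggests hiding selinuxfs from the chroot by bind-mounting a file over /proc/filesystems, so that userspace tools such as load_policy conclude SELinux is absent rather than failing as in the quoted log. The script below is an added illustration of that idea and is not code from the thread or from livecd-creator: it builds a filtered copy of a /proc/filesystems-style listing (a constructed sample, not read from the host), shows the presence check that the bind mount is meant to defeat, and wraps the privileged mount step in a function that is defined but not run. The helper names (filter_selinuxfs, selinuxfs_listed, hide_selinuxfs_in_chroot) and the chroot-path argument are assumptions for the example.

```shell
#!/bin/sh
# Added example: hide selinuxfs from a chroot build by replacing the
# /proc/filesystems listing it sees. Helper names are assumed, not from
# livecd-creator.

# Print a /proc/filesystems-style listing with the selinuxfs line removed.
# $1: path to the listing to filter. Exits 0 even if nothing was removed.
filter_selinuxfs() {
    grep -v -w 'selinuxfs' "$1" || true
}

# The presence check the bind mount is meant to defeat: userspace treats
# SELinux as available when selinuxfs appears in /proc/filesystems.
# $1: path to a listing. Returns 0 if selinuxfs is listed, 1 otherwise.
selinuxfs_listed() {
    grep -q -w 'selinuxfs' "$1"
}

# Bind-mount the filtered listing over /proc/filesystems inside the chroot
# so that policy loading in the chroot sees an SELinux-less kernel.
# $1: chroot directory (assumed argument), $2: filtered listing file.
# Requires root and a mounted /proc in the chroot; defined here, not run.
hide_selinuxfs_in_chroot() {
    mount --bind "$2" "$1/proc/filesystems"
}

# Constructed sample of what a host with SELinux shows in /proc/filesystems:
# "nodev" entries are virtual filesystems, block-backed ones start with a tab.
SAMPLE=$(mktemp)
FILTERED=$(mktemp)
trap 'rm -f "$SAMPLE" "$FILTERED"' EXIT
printf 'nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\nnodev\ttmpfs\n' > "$SAMPLE"

# Produce the listing that would be bind-mounted into the chroot.
filter_selinuxfs "$SAMPLE" > "$FILTERED"

if selinuxfs_listed "$SAMPLE"; then
    echo "host listing: selinuxfs present"
fi
if selinuxfs_listed "$FILTERED"; then
    echo "filtered listing: selinuxfs still present (unexpected)"
else
    echo "filtered listing: selinuxfs hidden"
fi
```

To apply it for real you would run the filter against the host's /proc/filesystems and call hide_selinuxfs_in_chroot on the build chroot before the package installs that trigger load_policy; the bind mount only masks the listing inside the chroot and leaves the host's enforcing state untouched.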