On Sat, 2005-01-08 at 21:55 -0800, Bob Kashani wrote:
> When I install the selinux-policy-targeted rpm in a chroot it seems that
> load_policy is executed and loads the policy that's installed in the
> chroot into the running kernel (I'm assuming via %post). Should
> installing the selinux-policy-targeted rpm in a chroot allow this to
> happen? What if you're installing a policy into the chroot that's
> different than the one you have installed on your system? Is there a way
> to not allow load_policy to execute in a chroot?

I don't think we're going to be able to support generically using SELinux in chroots¹. Fundamentally chroot is a very weak virtualization mechanism; much of the core system leaks to the chroot (and vice versa), and that's the problem you're running into here. I think moving forward most of what people are doing with chroots (e.g. package building and especially testing) should be done with "real" virtualization like UML or Xen.

But one workaround for your problem may be to make SELinux appear to be disabled inside the chroot. I've attached two (completely untested) patches; the first attempts to make SELinux appear to be disabled if you don't mount /selinux inside the chroot, and the second makes load_policy exit immediately with 0 status if SELinux isn't enabled.

¹ By "generically" I mean e.g. a stock FC3 installation. Certainly it's possible to add policy for a specific chrooted application.
--- libselinux-1.20.1/src/enabled.c~ 2005-01-07 09:46:48.000000000 -0500 +++ libselinux-1.20.1/src/enabled.c 2005-01-09 12:38:58.843266136 -0500 @@ -39,7 +39,10 @@ if (!strstr(buf, "selinuxfs")) goto out2; - + if (!selinux_mnt) + goto out2; + if (security_getenforce () < 0 && errno == ENOENT) + goto out2; enabled = 1; if (getcon(&con) == 0) {
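Review bot: the two added checks in enabled.c reference `errno` and `ENOENT` but the hunk adds no `#include <errno.h>`; confirm enabled.c already includes it, otherwise this will not compile. The hunk would also benefit from a comment explaining why both checks are needed: if `selinux_mnt` is discovered from the host's /proc/mounts, it can still be set inside a chroot even though /selinux is not reachable under the new root, so `!selinux_mnt` alone does not catch the chroot case and the `security_getenforce () < 0 && errno == ENOENT` test is the one actually doing the work. Note as well that this changes `is_selinux_enabled()` for every libselinux caller running in the chroot, not only load_policy, so anything else that consults it will also behave as if SELinux were off.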
--- policycoreutils-1.20.1/load_policy/load_policy.c~ 2005-01-07 09:43:00.000000000 -0500 +++ policycoreutils-1.20.1/load_policy/load_policy.c 2005-01-09 12:42:47.707094481 -0500 @@ -34,6 +34,13 @@ void *map; char *polpath, *boolpath = NULL, **names; + /* This is a workaround for load_policy being called inside + * a chroot; in this case we don't actually want to try + * loading a policy. + */ + if (!is_selinux_enabled ()) + exit (0); + #ifdef USE_NLS setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR);
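Review bot: the early `exit (0)` makes a skipped load indistinguishable from a successful one for the caller (an rpm %post, for instance), and the code comment describes it as a chroot workaround while the check itself is unconditional: on a host where SELinux is genuinely disabled, load_policy now also exits silently with status 0 instead of reporting a failure. Suggest at least printing a notice before exiting, e.g. `fprintf (stderr, "SELinux is not enabled, not loading policy\n");`, and rewording the comment to say the exit applies whenever SELinux is disabled, chroot or not. Also check what `is_selinux_enabled()` returns on error in this libselinux version: `!is_selinux_enabled ()` takes the exit path only for 0, so a negative error return would fall through to the normal load attempt.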