On Sun, 2005-01-09 at 12:48 -0500, Colin Walters wrote:
> On Sat, 2005-01-08 at 21:55 -0800, Bob Kashani wrote:
> > When I install the selinux-policy-targeted rpm in a chroot it seems that
> > load_policy is executed and loads the policy that's installed in the
> > chroot into the running kernel (I'm assuming via %post). Should
> > installing the selinux-policy-targeted rpm in a chroot allow this to
> > happen? What if you're installing a policy into the chroot that's
> > different than the one you have installed on your system? Is there a way
> > to not allow load_policy to execute in a chroot?
>
> I don't think we're going to be able to support generically using
> SELinux in chroots¹. Fundamentally chroot is a very weak virtualization
> mechanism; much of the core system leaks to the chroot (and vice versa),
> and that's the problem you're running into here. I think moving forward
> most of what people are doing with chroots (e.g. package building and
> especially testing) should be done with "real" virtualization like UML
> or Xen.

I'm actually playing around with UML as well. :) The only issue with
virtualization is that you end up taking a performance hit, but on the
other hand it does make life easier.

> But one workaround for your problem may be to make SELinux appear to be
> disabled inside the chroot. I've attached two (completely untested)
> patches; the first attempts to make SELinux appear to be disabled if you
> don't mount /selinux inside the chroot, and the second makes load_policy
> exit immediately with 0 status if SELinux isn't enabled.

I'll try your patches. But I did figure out a simple workaround (not
mounting /selinux in the chroot). It seems that if you don't mount
/selinux in the chroot then load_policy doesn't try to install the policy
in the chroot into the running kernel. I have no idea why that is the
case. But everything seems to work without mounting /selinux so... in
fact it seems that I don't even need /sys either.

I just tried mounting only /proc (which is what I was doing in the first
place) with selinux-policy-targeted-1.17.30-2.68 and everything works!!! :)
I did do a 'touch /.autorelabel' as specified in the FAQ which seems to
have helped with a few other things as well.

I'll let you know how it goes with your patches.

Thanks,

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
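The workaround Bob settled on is to mount only /proc inside the chroot, so that no selinuxfs is visible to the chroot's load_policy. The script below is an added example, not code from the thread or from the SELinux project: it defines a pre-check that scans a mounts table (the /proc/mounts format, or a constructed sample) for any selinuxfs mounted at or below the chroot root, and a helper that mounts just /proc, runs the check, and only then enters the chroot. The check goes slightly beyond the thread in that it matches selinuxfs wherever it is mounted, so it also covers the /sys/fs/selinux location used by later kernels. The mount-table sample, the chroot path /var/chroot and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the SELinux project).
# Assumes POSIX sh plus awk, and the /proc/mounts line format:
#   <device> <mountpoint> <fstype> <options> 0 0

# selinuxfs_under CHROOT MOUNTS_FILE
# Exit 0 (true) if MOUNTS_FILE lists a selinuxfs mount at or below CHROOT,
# 1 otherwise. A trailing slash on CHROOT is tolerated. Matching on the
# filesystem type rather than the path catches both /selinux and
# /sys/fs/selinux, and anything that leaked in via a recursive bind of /.
selinuxfs_under() {
    root=${1%/}
    mounts=$2
    awk -v root="$root" '
        $3 == "selinuxfs" && ($2 == root || index($2, root "/") == 1) { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$mounts"
}

# enter_chroot CHROOT CMD...
# Mounts only /proc inside CHROOT (no /selinux, no /sys), refuses to
# continue if a selinuxfs is nevertheless visible below CHROOT, and then
# runs CMD in the chroot. Needs root; the verifier does not exercise it.
enter_chroot() {
    root=$1; shift
    mount -t proc proc "$root/proc" || return 1
    if selinuxfs_under "$root" /proc/mounts; then
        echo "refusing: selinuxfs is mounted below $root, so the chroot's" \
             "load_policy could reach the running kernel" >&2
        umount "$root/proc"
        return 1
    fi
    chroot "$root" "$@"
    rc=$?
    umount "$root/proc"
    return $rc
}

# demo: run the check against a constructed mounts table (no root needed).
# Prints "clean" for a chroot that has only /proc, "leaked" for one where
# selinuxfs was mounted at the old /selinux location.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        'proc /proc proc rw 0 0' \
        'none /selinux selinuxfs rw 0 0' \
        'proc /var/chroot/proc proc rw 0 0' \
        'none /var/chroot2/selinux selinuxfs rw 0 0' > "$tmp"
    if selinuxfs_under /var/chroot "$tmp"; then echo leaked; else echo clean; fi
    if selinuxfs_under /var/chroot2 "$tmp"; then echo leaked; else echo clean; fi
    rm -f "$tmp"
}

[ "${0##*/}" = "chroot-check.sh" ] && demo
```

Run `enter_chroot /var/chroot rpm -ivh selinux-policy-targeted-*.rpm` as root to install the package with only /proc mounted; the check fails closed if an earlier recursive bind mount has carried the host's selinuxfs into the chroot tree.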