On Mon, 2008-05-12 at 08:17 -0400, Stephen Smalley wrote:
> On Fri, 2008-05-09 at 16:00 -0400, Eric Paris wrote:
> > So I added O_TRUNC to both of the callers to /selinux/context in
> > libselinux and that took care of the lsetfilecon() crap but I still get
> > tons and tons of "scriptlet failed, exit status 255"
> >
> > Anyone have ideas/suggestions how to debug those more?
>
> Ah, it is likely failing on the rpm_execcon(3) ->
> security_compute_create(3) call i.e. writing to /selinux/create.
> Which computes the context in which to run the scriptlet or helper from
> the policy. If that returns the same as rpm's own context, then we fall
> back to rpm_script_t. So this affects things like ldconfig.
>
> I increasingly suspect we're better off not mounting selinuxfs within
> the chroot at all and addressing any issues that arise via policy.

If we don't mount selinuxfs, then anything that attempts to figure out
if SELinux is enabled (i.e. the fact that rpm checks if SELinux is enabled
to determine whether or not to set the xattrs) will fail. Also, I don't
remember for certain without looking, but even restorecon checks like
that from what I remember.

So we have to at least have some of /selinux present or we have to do
deeper tricks with labeling outside of chroots which ... pain :-/

Jeremy
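The dependency described in the reply above, as an added example (not code from this thread, rpm or libselinux): a simplified check that looks for a selinuxfs entry in /proc/mounts-format text, showing why a chroot without the mount looks like a system with SELinux disabled. Detection through the mount table is an assumption made for the example; the function name and both mount tables are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: scan /proc/mounts-style text for an entry whose
 * filesystem type (third field) is selinuxfs. On success copy the mount
 * point into out and return 1; return 0 when no such entry exists, which
 * is what a tool running in a chroot without the mount would see. */
int find_selinuxfs(const char *mounts, char *out, size_t outlen)
{
    char buf[512], dir[256], type[64];

    while (*mounts) {
        /* Work on one line at a time so fields never span lines. */
        size_t n = strcspn(mounts, "\n");
        snprintf(buf, sizeof buf, "%.*s", (int)n, mounts);

        /* Fields: device, mount point, fs type; only the type decides. */
        if (sscanf(buf, "%*s %255s %63s", dir, type) == 2 &&
            strcmp(type, "selinuxfs") == 0) {
            snprintf(out, outlen, "%s", dir);
            return 1;
        }
        mounts += n;
        if (*mounts == '\n')
            mounts++;
    }
    return 0;
}

/* Constructed sample: host view with selinuxfs mounted on /selinux. */
const char HOST_MOUNTS[] =
    "/dev/root / ext3 rw 0 0\n"
    "proc /proc proc rw 0 0\n"
    "none /selinux selinuxfs rw 0 0\n";

/* Constructed sample: chroot view without the mount. The first field of
 * the last line is named selinuxfs, but its type is ext3. */
const char CHROOT_MOUNTS[] =
    "/dev/root / ext3 rw 0 0\n"
    "proc /proc proc rw 0 0\n"
    "selinuxfs /mnt/data ext3 rw 0 0\n";

int main(void)
{
    char mp[256];

    printf("host:   %s\n", find_selinuxfs(HOST_MOUNTS, mp, sizeof mp)
                               ? mp : "no selinuxfs (looks disabled)");
    printf("chroot: %s\n", find_selinuxfs(CHROOT_MOUNTS, mp, sizeof mp)
                               ? mp : "no selinuxfs (looks disabled)");
    return 0;
}
```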