On Tue, 2008-05-13 at 08:44 -0400, Stephen Smalley wrote:
> On Mon, May 12, 2008 at 5:26 PM, Eric Paris <eparis@xxxxxxxxxx> wrote:
> > On Mon, 2008-05-12 at 17:05 -0400, Stephen Smalley wrote:
> > > On Mon, May 12, 2008 at 4:33 PM, Jeremy Katz <katzj@xxxxxxxxxx> wrote:
> > > >
> > > The only problem I see with not having selinuxfs mounted at all within
> > > the chroot or even providing fake /selinux nodes is that rpm_execcon()
> > > will then see SELinux as disabled and thus not try to run the
> > > scriptlet in a different domain;
> >
> > How does it do this check?  Guess I should pull some rpm sources.  My
> > lord I don't wanna....
>
> You don't have to look at rpm for that - rpm_execcon() is a helper
> function provided by libselinux for use by rpm.  I sent you a patch
> separately for it that should get it past a missing /selinux/create
> node, so you should be able to completely remove /selinux/context and
> /selinux/create and still proceed (at least in permissive mode).

Will do.....

> I'm not sure you need anything there; as I've said,
> is_selinux_enabled() will just fall back to checking /proc/filesystems
> for selinuxfs as the authoritative indicator of whether or not SELinux
> is enabled.

But we have other problems without /selinux mounted inside the chroot
(and this is without the rpm_execcon patch which I'm about to put in;
does rpm statically or dynamically link?)  :(

New, interesting and different at least:

Installing: selinux-policy            ##################### [128/129]
Installing: selinux-policy-targeted   ##################### [129/129]
libsemanage.dbase_llist_query: could not query record value
libsepol.policydb_write: policy version 15 cannot support MLS

I assume this is because there isn't a selinux/policyvers?

libsepol.policydb_to_image: could not compute policy length
libsepol.policydb_to_image: could not create policy image
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.23, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.23: No such file or directory
/usr/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.23. (No such file or directory).
semodule: Failed!
/usr/sbin/semanage: Invalid prefix user
/usr/sbin/semanage: Invalid prefix user
ERROR:dbus.proxies:Introspect error on :1.3:/org/freedesktop/Hal/Manager: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
/sbin/restorecon reset /dev/stderr context unconfined_u:object_r:file_t:s0->system_u:object_r:device_t:s0
/sbin/restorecon reset /dev/stdin context unconfined_u:object_r:file_t:s0->system_u:object_r:device_t:s0
/sbin/restorecon reset /dev/random context unconfined_u:object_r:file_t:s0->system_u:object_r:random_device_t:s0

There were actually a whole lot less when the restorecon ran through
(still a bunch but a lot less), so I think that part is better.

After the restorecon finished and before the e2fsck I got:

Only root can do that.

Anyone have ideas what that might have been?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
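The fallback Stephen describes above (treating a `selinuxfs` entry in `/proc/filesystems` as the authoritative sign that the running kernel has SELinux, independent of whether `/selinux` is mounted in the current chroot) is easy to reproduce outside libselinux. The following is an added example written for this page, not code from the thread, from libselinux or from rpm; it assumes the 2008-era mountpoint `/selinux` used in the thread (passed in as a parameter, since later distributions moved it), the standard `/proc/filesystems` and `/proc/mounts` line formats, and constructed sample input standing in for the chroot in which the kernel supports SELinux but nothing is mounted at `/selinux`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libselinux code: separate "kernel has SELinux" from
 * "selinuxfs is mounted where this process expects it", which is exactly
 * the distinction that bit the chroot install in the thread. */
enum selinux_state {
    SELINUX_KERNEL_DISABLED = 0,  /* no selinuxfs in /proc/filesystems */
    SELINUX_ENABLED_MOUNTED = 1,  /* kernel has it and it is mounted here */
    SELINUX_ENABLED_UNMOUNTED = 2 /* kernel has it, nothing mounted here */
};

/* /proc/filesystems lines look like "nodev\tselinuxfs" or "\text4":
 * the filesystem name is whatever follows the single tab. */
int selinuxfs_listed(const char *proc_filesystems)
{
    const char *line = proc_filesystems;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *tab = memchr(line, '\t', len);
        if (tab) {
            const char *name = tab + 1;
            size_t nlen = len - (size_t)(name - line);
            if (nlen == 9 && memcmp(name, "selinuxfs", 9) == 0)
                return 1;
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* /proc/mounts lines look like "selinuxfs /selinux selinuxfs rw,relatime 0 0";
 * match on both the fstype and the mountpoint this process expects. */
int selinuxfs_mounted_at(const char *proc_mounts, const char *mountpoint)
{
    const char *line = proc_mounts;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512], src[128], mp[256], type[64];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%127s %255s %63s", src, mp, type) == 3 &&
                strcmp(type, "selinuxfs") == 0 && strcmp(mp, mountpoint) == 0)
                return 1;
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* Combine the two checks: /proc/filesystems decides whether SELinux exists
 * at all; /proc/mounts only decides whether this chroot can talk to it. */
enum selinux_state classify(const char *proc_filesystems,
                            const char *proc_mounts, const char *mountpoint)
{
    if (!selinuxfs_listed(proc_filesystems))
        return SELINUX_KERNEL_DISABLED;
    return selinuxfs_mounted_at(proc_mounts, mountpoint)
               ? SELINUX_ENABLED_MOUNTED : SELINUX_ENABLED_UNMOUNTED;
}

/* Read a small file into a malloc'd NUL-terminated string; NULL on failure. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 4096, n = 0, got;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((got = fread(buf + n, 1, cap - n - 1, f)) > 0) {
        n += got;
        if (n + 1 >= cap) {
            char *tmp = realloc(buf, cap *= 2);
            if (!tmp) { free(buf); fclose(f); return NULL; }
            buf = tmp;
        }
    }
    buf[n] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    /* Constructed sample: kernel lists selinuxfs, chroot has nothing mounted. */
    static const char sample_fs[] = "nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n";
    static const char sample_mounts[] = "proc /proc proc rw 0 0\n";
    printf("sample chroot: state=%d\n", classify(sample_fs, sample_mounts, "/selinux"));

    char *fs = slurp("/proc/filesystems");
    char *mounts = slurp("/proc/mounts");
    if (fs && mounts)
        printf("this host: state=%d\n", classify(fs, mounts, "/selinux"));
    else
        printf("this host: /proc not readable\n");
    free(fs);
    free(mounts);
    return 0;
}
```

Run inside the chroot, the sample input yields state 2 (kernel enabled, selinuxfs not mounted here), which is the case the thread is about: a check that only looked for `/selinux` nodes would report SELinux as disabled, while a check keyed on `/proc/filesystems` reports it enabled and lets tools like `rpm_execcon()` and `load_policy` know they are running on an SELinux kernel without the filesystem being reachable.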