Re: Fedora buildsys and SELinux

Eric Paris <eparis@xxxxxxxxxx> · Tue, 13 May 2008 12:06:08 -0400

Current Setup:

F9 trying to build an F9 livecd so policy should be happy.  I'm trying
to eliminate the illegal file context cruft to start with.

Enforcing.

the label on livecd-creator is bin_t    NOT  unconfined_notran_t

chroot/selinux contains:
null -> /dev/null
load -> /dev/null
mls -> 1
enforcing -> 1
policyvers -> 22
context -> regular file

libselinux always opens files with O_TRUNC

libselinux rpm_execcon has the patch to return -1 and set con =
context_new(mycon);

the new libselinux is being used inside and outside the chroot

rpm was NOT rebuilt with the new libselinux, rpm.src.rpm only requires
libeselinux-devel not libselinux-static so I'm hoping we are safe.

******************************

^M  Installing: kbd                          ##################### [126/129]
^M  Installing: kernel                       ##################### [127/129]
^M  Installing: selinux-policy               ##################### [128/129]
^M  Installing: selinux-policy-targeted      ##################### [129/129]

All of this still went smoothly...

libsemanage.dbase_llist_query: could not query record value

No idea where this is coming from

/sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
/sbin/restorecon reset /lib context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans/cp1250_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans/cp1251_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans/8859-4_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0

We are back to calling restorecon on every single file.....

-Eric

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list