On Tue, 2008-05-13 at 12:06 -0400, Eric Paris wrote:
> Current Setup:
>
> F9 trying to build an F9 livecd so policy should be happy. I'm trying
> to eliminate the illegal file context cruft to start with.
>
> Enforcing.
>
> the label on livecd-creator is bin_t NOT unconfined_notran_t
>
> chroot/selinux contains:
> null -> /dev/null
> load -> /dev/null
> mls -> 1
> enforcing -> 1
> policyvers -> 22
> context -> regular file

Just as a reminder, I don't believe you should have context there at all,
as omitting it should just work (tm).

> libselinux always opens files with O_TRUNC

And thus you wouldn't need this hack.

> libselinux rpm_execcon has the patch to return -1 and set con =
> context_new(mycon);

Just to clarify, the patch should actually enable rpm_execcon() to proceed
with rpm_script_t even if /selinux/create does not exist.

> the new libselinux is being used inside and outside the chroot
>
> rpm was NOT rebuilt with the new libselinux, rpm.src.rpm only requires
> libselinux-devel not libselinux-static so I'm hoping we are safe.
>
> ******************************
>
> ^M Installing: kbd                     ##################### [126/129]
> ^M Installing: kernel                  ##################### [127/129]
> ^M Installing: selinux-policy          ##################### [128/129]
> ^M Installing: selinux-policy-targeted ##################### [129/129]
>
> All of this still went smoothly...
>
> libsemanage.dbase_llist_query: could not query record value
>
> No idea where this is coming from

Maybe a table was empty. Might want to look under etc/selinux/targeted
within the chroot.

> /sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
> /sbin/restorecon reset /lib context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/cp1250_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/cp1251_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/8859-4_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
>
> We are back to calling restorecon on every single file.....

Well, you did put back in a /selinux/context against my advice, and I'm not
sure what else you changed in the above. But more fundamentally we really
need someone who understands the code flow in rpm to explain when rpm checks
for SELinux status and how it switches from using policy outside the chroot
to using policy within the chroot for file labeling. An strace of rpm might
be interesting although no doubt very hard to follow.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
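An added example, not part of this thread or of libselinux: a small Python script that parses restorecon "reset ... context OLD->NEW" lines like the ones quoted above and reports which context fields changed and how many files still carried the unlabelled type file_t (the sign that rpm never labeled them at install time). The sample log is constructed from the quoted lines; the regex and field names are assumptions about restorecon's verbose output format.

```python
"""Summarise restorecon 'reset' output to see what got relabelled and why."""
import re
from collections import Counter

# Constructed sample, modelled on the restorecon lines quoted in the thread.
SAMPLE_LOG = """\
/sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
/sbin/restorecon reset /lib context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
/sbin/restorecon reset /lib/kbd/consoletrans/cp1250_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
"""

# Assumed verbose format: "restorecon reset PATH context OLD->NEW".
RESET_RE = re.compile(r"restorecon reset (?P<path>\S+) context (?P<old>\S+?)->(?P<new>\S+)")
FIELDS = ("user", "role", "type", "range")


def split_context(ctx):
    """Split user:role:type:range; the MLS range may itself contain ':' so split at most 3 times."""
    return dict(zip(FIELDS, ctx.split(":", 3)))


def parse_reset_lines(text):
    """Yield (path, old_context, new_context) for every reset line found."""
    for line in text.splitlines():
        m = RESET_RE.search(line)
        if m:
            yield m.group("path"), split_context(m.group("old")), split_context(m.group("new"))


def summarise(text):
    """Count relabelled files, how many were still file_t, and which context fields changed."""
    changed = Counter()
    unlabelled = 0
    total = 0
    for _path, old, new in parse_reset_lines(text):
        total += 1
        if old["type"] == "file_t":      # default type for files created without policy labeling
            unlabelled += 1
        for field in FIELDS:
            if old[field] != new[field]:
                changed[field] += 1
    return {"total": total, "unlabelled_file_t": unlabelled, "changed": dict(changed)}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

A high unlabelled_file_t count together with a changed "user" field (unconfined_u to system_u) points at files created with the installing process's context rather than from the chroot's file_contexts.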