Eric Paris wrote:
> Current Setup:
>
> F9 trying to build an F9 livecd so policy should be happy. I'm trying
> to eliminate the illegal file context cruft to start with.
>
> Enforcing.
>
> the label on livecd-creator is bin_t NOT unconfined_notran_t
>
> chroot/selinux contains:
> null -> /dev/null
> load -> /dev/null
> mls -> 1
> enforcing -> 1
> policyvers -> 22
> context -> regular file
>
> libselinux always opens files with O_TRUNC
>
> libselinux rpm_execcon has the patch to return -1 and set con =
> context_new(mycon);
>
> the new libselinux is being used inside and outside the chroot
>
> rpm was NOT rebuilt with the new libselinux, rpm.src.rpm only requires
> libselinux-devel not libselinux-static so I'm hoping we are safe.
>
> ******************************
>
> ^M Installing: kbd ##################### [126/129]
> ^M Installing: kernel ##################### [127/129]
> ^M Installing: selinux-policy ##################### [128/129]
> ^M Installing: selinux-policy-targeted ##################### [129/129]
>
> All of this still went smoothly...
>
> libsemanage.dbase_llist_query: could not query record value
>
> No idea where this is coming from
>
> /sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
> /sbin/restorecon reset /lib context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/cp1250_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/cp1251_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
> /sbin/restorecon reset /lib/kbd/consoletrans/8859-4_to_uni.trans context unconfined_u:object_r:file_t:s0->system_u:object_r:lib_t:s0
>
> We are back to calling restorecon on every single file.....
>
> -Eric
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I don't have a problem with calling restorecon on every single file,
since this is a limited number of files. The goal is to allow the
chroot to run without mucking around with the host security. So I don't
have to run permissive or disabled if I use mock/livecd. If mock/livecd
have to relabel when they complete, that is fine.