On Tue, 2008-05-13 at 12:53 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-13 at 12:06 -0400, Eric Paris wrote:
> > Current Setup:
> >
> > F9 trying to build an F9 livecd so policy should be happy. I'm trying
> > to eliminate the illegal file context cruft to start with.
> >
> > Enforcing.
> >
> > The label on livecd-creator is bin_t NOT unconfined_notran_t.
> >
> > chroot/selinux contains:
> > null -> /dev/null
> > load -> /dev/null
> > mls -> 1
> > enforcing -> 1
> > policyvers -> 22
> > context -> regular file
>
> Just as a reminder, I don't believe you should have context there at
> all, as omitting it should just work (tm).

You also shouldn't need "null" in /selinux; that's a node within selinuxfs for use by the kernel when closing unauthorized files upon execve and replacing them with references to the null device. It doesn't get used by SELinux userspace.

There is no "enforcing" file; it is "enforce" and I don't think you need it within the chroot for anything. It isn't the indicator of whether SELinux is enabled.

So that leaves you with just "load" (so that policy reload appears to succeed), "mls" (so that semanage knows whether to include MLS fields), and "policyvers" (again for policy reload purposes).

And neither "load" nor "policyvers" should be necessary if we could just disable policy reload altogether (which is possible, but not sure how to make it happen transparently under only these conditions), and "mls" wouldn't be necessary if we introduced proper support into libsemanage for querying the MLS status of the policy and changed semanage/seobject.py to use that instead.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
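As an added illustration (not code from the thread or from livecd-creator), the following hypothetical helper builds the minimal fake selinuxfs the reply says a chroot needs (just "load", "mls" and "policyvers") and audits an existing one for the entries the reply says can be dropped; the function names, the directory argument and the default values 1 and 22 are assumptions taken from the quoted setup.

```shell
#!/bin/sh
# Hypothetical helper, added as an example; not part of the original mail.

# Entries the reply says a chroot's fake selinuxfs does need.
NEEDED="load mls policyvers"
# Entries the reply says are unnecessary there ("enforcing" is not even
# the real node name; the kernel node is "enforce").
SURPLUS="null enforcing enforce context"

# make_fake_selinuxfs DIR MLS POLICYVERS
#   DIR        -> directory to populate, e.g. $CHROOT/selinux
#   MLS        -> 1 if the policy is MLS-enabled, else 0
#   POLICYVERS -> policy version the tools should see (22 in the thread)
make_fake_selinuxfs() {
    dir=$1; mls=$2; policyvers=$3
    mkdir -p "$dir"
    # "load" points at /dev/null so a policy reload appears to succeed.
    ln -sf /dev/null "$dir/load"
    # "mls" tells semanage whether to include MLS fields.
    printf '%s' "$mls" > "$dir/mls"
    # "policyvers" is consulted for policy reload purposes.
    printf '%s' "$policyvers" > "$dir/policyvers"
}

# audit_fake_selinuxfs DIR
#   Prints "missing:NAME" for each needed entry that is absent and
#   "surplus:NAME" for each entry the reply says is not needed.
#   Returns 0 when nothing is reported, 1 otherwise.
audit_fake_selinuxfs() {
    dir=$1; rc=0
    for n in $NEEDED; do
        if [ ! -e "$dir/$n" ]; then echo "missing:$n"; rc=1; fi
    done
    for s in $SURPLUS; do
        if [ -e "$dir/$s" ]; then echo "surplus:$s"; rc=1; fi
    done
    return $rc
}
```

Run `make_fake_selinuxfs "$CHROOT/selinux" 1 22` once and `audit_fake_selinuxfs "$CHROOT/selinux"` whenever the image tooling changes, so leftovers like "null" or "context" are noticed before they end up in the chroot.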