On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:

> ***passwd:
> running a system with selinux enforcing/permissive (doesn't matter) and
> attempting to run livecd-creator with selinux --disabled results in
> passwd exploding. passwd called is_selinux_enabled() which says yes
> since /proc/mounts has an selinuxfs, and then passwd calls
> selinux_enforcing() which explodes when it can't find
> a /selinux/enforce. First discussion was to change /proc/mounts to hide
> the selinuxfs, sounds like a good plan until I realize /proc/mounts is
> actually a link to /proc/self/mounts and that it's getting way too complex
> trying to set up FS namespaces or whatever this is going to take. Right
> now I'm thinking of creating a /selinux with enforce=0 in all cases
> inside the chroot, anyone see a problem with that? (I could also work
> on fixing passwd, but I'm trying to be as 'backwards compatible' as
> possible....)

That seems pretty reasonable to me. The contortions of trying to get
/proc/mounts right are definitely not worth it.

> ***restorecon:
> do we have an interface to see what is actually in security.xattr?
> Making use of the wonderful new deferred selinux context patch set from
> the kernel I get beautiful messages like:
>
> The file wasn't really "unlabeled_t", it just wasn't a valid label on the
> host machine. Since restorecon/fixfiles runs over the same files like 3
> times during a livecd creation this gets rather annoying. Do we have an
> interface I could use to make restorecon do the right comparison here?

If not, we could dump the output to /dev/null ;-) But, that seems a bit
less than the ideal of really checking.

> ***allow unlabeled_t fs_t:filesystem associate:
> anyone have thoughts on how we want to handle this? I can probably do
> some sort of fscontext= mount magic once I figure out the right fs we
> are talking about and where the script does the mount. But then host
> policy is going to need rules to allow everything that can associate
> with fs_t with fs_allow_unlabeled_t.

So I'm not clear on exactly what the cause of this is or even what it's
trying to say.

> Needless to say, I successfully built an F8 livecd with types not known
> to the host system on rawhide today, booted, and logged in.

Awesome!

Jeremy

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
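An added illustration of the passwd failure discussed above and of the workaround Eric proposes; this is example code written for this page, not code from the thread, from livecd-creator, or from libselinux. It models the two-step check as the mail describes it: "is SELinux enabled?" is answered by looking for an selinuxfs entry in /proc/mounts (field 3 of each line is the filesystem type), and the enforcing state is then read from the enforce file under that mount point (/selinux on Fedora of that era). Inside a chroot the host's /proc/mounts shows through, so step one says "yes" while /selinux/enforce is absent. The function and parameter names, the chroot-prefix argument, and the sample /proc/mounts snapshot are all constructed for the example.

```shell
#!/bin/sh
# Example code (not from the thread). Models the check that made passwd
# blow up inside a livecd-creator chroot, and the proposed workaround of
# pre-creating <chroot>/selinux/enforce containing 0.
# All paths are parameters so the logic runs against a scratch directory.

# selinuxfs_mountpoint MOUNTS_FILE
# Prints the mount point of the first selinuxfs entry in a /proc/mounts-style
# file and returns 0; prints nothing and returns 1 if selinuxfs is not listed.
# (Assumed /proc/mounts layout: device mountpoint fstype options dump pass.)
selinuxfs_mountpoint() {
    awk '$3 == "selinuxfs" { print $2; found = 1; exit } END { exit !found }' "$1"
}

# enforce_state CHROOT MOUNTS_FILE
# The two-step check. Prints:
#   disabled  - no selinuxfs in MOUNTS_FILE (is_selinux_enabled() says no)
#   0 / 1     - contents of <CHROOT><mountpoint>/enforce (permissive/enforcing)
#   broken    - selinuxfs is listed but the enforce file is missing: the
#               chroot case from the mail, where the host's /proc/mounts is
#               visible but /selinux is empty inside the chroot
enforce_state() {
    root=$1
    mnt=$(selinuxfs_mountpoint "$2") || { echo disabled; return 0; }
    if [ -r "$root$mnt/enforce" ]; then
        cat "$root$mnt/enforce"
    else
        echo broken
    fi
}

# fake_permissive_selinuxfs CHROOT MOUNTPOINT
# The proposed workaround: populate <CHROOT><MOUNTPOINT>/enforce with 0 so
# anything that reads it inside the chroot sees "permissive".
fake_permissive_selinuxfs() {
    mkdir -p "$1$2" && printf '0\n' > "$1$2/enforce"
}

# Demo on a scratch directory with a constructed /proc/mounts snapshot
# (the selinuxfs line is what a Fedora host of 2008 would show).
demo_dir=$(mktemp -d)
cat > "$demo_dir/mounts" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw 0 0
selinuxfs /selinux selinuxfs rw 0 0
EOF
echo "before workaround: $(enforce_state "$demo_dir/chroot" "$demo_dir/mounts")"   # broken
fake_permissive_selinuxfs "$demo_dir/chroot" /selinux
echo "after workaround:  $(enforce_state "$demo_dir/chroot" "$demo_dir/mounts")"   # 0
rm -rf "$demo_dir"
```

Run it as `sh example.sh`; the first line reports "broken", the second "0". Seeding the enforce file only changes what a program reads from the chroot's /selinux; the host's real enforcing state and its /proc/mounts are untouched, which is why this is simpler than the mount-namespace approach the mail rejects.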