On Mon, 2008-06-09 at 10:12 -0400, Stephen Smalley wrote:
> > + # we steal mls from the host system for now, might be best to always set it to 1????
>
> This might be a problem for building RHEL 4 images, since MLS wasn't
> enabled there. I'm not certain though - I believe that there were
> compatibility fixes put into RHEL 4 kernel updates to allow them to
> mount filesystems modified under RHEL 5, so a modern RHEL 4 kernel would
> ignore any MLS component in the context. But the policy Makefile could
> be confused by /selinux/mls==1 there.

Building a RHEL4 live image is all but certain to involve a number of
additional and probably larger challenges. Just getting RHEL5 ones to
build takes some contortions at this point.

> > - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
> > + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
>
> I assume that this is running the restorecon program from the chroot
> rather than the host restorecon program. Any issues there with the
> (potentially older) restorecon in the image not providing the same set
> of options or behavior?

Yes, and this is definitely a possible concern. At the same time, if
people aren't building really old images that don't support all the
options, we should take advantage of what we can. So it's a bit of a
"use what we think we need, if someone wants to build something old
where that's not available, adapt"

Jeremy

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
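
Review bot: The added comment on the mls setting ("we steal mls from the host system for now, might be best to always set it to 1????") leaves the decision open, so the value written for the image depends on whatever the build host reports. Settle the rule before merging, or turn the comment into a TODO that names the case that decides it (a target whose policy has no MLS) so the host-derived value is not mistaken for a deliberate choice.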
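
Review bot: In the restorecon hunk, the new call passes "-F" and four "-e" exclusions unconditionally, and nothing visible in the hunk handles a restorecon that does not accept those options. If self.call reports failure, check it here and either fall back to the previous argument list or stop with a clear message. Holding the excluded paths ("/proc", "/sys", "/dev", "/selinux") in a named list and building the "-e" arguments from it would also make the call easier to read and adjust.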