>> Also, does semodule need to have a running SELinux as I need to deploy
>> this module on a Linux system (image) which does NOT have SELinux
>> running (yet)?
>>
>
> Not sure, try it out.
>
I will, though I have a gut feeling that it won't work as semodule may
be looking for a running SELinux database and I presume it picks up
policy (and files) from the running system. Will give it a try though!

>> In other words, if I issue this command in chroot-ed environment would
>> that be enough? The "%post" section of the kickstart file does just that
>> - it chroots to the image as it has been built and from there I can do
>> whatever I like on the actual image, though this is not a running system
>> - i.e. SELinux on that system is not loaded! If that is possible and if
>> I run on different architectures (say the image is for x86_64 and the
>> machine on which the image is built is i686) would it matter?
>>
>
> The policy is arch-independent but I am not sure if it can be installed
> on a system that has no selinux enabled. I think it is possible but I am
> not sure.
>
I'll give it a go!

> You will still have the issue that you would have to relabel the
> filesystem on each boot though.
>
Is that a necessary thing to do after installing a new module? My
understanding is that relabelling only corrects the SELinux file
attributes on every file on the system, so why would I need to do the
relabelling when I have just installed a new policy?

Also, if my assumption is correct then why would I need to have a
running SELinux to do that? It is a great inconvenience and a real pain
for scenarios I described in my previous posts!

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux