On 06/27/2010 08:37 PM, Mr Dash Four wrote:
>
>>> Also, does semodule need to have a running SELinux as I need to deploy
>>> this module on a Linux system (image) which does NOT have SELinux
>>> running (yet)?
>>>
>>
>> Not sure, try it out.
>>
> I will, though I have a gut feeling that it won't work as semodule may
> be looking for a running SELinux database and I presume it picks up
> policy (and files) from the running system. Will give it a try though!
>
>>> In other words, if I issue this command in chroot-ed environment would
>>> that be enough? The "%post" section of the kickstart file does just that
>>> - it chroots to the image as it has been built and from there I can do
>>> whatever I like on the actual image, though this is not a running system
>>> - i.e. SELinux on that system is not loaded! If that is possible and if
>>> I run on different architectures (say the image is for x86_64 and the
>>> machine on which the image is built is i686) would it matter?
>>>
>>
>> The policy is arch-independent but I am not sure if it can be installed
>> on a system that has no selinux enabled. I think it is possible but I am
>> not sure.
>>
> I'll give it a go!
>
>> You will still have the issue that you would have to relabel the
>> filesystem on each boot though.
>>
> Is that a necessary thing to do after installing a new module? My
> understanding is that relabelling only corrects the SELinux file
> attributes on every file on the system, so why would I need to do the
> relabelling when I have just installed a new policy?
>
> Also, if my assumption is correct then why would I need to have a
> running SELinux to do that? It is a great inconvenience and a real pain
> for scenarios I described in my previous posts!

Good points. I think you might indeed be able to run restorecon or
fixfiles/setfiles in %post, but I am not sure. I would suggest you try it.
Otherwise wait a day when the professionals can reply to your query.

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux