Re: SELinux and Shorewall with IPSets

On Sun, 2010-06-27 at 21:26 +0200, Dominick Grift wrote:
> On 06/27/2010 08:37 PM, Mr Dash Four wrote:
> > 
> >>> Also, does semodule need to have a running SELinux as I need to deploy 
> >>> this module on a Linux system (image) which does NOT have SELinux 
> >>> running (yet)?
> >>>     
> >>
> >> Not sure, try it out.
> >>   
> > I will, though I have a gut feeling that it won't work as semodule may 
> > be looking for a running SELinux database and I presume it picks up 
> > policy (and files) from the running system. Will give it a try though!
> > 
> >>> In other words, if I issue this command in chroot-ed environment would 
> >>> that be enough? The "%post" section of the kickstart file does just that 
> >>> - it chroots to the image as it has been built and from there I can do 
> >>> whatever I like on the actual image, though this is not a running system 
> >>> - i.e. SELinux on that system is not loaded! If that is possible and if 
> >>> I run on different architectures (say the image is for x86_64 and the 
> >>> machine on which the image is built is i686) would it matter?
> >>>     
> >>
> >> The policy is arch-independent but I am not sure if it can be installed
> >> on a system that has no selinux enabled. I think it is possible but I am
> >> not sure.
> >>   
> > I'll give it a go!
> > 
> >> You will still have the issue that you would have to relabel the
> >> filesystem on each boot though.
> >>   
> > Is that a necessary thing to do after installing a new module? My 
> > understanding is that relabelling only corrects the SELinux file 
> > attributes on every file on the system, so why would I need to do the 
> > relabelling when I have just installed a new policy?
> > 
> > Also, if my assumption is correct then why would I need to have a 
> > running SELinux to do that? It is a great inconvenience and a real pain 
> > for scenarios I described in my previous posts!
> 
> Good points. I think you might indeed be able to run restorecon or
> fixfiles/setfiles in %post, but I am not sure.
> 
> I would suggest you try it.
> 
> Otherwise wait a day when the professionals can reply to your query.

restorecon exits immediately if SELinux is disabled, so you cannot use
it to label a tree on a non-SELinux build host.  Dan wanted it that way
so that he could unconditionally invoke it from scripts and not have it
do anything if SELinux was disabled.

setfiles however does support labeling even on a non-SELinux host.  As
well as labeling an image that is being built with a "foreign" (i.e.
different from host) policy on a SELinux host, although you have to run
it in setfiles_mac_t for that purpose, as the livecd-creator does.

-- 
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
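The labeling approach from Stephen's reply, written out as a small %post-style script. This is an added example, not code from the thread or from the livecd-creator: it calls setfiles directly with the image's own file_contexts spec and the -r alternate-root option, and deliberately never falls back to restorecon (which exits without doing anything when SELinux is disabled on the host). The helper names (image_policy_type, spec_path, label_image) and the default of "targeted" when the image has no /etc/selinux/config are my assumptions; the spec path layout /etc/selinux/<type>/contexts/files/file_contexts is the standard one.

```sh
#!/bin/sh
# Added example (not from the thread): label a built image tree with setfiles
# from a build host that may not have SELinux enabled.
#
# restorecon exits immediately when SELinux is disabled on the host, so it is
# useless for this job; setfiles takes the spec file and the tree explicitly and
# works on a non-SELinux host.

# Read SELINUXTYPE from the image's own /etc/selinux/config. Falls back to
# "targeted" (an assumption) when the file or the setting is missing.
image_policy_type() {
    root=$1
    type=$(sed -n 's/^SELINUXTYPE=//p' "$root/etc/selinux/config" 2>/dev/null | tail -n1)
    echo "${type:-targeted}"
}

# Path of the file_contexts spec that belongs to the image's policy, not the
# host's, so the labels match the policy the image will boot with.
spec_path() {
    root=$1
    echo "$root/etc/selinux/$(image_policy_type "$root")/contexts/files/file_contexts"
}

# Label $root in place. -r tells setfiles to strip $root from each path before
# matching it against the spec, so the spec entry for /etc/shadow applies to
# $root/etc/shadow. With $root=/ (the chrooted %post case) it is a no-op prefix.
label_image() {
    root=${1:-/}
    spec=$(spec_path "$root")
    if ! command -v setfiles >/dev/null 2>&1; then
        echo "setfiles not found: install policycoreutils on the build host" >&2
        return 1
    fi
    if [ ! -f "$spec" ]; then
        echo "no file_contexts spec at $spec: is the image's policy package installed?" >&2
        return 1
    fi
    setfiles -r "$root" "$spec" "$root"
}

# Run only when a tree is given on the command line, e.g. `sh label.sh /` in %post
# or `sh label.sh /mnt/image` from outside the chroot.
if [ $# -gt 0 ]; then
    label_image "$1"
fi
```

Two caveats that follow from the thread: if the build host itself runs SELinux and the image uses a different ("foreign") policy, the process must run in setfiles_mac_t as the livecd-creator does, and if pseudo-filesystems such as /proc or /sys are still mounted inside the chroot during %post, exclude them (setfiles has -e for that) so the walk does not descend into them.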

