On Tue, Nov 16, 2004 at 01:46:14PM +0100, Axel Thimm wrote:
> Hi,
>
> when trying to set up FC2 chroots on FC3 hosts I get a lot of selinux
> errors. The filesystem in question has the following (default)
> security contexts in place:
>
> root:object_r:default_t
>
> (fs is mounted beneath /data in permissive/targeted mode)
>
> The errors look like the following:
> cracklib-dicts ##################################################
> +error: unpacking of archive failed on file /usr/lib64/cracklib_dict.hwm: cpio: lsetfilecon failed - Inappropriate ioctl for device
> sed ##################################################
> libattr ##################################################
> libacl ##################################################
> coreutils ##################################################
> +error: unpacking of archive failed on file /usr/sbin/chroot: cpio: lsetfilecon failed - Inappropriate ioctl for device
>
> It looks like these FC2 packages have stored security contexts in the
> archive and rpm cannot recreate them.
>
> a) Why cannot rpm recreate the security contexts? Do I need some
> special policies to allow setting up chroots into
> /some/path/to/chroot?
>

Look at libselinux if you want to know why the failure, and what to do
about it. rpm supplies a logistical mechanism to set file contexts only,
reading the file context regexes, calling the function in libselinux,
and duly reports information at hand on failure. Diagnosing selinux
failures is a deep context way beyond what is implemented in rpm.

> b) Why does this only occur in FC2 and not FC3 chroots? Don't FC3
> packages contain security contexts anymore (namely coreutils and
> cracklib-dicts)? Perhaps because of the above?
>

The problem (and fix) will require diagnosis deeper than "fails in FC2
chroots, works in FC3 chroots". The starting point is invariably looking
at AVC messages to identify the failure, and then correcting the contexts
and/or policy to address the failure.

> c) Should rpm handle these failures more gracefully, i.e. have a
> switch to turn them into warnings?
>

SELinux is not optional at the application level, nor can mandatory
access controls be finessed with a "switch" in rpm.

73 de Jeff

-- 
Jeff Johnson ARS N3NPQ
jbj@xxxxxxxxxx (jbj@xxxxxxx)
Chapel Hill, NC

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
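As an added example (not part of this thread or of rpm), a small Python triage helper that separates the two kinds of lines Jeff's reply distinguishes: an AVC denial from the kernel log, which points at labels or policy, and rpm's own report of a failed libselinux call. The AVC line below is constructed; the cpio line is the one from Axel's report.

```python
import re

# Constructed sample input: one AVC message of the kind Jeff says to start
# from, and the rpm/cpio error line quoted in the original report.
SAMPLE_LINES = [
    'audit(1100609200.123:45): avc:  denied  { relabelto } for  pid=2345 '
    'comm="rpm" name="chroot" dev=sda5 ino=98765 '
    'scontext=root:system_r:unconfined_t tcontext=root:object_r:bin_t '
    'tclass=file',
    'error: unpacking of archive failed on file /usr/sbin/chroot: '
    'cpio: lsetfilecon failed - Inappropriate ioctl for device',
]

# verdict, the permission set in braces, and the key=value tail of an AVC line
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="rpm") or bare (tclass=file)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC line, or None if the line is not an AVC message.

    scontext is the label of the process (here rpm), tcontext the label of the
    target file, tclass the object class and perms the permission(s) checked.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'verdict': m.group('verdict'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec


def triage(line):
    """Classify one log line: policy denial (AVC) versus a libselinux call error."""
    avc = parse_avc(line)
    if avc and avc['verdict'] == 'denied':
        return ('policy-denial', avc)
    m = re.search(r'cpio: (\w+) failed - (.*)$', line)
    if m:
        # rpm reports the libselinux call that failed and strerror(errno)
        return ('libselinux-error', {'call': m.group(1), 'reason': m.group(2)})
    return ('other', {})
```

An AVC denial names the source and target contexts to fix (via file_contexts or policy); a libselinux error with no matching AVC usually means the call never reached the policy check, so the filesystem or mount is the place to look.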