Re: SELinux troubles: cpio: lsetfilecon failed - Inappropriate ioctl for device


On Tue, Nov 16, 2004 at 01:46:14PM +0100, Axel Thimm wrote:
> Hi,
> 
> when trying to setup FC2 chroots on FC3 hosts I get a lot of selinux
> errors. The filesystem in question has the following (default)
> security contexts in place:
> 
>    root:object_r:default_t
> 
> (fs is mounted beneath /data in permissive/targeted mode)
> 
> The errors look like the following:
>  cracklib-dicts              ##################################################
> +error: unpacking of archive failed on file /usr/lib64/cracklib_dict.hwm: cpio: lsetfilecon failed - Inappropriate ioctl for device
>  sed                         ##################################################
>  libattr                     ##################################################
>  libacl                      ##################################################
>  coreutils                   ##################################################
> +error: unpacking of archive failed on file /usr/sbin/chroot: cpio: lsetfilecon failed - Inappropriate ioctl for device
> 
> It looks like these FC2 packages have stored security contexts in the
> archive and rpm cannot recreate them.
> 
> a) Why cannot rpm recreate the security contexts? Do I need some
>    special policies to allow setting up chroots into
>    /some/path/to/chroot?
> 

Look at libselinux if you want to know why it fails, and
what to do about it. rpm supplies logistical mechanism to set
file contexts only, reading the file context regexes, calling
the function in libselinux, and duly reports information
at hand on failure. Diagnosing selinux failures is a deep
context way beyond what is implemented in rpm.

> b) Why does this only occur in FC2 and not FC3 chroots? Don't FC3
>    packages contain security contexts anymore (namely coreutils and
>    cracklib-dicts)? Perhaps because of the above?
> 

The problem (and fix) will require diagnosis deeper than "fails
in FC2 chroots, works in FC3 chroots". The starting point is
invariably looking at AVC messages to identify the failure,
and then correcting the contexts and/or policy to address
the failure.

> c) Should rpm handle these failures more gracefully, i.e. have a
>    switch to turn them into warnings?
> 

SELinux is not optional at the application level, nor can mandatory
access controls be finessed with a "switch" in rpm.

73 de Jeff

-- 
Jeff Johnson	ARS N3NPQ
jbj@xxxxxxxxxx (jbj@xxxxxxx)
Chapel Hill, NC

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
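The per-file sequence Jeff describes (look up the expected context from the file-context regexes, call libselinux's lsetfilecon(3), report the errno on failure) and the diagnosis step he recommends (read the AVC messages, then fix contexts or policy) can be modelled in a few lines. The following is an added illustration, not code from rpm, libselinux or the thread's authors: it sets the `security.selinux` extended attribute the same way lsetfilecon does (lsetxattr with the NUL-terminated context), maps the errno to a plain-language hint, and parses AVC lines to pull out the source/target contexts that decide the fix. The paths, contexts (including `rpm_t`), and audit lines are constructed for the example and do not come from the page.

```python
"""Model of rpm's per-file labelling under SELinux plus an AVC-line parser.

Added example, not rpm or libselinux code. All paths, contexts and
audit lines are constructed for illustration.
"""
import errno
import os
import re
from typing import Optional

# libselinux: lsetfilecon(path, ctx) == lsetxattr(path, "security.selinux",
# ctx, strlen(ctx) + 1, 0). We replicate that with os.setxattr.
SELINUX_XATTR = "security.selinux"


def lsetfilecon(path: str, context: str) -> int:
    """Label `path` (not following symlinks). Return 0 on success, else errno."""
    if not hasattr(os, "setxattr"):          # non-Linux host: treat as unsupported
        return errno.ENOTSUP
    try:
        os.setxattr(path, SELINUX_XATTR, context.encode() + b"\0",
                    follow_symlinks=False)
        return 0
    except OSError as e:
        return e.errno


def explain_errno(err: int) -> str:
    """Turn the errno that rpm would print into the first thing to check."""
    if err in (errno.ENOTSUP, getattr(errno, "EOPNOTSUPP", errno.ENOTSUP)):
        return "filesystem or mount does not support security xattrs; check mount options"
    if err in (errno.EACCES, errno.EPERM):
        return "denied by policy or DAC; look for an AVC naming this file (relabelfrom/relabelto)"
    if err == errno.ENOTTY:
        # "Inappropriate ioctl for device" is the text quoted in the thread;
        # the cause is not determined here, so start with the AVC log and the mount.
        return "ENOTTY as reported in the thread; check AVC messages and the mount's xattr support"
    if err == errno.ENOENT:
        return "target path does not exist yet (ordering problem in the unpack)"
    return "unclassified errno %d (%s); consult the AVC log" % (err, os.strerror(err))


# Constructed audit lines in the classic dmesg/audit format (not from the page).
SAMPLE_AVC = [
    'audit(1100609174.123:45): avc:  denied  { relabelfrom } for  pid=1234 '
    'comm="rpm" name="chroot" dev=sda3 ino=65538 '
    'scontext=root:system_r:rpm_t tcontext=root:object_r:default_t tclass=file',
    'audit(1100609174.130:46): avc:  denied  { relabelto } for  pid=1234 '
    'comm="rpm" name="cracklib_dict.hwm" dev=sda3 ino=65540 '
    'scontext=root:system_r:rpm_t tcontext=root:object_r:lib_t tclass=file',
]

_AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Extract result, permissions and key=value fields from one AVC line."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in _KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def avcs_for_file(path: str, lines) -> list:
    """Return the parsed AVC records whose name= matches the basename of `path`."""
    base = os.path.basename(path)
    return [r for r in map(parse_avc, lines) if r and r.get("name") == base]


def diagnose(path: str, context: str, avc_lines) -> dict:
    """What rpm would have to do to go beyond 'lsetfilecon failed - <strerror>'."""
    err = lsetfilecon(path, context)
    out = {"errno": err, "hint": "labelled ok" if err == 0 else explain_errno(err)}
    if err:
        out["avc"] = [(r["perms"], r["scontext"], r["tcontext"], r["tclass"])
                      for r in avcs_for_file(path, avc_lines)]
    return out


if __name__ == "__main__":
    # Hypothetical chroot path; on a non-SELinux host this reports the errno it hit.
    print(diagnose("/data/fc2-chroot/usr/sbin/chroot",
                   "root:object_r:bin_t", SAMPLE_AVC))
```

The `avc` list in the result is the pair of contexts that matter: if `scontext`/`tcontext` are sensible and the permission is `relabelfrom`/`relabelto`, the fix is policy (allow the installer domain to relabel from the mount's default type); if the target context is a catch-all like `default_t`, the fix is the file-context regexes or the mount's labelling, which is the "correct the contexts and/or policy" step the reply points to.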
