On 04/20/2010 11:12 AM, Stephen Smalley wrote:
> On Tue, 2010-04-20 at 11:05 -0400, Eric Paris wrote:
>> It does look like you are right, we might never hit the
>> cap_inode_setsecurity, but I'm trying to run down exactly how this is
>> happening....
>>
>> -Eric
>>
>> On Tue, Apr 20, 2010 at 11:00 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>> On 04/20/2010 10:45 AM, Stephen Smalley wrote:
>>>> On Tue, 2010-04-20 at 10:21 -0400, Daniel J Walsh wrote:
>>>>> Currently the kernel is blocking the setting of labels on a disabled
>>>>> SELinux box.
>>>>>
>>>>> We have made changes to livecd to be able to build a livecd image on a
>>>>> disabled SELinux box, but the kernel is preventing the placing of labels.
>>>>>
>>>>> We want this functionality so that Fedora Build machines can be allowed
>>>>> to create different kinds of images and do not want to require all
>>>>> machines to enable SELinux.
>>>>>
>>>>> Currently these images are being built with SELinux disabled because of
>>>>> this.
>>>>>
>>>>> strace shows
>>>>>
>>>>> lsetxattr("/root/whatever/", "security.selinux",
>>>>> "system_u:object_r:root_t:s0", 28, 0) = -1 EOPNOTSUPP (Operation not
>>>>> supported)
>>>>>
>>>>> eparis says this code is causing the problem.
>>>>>
>>>>> static int cap_inode_setsecurity(struct inode *inode, const char *name,
>>>>>                                  const void *value, size_t size, int flags)
>>>>> {
>>>>>         return -EOPNOTSUPP;
>>>>> }
>>>>>
>>>>> I think we should allow this if you have a capability like sys_admin or
>>>>> dac_override.
>>>>
>>>> Perhaps I don't understand, but inode_setsecurity() is only called if
>>>> the filesystem does not support xattrs; otherwise it gets handled via
>>>> the filesystem's ->setxattr handler, and that should work regardless of
>>>> SELinux-disabled (and always has in the past).
>>>>
>>>> I think we need more details, like kernel version, filesystem type, etc.
>>>>
>>>
>>> 2.6.32.11-99.fc12.x86_64; ext4
>
> Oh, this is the dracut bug that isn't really disabling SELinux (just
> leaving it permissive with no policy loaded). Ala FC2 days. Didn't
> that get fixed?
>
> grep selinuxfs /proc/filesystems
>
I believe it is fixed in F13. Not in F12. Looks like Harald is just about to push F13 dracut into F12.
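Stephen's check and the strace from the thread, combined into a small probe (added here; not code from the thread or from the kernel): it issues the same lsetxattr call with the label from the strace and then reports whether a selinuxfs entry in /proc/filesystems indicates the not-really-disabled state Stephen describes. The path to label is whatever you pass as argv[1]; the diagnosis strings are this example's own wording.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

/* Return 1 if the text of /proc/filesystems (lines of "nodev\t<name>" or
 * "\t<name>") lists selinuxfs as a whole name, i.e. the LSM is still active. */
int selinuxfs_listed(const char *text)
{
    for (const char *h = strstr(text, "selinuxfs"); h; h = strstr(h + 1, "selinuxfs")) {
        int start_ok = h == text || h[-1] == '\t' || h[-1] == '\n';
        int end_ok = h[9] == '\0' || h[9] == '\n';
        if (start_ok && end_ok)
            return 1;
    }
    return 0;
}

/* Same call as the strace in the thread (size counts the trailing NUL, hence 28).
 * Returns 0 on success, otherwise the errno value. */
int try_selinux_label(const char *path, const char *label)
{
    if (lsetxattr(path, "security.selinux", label, strlen(label) + 1, 0) == 0)
        return 0;
    return errno;
}

/* Map the outcome to the explanations given in the thread. */
const char *diagnose(int err, int selinuxfs_present)
{
    if (err == 0)
        return "ok: the filesystem's xattr handler stored the label";
    if (err == EOPNOTSUPP && selinuxfs_present)
        return "EOPNOTSUPP with selinuxfs present: SELinux is not really disabled (no policy loaded)";
    if (err == EOPNOTSUPP)
        return "EOPNOTSUPP without selinuxfs: no xattr handler, cap_inode_setsecurity refused it";
    return strerror(err);
}

int main(int argc, char **argv)
{
    char buf[8192] = {0};
    FILE *f = fopen("/proc/filesystems", "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    if (argc < 2) { fprintf(stderr, "usage: %s <path>\n", argv[0]); return 2; }
    int err = try_selinux_label(argv[1], "system_u:object_r:root_t:s0");
    printf("%s\n", diagnose(err, selinuxfs_listed(buf)));
    return err ? 1 : 0;
}
```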