So my rpm-ostree system is doing "cross labeling" - in my case, the build host is RHEL7, and the target system is Fedora rawhide.
Concretely, I'm using selinux_set_policy_root() to load the policy from a chroot, then selabel_open (SELABEL_CTX_FILE).
I know this might eventually break if Fedora's SELinux policy format breaks from what RHEL7 can understand...but I'm hoping to avoid that (or alternatively, update the RHEL7 SELinux libraries to understand newer formats).
The advantage of doing it this way is I don't need to run through Anaconda (or more generally, execute any *code* from the OS I'm building). Which in turn makes the system reliable and fast.
There is one problem though - the PCRE precompiled regexps in e.g. "file_contexts.bin". It turns out that the RHEL7 pcre silently fails to match the ones from rawhide =/
I work around this by temporarily moving the .bin out of the way.
But how about extending the file format to include e.g. the result of pcre_version(), and having the label code only use the mmap cache if the saved PCRE version exactly matches that on the system?
This would cause labeling slowdowns when the pcre RPM is rebuilt until the selinux-policy RPM is later rebuilt, but that seems better than potentially silent failures.
Thoughts?
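A sketch of the version check proposed in the message above, as an added example that is not part of the original post and not libselinux code. The header layout, `FC_MAGIC`, the function names and the sample version strings are hypothetical; `runtime_ver` stands for the string `pcre_version()` returns on the labeling host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical header (NOT the real file_contexts.bin layout):
 *   u32 magic | u32 format | u32 len | len bytes of PCRE version string
 * Integers are host-endian in this sketch. */
#define FC_MAGIC      0x46434258u   /* constructed value */
#define FC_MAX_VERSTR 256u

enum fc_cache { FC_CACHE_OK = 0, FC_CACHE_STALE = 1, FC_CACHE_CORRUPT = 2 };

/* Read a u32 without running past the end of the mapping. */
static int read_u32(const uint8_t *buf, size_t size, size_t *off, uint32_t *out)
{
    if (*off > size || size - *off < sizeof(*out))
        return -1;
    memcpy(out, buf + *off, sizeof(*out));
    *off += sizeof(*out);
    return 0;
}

/* Decide whether the precompiled regexps that follow the header may be used. */
enum fc_cache fc_cache_check(const uint8_t *buf, size_t size, const char *runtime_ver)
{
    size_t off = 0, rlen = strlen(runtime_ver);
    uint32_t magic, fmt, len;

    if (read_u32(buf, size, &off, &magic) || magic != FC_MAGIC)
        return FC_CACHE_CORRUPT;
    if (read_u32(buf, size, &off, &fmt) || read_u32(buf, size, &off, &len))
        return FC_CACHE_CORRUPT;
    if (len == 0 || len > FC_MAX_VERSTR || size - off < len)
        return FC_CACHE_CORRUPT;
    /* Exact match only: any difference means fall back to the text file. */
    if (len != rlen || memcmp(buf + off, runtime_ver, len) != 0)
        return FC_CACHE_STALE;
    return FC_CACHE_OK;
}

/* Write a constructed sample header; returns bytes written, 0 if cap is too small. */
size_t fc_sample_header(uint8_t *buf, size_t cap, const char *build_ver)
{
    uint32_t hdr[3] = { FC_MAGIC, 1, (uint32_t)strlen(build_ver) };
    if (cap < sizeof(hdr) + hdr[2])
        return 0;
    memcpy(buf, hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), build_ver, hdr[2]);
    return sizeof(hdr) + hdr[2];
}
```

A caller would treat both `FC_CACHE_STALE` and `FC_CACHE_CORRUPT` as "ignore the .bin and compile the regexps from the text file_contexts", which trades labeling speed for a match result that does not depend on the build host's PCRE.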