On Fri, 8 Jul 2016 06:56:14 AM Richard W.M. Jones wrote:
> On Thu, Jul 07, 2016 at 09:50:17PM +0800, Jason Zaman wrote:
> > Doesn't Android set the labels on the /system disk image during build?
> > Maybe virt-builder can copy that? This would also speed up initial
> > deployment of new images.
>
> Well this is the real problem. Because the guest policy is a binary
> blob, and because the binary blobs are not (necessarily) compatible
> across kernel versions, we cannot just load the policy blob of the
> guest into our kernel, so we cannot label guests properly. Sure would be
> nice if policy wasn't stored in this way.

While virt-builder is one case that needs special attention, the important fact is that autorelabel has never worked as well as it should have. There has never been a guarantee that an autorelabel operation would complete successfully in the face of the wrong combination of mislabeled files.

It might be a good idea to copy the Android build process to virt-builder for other reasons, but even so the design Richard proposes is worth having regardless.

Also the way that the reboot was managed was never that great, especially on a systemd system. I can't recall how much of that is my responsibility.

I'd like to get this in Debian.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/