On Tue, 2008-05-13 at 08:44 -0400, Stephen Smalley wrote:
On Mon, May 12, 2008 at 5:26 PM, Eric Paris eparis@redhat.com wrote:
On Mon, 2008-05-12 at 17:05 -0400, Stephen Smalley wrote:
On Mon, May 12, 2008 at 4:33 PM, Jeremy Katz katzj@redhat.com wrote:
The only problem I see with not having selinuxfs mounted at all within the chroot or even providing fake /selinux nodes is that rpm_execcon() will then see SELinux as disabled and thus not try to run the scriptlet in a different domain;
How does it do this check? Guess I should pull some rpm sources. My lord I don't wanna....
You don't have to look at rpm for that - rpm_execcon() is a helper function provided by libselinux for use by rpm. I sent you a patch separately for it that should get it past a missing /selinux/create node, so you should be able to completely remove /selinux/context and /selinux/create and still proceed (at least in permissive mode).
Will do.....
I'm not sure you need anything there; as I've said, is_selinux_enabled() will just fall back to checking /proc/filesystems for selinuxfs as the authoritative indicator of whether or not SELinux is enabled.
But we have other problems without /selinux mounted inside the chroot (and this is without the rpm_execcon patch which I'm about to put in; does rpm statically or dynamically link?) :(
New, interesting and different at least:
Installing: selinux-policy ##################### [128/129]
Installing: selinux-policy-targeted ##################### [129/129]
libsemanage.dbase_llist_query: could not query record value
libsepol.policydb_write: policy version 15 cannot support MLS
I assume this is because there isn't a selinux/policyvers?
libsepol.policydb_to_image: could not compute policy length
libsepol.policydb_to_image: could not create policy image
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.23, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.23: No such file or directory
/usr/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.23. (No such file or directory).
semodule: Failed!
/usr/sbin/semanage: Invalid prefix user
/usr/sbin/semanage: Invalid prefix user
ERROR:dbus.proxies:Introspect error on :1.3:/org/freedesktop/Hal/Manager: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
/sbin/restorecon reset /dev/stderr context unconfined_u:object_r:file_t:s0->system_u:object_r:device_t:s0
/sbin/restorecon reset /dev/stdin context unconfined_u:object_r:file_t:s0->system_u:object_r:device_t:s0
/sbin/restorecon reset /dev/random context unconfined_u:object_r:file_t:s0->system_u:object_r:random_device_t:s0
There were actually a whole lot fewer when the restorecon ran through (still a bunch but a lot fewer), so I think that part is better.
After the restorecon finished and before the e2fsck I got:
Only root can do that.
Anyone have ideas what that might have been?
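The thread turns on two things a chroot can hide from libselinux: the is_selinux_enabled() fallback that looks for "selinuxfs" in /proc/filesystems when no selinuxfs is mounted, and the policy version read from /selinux/policyvers that the policy tools need. The script below is an added diagnostic, not code from the thread or from libselinux; it re-implements those two checks in shell against an arbitrary root directory so you can see what a chroot will look like before running rpm in it. It assumes the selinuxfs mount point of the day, $ROOT/selinux (current kernels use /sys/fs/selinux), and the fixture roots built by make_fake_root are constructed for testing, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or from libselinux): report what a chroot
# will look like to libselinux. Assumption: selinuxfs is expected under
# $ROOT/selinux, the mount point used in 2008.

# selinux_visible ROOT -> prints "enabled" or "disabled".
# Mirrors the fallback described in the thread: with no selinuxfs mounted,
# the indicator is whether "selinuxfs" appears in /proc/filesystems. A bare
# chroot with no /proc mounted at all therefore reads as "disabled".
selinux_visible() {
    root=${1:-/}
    if grep -q selinuxfs "$root/proc/filesystems" 2>/dev/null; then
        echo enabled
    else
        echo disabled
    fi
}

# policyvers ROOT -> prints the kernel policy version the chroot can see,
# or "unknown" when $ROOT/selinux/policyvers is missing or unreadable.
policyvers() {
    root=${1:-/}
    if [ -r "$root/selinux/policyvers" ]; then
        cat "$root/selinux/policyvers"
    else
        echo unknown
    fi
}

# chroot_report ROOT -> one-line summary of both checks.
chroot_report() {
    printf 'selinux=%s policyvers=%s\n' "$(selinux_visible "$1")" "$(policyvers "$1")"
}

# make_fake_root DIR with|without [VERSION]
# Constructed fixture (not a real system): builds a minimal root with a
# /proc/filesystems that does or does not list selinuxfs, and optionally
# a /selinux/policyvers node carrying VERSION.
make_fake_root() {
    mkdir -p "$1/proc" "$1/selinux"
    printf 'nodev\tsysfs\n\text3\n' > "$1/proc/filesystems"
    [ "$2" = with ] && printf 'nodev\tselinuxfs\n' >> "$1/proc/filesystems"
    [ -n "$3" ] && printf '%s\n' "$3" > "$1/selinux/policyvers"
    return 0
}

# Usage against a real chroot: chroot_report /path/to/chroot
```

Run chroot_report against the install root before the policy packages go in: "selinux=disabled" means rpm_execcon() will not try to switch domains for scriptlets, and "policyvers=unknown" is the condition under which the policy tools have no kernel version to target.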