On Tue, 2008-05-20 at 16:10 -0400, Eric Paris wrote:
> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> > On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > > ***passwd: running a system with selinux enforcing/permissive (doesn't matter) and attempting to run livecd-creator with selinux --disabled results in passwd exploding. passwd calls is_selinux_enabled(), which says yes since /proc/mounts has an selinuxfs, and then passwd calls selinux_enforcing(), which explodes when it can't find a /selinux/enforce. First discussion was to change /proc/mounts to hide the selinuxfs, sounds like a good plan until I realize /proc/mounts is actually a link to /proc/self/mounts and that it's getting way too complex trying to set up FS namespaces or whatever this is going to take. Right now I'm thinking of creating a /selinux with enforce=0 in all cases inside the chroot, anyone see a problem with that? (I could also work on fixing passwd, but I'm trying to be as 'backwards compatible' as possible....)
> >
> > Wait - you are confusing /proc/mounts and /proc/filesystems.
>
> You are (once again) correct. Should be a lot easier to lie to :)
I feel vindicated, I knew I saw that /proc/mounts was part of it....
init_selinuxmnt() is going to go through /proc/mounts inside the chroot and find an selinuxfs mounted back out on the host system. I think this in turn is going to cause is_selinux_enabled() to return that selinux is in fact enabled. No proof, but what I know for sure is that

    cat /proc/filesystems | grep -v selinux > /tmp.filesystems
    mount -o bind /tmp.filesystems /chroot/proc/filesystems

still caused passwd to fail because it thought selinux was enabled....
-Eric
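The detection the thread is arguing about, as an added illustrative model that is not libselinux's or passwd's own code: it scans constructed /proc/filesystems and /proc/mounts contents the way the messages above describe, treats an selinuxfs instance visible in /proc/mounts as "enabled" even after /proc/filesystems has been filtered with grep -v, and then shows why a chroot-local /selinux/enforce containing 0 turns the modelled passwd check into "permissive" instead of a failure. The function names (model_is_selinux_enabled, model_passwd_check), the procview struct, the order in which the two /proc files are consulted, and every sample file body are assumptions made for this example; the sample data is constructed, not captured from a system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcomes of the modelled passwd check (hypothetical names for this example). */
enum pw_outcome { PW_ENFORCE_MISSING = -1, PW_SELINUX_OFF = 0, PW_PERMISSIVE = 1, PW_ENFORCING = 2 };

/* What a process sees from inside (or outside) the chroot.
 * enforce is the body of <selinuxmnt>/enforce, or NULL if that file is absent. */
struct procview {
    const char *filesystems;   /* contents of /proc/filesystems */
    const char *mounts;        /* contents of /proc/mounts */
    const char *enforce;
};

/* Copy one line (minus newline) of a multi-line string into buf.
 * Returns the start of the next line, or NULL when the input is exhausted. */
static const char *next_line(const char *p, char *buf, size_t buflen)
{
    if (!p || !*p)
        return NULL;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= buflen)
        len = buflen - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* /proc/filesystems lists filesystem TYPES the kernel knows ("nodev\tselinuxfs").
 * Returns 1 if selinuxfs is among them. This is the file the grep -v trick filters. */
int selinuxfs_in_filesystems(const char *listing)
{
    char line[256];
    const char *p = listing;
    while ((p = next_line(p, line, sizeof line)) != NULL) {
        char *tok = strtok(line, " \t"), *last = NULL;
        while (tok) {               /* the type name is the last field on the line */
            last = tok;
            tok = strtok(NULL, " \t");
        }
        if (last && strcmp(last, "selinuxfs") == 0)
            return 1;
    }
    return 0;
}

/* /proc/mounts lists mounted INSTANCES ("none /selinux selinuxfs rw 0 0").
 * Returns 1 and copies the mount point into out if an selinuxfs is mounted anywhere;
 * a chroot that shares the host's mount table still sees the host's entry here. */
int selinuxfs_mountpoint(const char *mounts, char *out, size_t outlen)
{
    char line[256], dev[64], mnt[64], type[64];
    const char *p = mounts;
    while ((p = next_line(p, line, sizeof line)) != NULL) {
        if (sscanf(line, "%63s %63s %63s", dev, mnt, type) == 3 &&
            strcmp(type, "selinuxfs") == 0) {
            snprintf(out, outlen, "%s", mnt);
            return 1;
        }
    }
    return 0;
}

/* Modelled is_selinux_enabled(): a mounted selinuxfs counts as enabled; if none is
 * mounted, a kernel that lists the selinuxfs type counts too. The ordering is an
 * assumption for this example, not a claim about libselinux's code. */
int model_is_selinux_enabled(const struct procview *v)
{
    char mnt[64];
    if (selinuxfs_mountpoint(v->mounts, mnt, sizeof mnt))
        return 1;
    return selinuxfs_in_filesystems(v->filesystems);
}

/* Modelled passwd: it only asks for the enforce value once SELinux looks enabled;
 * an "enabled" verdict with no enforce file to read is the failure in the thread. */
int model_passwd_check(const struct procview *v)
{
    if (!model_is_selinux_enabled(v))
        return PW_SELINUX_OFF;
    if (!v->enforce)
        return PW_ENFORCE_MISSING;
    return atoi(v->enforce) ? PW_ENFORCING : PW_PERMISSIVE;
}

/* Constructed sample file contents, shaped like the real ones, not captured. */
static const char host_filesystems[] = "nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text3\n";
static const char filtered_filesystems[] = "nodev\tsysfs\nnodev\tproc\n\text3\n"; /* after grep -v selinux */
static const char host_mounts[] =
    "rootfs / rootfs rw 0 0\nnone /proc proc rw 0 0\nnone /selinux selinuxfs rw 0 0\n";
static const char hidden_mounts[] = "rootfs / rootfs rw 0 0\nnone /proc proc rw 0 0\n";

/* The scenarios from the thread, as this example models them. */
static const struct procview host_view       = { host_filesystems, host_mounts, "1\n" };
static const struct procview chroot_view     = { filtered_filesystems, host_mounts, NULL }; /* the bind mount alone */
static const struct procview fake_enforce    = { filtered_filesystems, host_mounts, "0\n" }; /* proposed /selinux dir */
static const struct procview nothing_visible = { filtered_filesystems, hidden_mounts, NULL };

int main(void)
{
    printf("host:                       %d\n", model_passwd_check(&host_view));       /* 2, enforcing */
    printf("chroot, filesystems hidden: %d\n", model_passwd_check(&chroot_view));     /* -1, passwd fails */
    printf("chroot + fake enforce=0:    %d\n", model_passwd_check(&fake_enforce));    /* 1, permissive */
    printf("both files hidden:          %d\n", model_passwd_check(&nothing_visible)); /* 0, off */
    return 0;
}
```

The point the model makes concrete is the one Stephen raised: filtering /proc/filesystems changes which filesystem types appear supported, but it does nothing to the mounted instances listed in /proc/mounts, so an enabled verdict keyed on the mount table survives the bind mount. A chroot-local enforce file containing 0 does not hide SELinux from the process; it answers the follow-up question so the process can proceed as if permissive.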