On Fri, 2008-05-09 at 16:00 -0400, Eric Paris wrote:
On Fri, 2008-05-09 at 15:33 -0400, Eric Paris wrote:
On Fri, 2008-05-02 at 13:20 -0400, Stephen Smalley wrote:
One question that has come up is whether the patch to support setting unknown file labels is sufficient to support the buildsys needs, or whether something more is required. My impression is that all we truly need is:
1) support for setting unknown file labels for use by rpm,
2) bind mount /dev/null over selinux/load within the chroot so that policy loads within the chroot do nothing rather than changing the build host's policy, and
3) bind mount a regular empty file over selinux/context within the chroot so that attempts to validate/canonicalize contexts by rpm will always return the original value w/o trying to validate against the build host's policy.
So I ran livecd-creator today with a couple of things inside the chroot's /selinux:

load -> /dev/null
null -> /dev/null
context = [blank file]
mls = 1
enforcing = 1
policyvers = 22
This was attempting to build a F9 livecd on an F9 box, so I wasn't worried about the labeling issues (although the kernel in question is patched to support unknown labels)
Things blew up spectacularly :)
So I added O_TRUNC to both of the callers to /selinux/context in libselinux, and that took care of the lsetfilecon() crap, but I still get tons and tons of "scriptlet failed, exit status 255".
Anyone have ideas/suggestions how to debug those more?
Ah, it is likely failing on the rpm_execcon(3) -> security_compute_create(3) call, i.e. writing to /selinux/create, which computes the context in which to run the scriptlet or helper from the policy. If that returns the same as rpm's own context, then we fall back to rpm_script_t. So this affects things like ldconfig.
I increasingly suspect we're better off not mounting selinuxfs within the chroot at all and addressing any issues that arise via policy.
warning: libgcc-4.3.0-8: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
Installing: libgcc ##################### [ 1/129]
error: %post(libgcc-4.3.0-8.x86_64) scriptlet failed, exit status 255
Installing: setup ##################### [ 2/129]
Installing: filesystem ##################### [ 3/129]
Installing: basesystem ##################### [ 4/129]
Installing: ncurses-base ##################### [ 5/129]
Installing: tzdata ##################### [ 6/129]
Installing: rootfiles ##################### [ 7/129]
Installing: glibc ##################### [ 8/129]
error: %post(glibc-2.8-3.x86_64) scriptlet failed, exit status 255
Installing: ncurses-libs ##################### [ 9/129]
error: %post(ncurses-libs-5.6-16.20080301.fc9.x86_64) scriptlet failed, exit status 255
Installing: popt ##################### [ 10/129]
error: %post(popt-1.13-3.fc9.x86_64) scriptlet failed, exit status 255
Installing: zlib ##################### [ 11/129]
error: %post(zlib-1.2.3-18.fc9.x86_64) scriptlet failed, exit status 255
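Why a blank regular file over /selinux/context needs more than just being empty, as an added model that is not code from this thread or from libselinux: selinuxfs answers the read-back of a context transaction from its own reply buffer, while a regular file only returns whatever bytes happen to follow the write offset. The write-then-read-on-one-descriptor sequence and the sample contexts are assumptions made for the illustration.

```python
import os
import tempfile

# Constructed sample contexts (not taken from the thread).
STALE_CONTEXT = b"system_u:object_r:usr_t:s0-s0:c0.c1023\0"
NEW_CONTEXT = b"root:object_r:bin_t:s0\0"


def transaction(path, context, truncate=False, rewind=False):
    """Assumed shape of a selinuxfs-style transaction: write a context,
    then read the reply back on the same descriptor. On the real
    /selinux/context node the kernel serves the read from its reply
    buffer; on a regular file the read just returns the bytes that lie
    after the current offset, which is what this function exercises."""
    flags = os.O_RDWR | (os.O_TRUNC if truncate else 0)
    fd = os.open(path, flags)
    try:
        os.write(fd, context)
        if rewind:
            os.lseek(fd, 0, os.SEEK_SET)
        return os.read(fd, 4096).rstrip(b"\0")
    finally:
        os.close(fd)


def demo():
    """Run the transaction three ways against a regular file that stands
    in for /selinux/context and return what each read-back yields."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(STALE_CONTEXT)  # leftover from an earlier, longer write
        path = f.name
    try:
        results = {}
        # 1) plain open: the read returns the stale tail, not the context
        results["stale_tail"] = transaction(path, NEW_CONTEXT)
        # 2) O_TRUNC alone: the file is clean, but the read sits at EOF
        results["truncated_eof"] = transaction(path, NEW_CONTEXT, truncate=True)
        # 3) O_TRUNC plus rewind: the original value actually comes back
        results["truncate_rewind"] = transaction(
            path, NEW_CONTEXT, truncate=True, rewind=True)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only the last case reproduces the "always return the original value" behaviour the blank-file bind mount is meant to provide, which is why the stand-in depends on exactly how the caller reads the node back.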