On Mon, 2008-05-12 at 17:05 -0400, Stephen Smalley wrote:
On Mon, May 12, 2008 at 4:33 PM, Jeremy Katz katzj@redhat.com wrote:
The only problem I see with not having selinuxfs mounted at all within the chroot or even providing fake /selinux nodes is that rpm_execcon() will then see SELinux as disabled and thus not try to run the scriptlet in a different domain;
How does it do this check? Guess I should pull some rpm sources. My lord I don't wanna....
Anyway, I'd be interested in having Eric try the install with no selinuxfs mounted or fake selinux nodes within the chroot and see what happens, both in permissive mode and enforcing mode.
I've got my fake selinux mount inside the chroot much like I previously described. /selinux/create is still getting long strings in it that don't make much sense. I guess something is using it directly and not through the libselinux interface?!?!
enforcing=1 /selinux inside the chroot is the little thing that I made up to fake it.
Installing: selinux-policy ##################### [128/129]
Installing: selinux-policy-targeted ##################### [129/129]
libsemanage.dbase_llist_query: could not query record value
libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user guest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user guest_u
libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user xguest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user xguest_u
ERROR:dbus.proxies:Introspect error on :1.3:/org/freedesktop/Hal/Manager: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
/sbin/restorecon reset / context system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
/sbin/restorecon reset /bin context unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /bin/rvi context unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /bin/touch context unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
/sbin/restorecon reset /bin/mountpoint context unconfined_u:object_r:file_t:s0->system_u:object_r:mount_exec_t:s0
/sbin/restorecon reset /bin/arch context unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
and restorecon goes on like this, and on, and on, and on, and on
other things of note, restorecond goes nuts fixing up /etc/mtab for a while, must be some bad/no transition going on when we call mount?
I get no kernel AVCs but I do get:
[root@dhcp231-25 ~]# ausearch -m AVC -m USER_AVC
----
time->Mon May 12 17:19:48 2008
type=USER_AVC msg=audit(1210627188.083:329): user pid=1849 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=2044 tpid=6840 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
----
time->Mon May 12 17:20:13 2008
type=USER_AVC msg=audit(1210627213.086:330): user pid=1849 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=2044 tpid=6840 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
I've never seen unconfined_notrans_t until I started playing with this stuff. Dan, what is it?
/me goes to try to build a livecd image with permissive and then with no /selinux inside the chroot.
-Eric
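As an added example (not code from this thread or from libselinux), a small Python parser that pulls the source type, target type, object class and permission out of ausearch AVC and USER_AVC records like the ones Eric pasted and tallies the denials, so the unconfined_notrans_t question above can be answered from a count rather than by eyeballing the log. The sample lines are constructed: the two USER_AVC records from the message plus one hand-made kernel AVC line, included only to show that both record shapes parse.

```python
import re
from collections import Counter

# Constructed sample: the two USER_AVC records quoted in the message, plus one
# hand-made kernel AVC line (not from the thread) so both record shapes are covered.
SAMPLE = """\
type=USER_AVC msg=audit(1210627188.083:329): user pid=1849 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=2044 tpid=6840 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1210627213.086:330): user pid=1849 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.16 spid=2044 tpid=6840 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1210627300.000:331): avc: denied { read write } for pid=2100 comm="mount" name="mtab" dev=dm-0 ino=1234 scontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
"""

# One pattern covers the kernel AVC record and the USER_AVC record (whose avc
# message is nested inside msg='...'); the lazy .*? skips the differing prefixes.
AVC_RE = re.compile(
    r"type=(?P<rectype>USER_AVC|AVC) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):"
    r".*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return a dict of the record's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:range]; policy rules are keyed on the type,
    # so take the third field even when the MLS range itself contains colons.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize_denials(text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def as_candidate_rules(counts):
    """Render each denial tuple as an allow rule, for a human to review."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)
```

Feed it the output of ausearch -m AVC -m USER_AVC; the tallies show which source/target type pairs dominate, and the rendered rules are a reading aid for deciding whether the fix is a missing transition or a policy change, not something to load as-is.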