I've spent pretty much all week flailing around trying to get livecd-creator working with selinux enforcing with F10 as both the host and the image. Next week begins the journey of working on making old composes work on F10. Where do I stand? Well, it seems to work! I booted an image and logged in.
Changes I've made so far (doesn't look like a whole lot for basically a week of work....)
policycoreutils got some updates to allow users to be created in the chroot (already built and in koji) and to make relabeling a little better.
libselinux has no changes with my current approach. I do not want rpm running inside the chroot to transition to rpm_t, nor do I want scriptlets to run as rpm_script_t as then those scriptlets can cause transitions to things like depmod_t which isn't going to have permissions necessary to run with the possibly screwy labels inside the chroot.
I added one rule to policy to allow hal to respond back to the chroot:

    allow hald_t unconfined_notrans_t:dbus send_msg;
Create a fake /selinux inside the chroot. It contains:

    mls        -> copy from host
    policyvers -> copy from host
    enforce    -> 0
    load       -> /dev/null

This means that from the point of view of the inside of the chroot selinux is "on" but not enforcing. The not-enforcing part is important because some programs (passwd for example) try to determine if selinux is going to permit something before they actually try it. If passwd realizes that selinux is enforcing but then it doesn't have a real /selinux to make those decisions it gets mad. So I'm lying to the chroot.
Changes to livecd-creator: diff -Naupr imgcreate/creator.py imgcreate.new/creator.py --- imgcreate/creator.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate.new/creator.py 2008-05-16 13:01:05.000000000 -0400 @@ -22,6 +22,7 @@ import stat import sys import tempfile import shutil +import selinux
import yum import rpm @@ -427,7 +428,7 @@ class ImageCreator(object):
self._mount_instroot(base_on)
- for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"): + for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc"): makedirs(self._instroot + d)
cachesrc = cachedir or (self.__builddir + "/yum-cache") @@ -439,10 +440,6 @@ class ImageCreator(object): (cachesrc, "/var/cache/yum")]: self.__bindmounts.append(BindChrootMount(f, self._instroot, dest))
- # /selinux should only be mounted if selinux is enabled (enforcing or permissive) - if kickstart.selinux_enabled(self.ks): - self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None)) - # Create minimum /dev origumask = os.umask(0000) devices = [('null', 1, 3, 0666), @@ -460,6 +457,20 @@ class ImageCreator(object): os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr") os.umask(origumask)
+ # selinux whoo hooo + if kickstart.selinux_enabled(self.ks): + makedirs(self._instroot + "/selinux") + # this should actually create our new fake /selinux, not bind from the host, though i haven't decided how + self.__bindmounts.append(BindChrootMount("/selinux1", self._instroot, "/selinux")) + + # label the fs like it is a root before the bind mounting + cmd = "/sbin/setfiles -F -r %s %s %s" % (self._instroot, selinux.selinux_file_context_path(), self._instroot) + os.system(cmd) + # these dumb things don't get magically fixed, so make the user generic + for f in ["/proc", "/sys", "/selinux"]: + cmd = "chcon -u system_u %s" % (self._instroot + f) + os.system(cmd) + self._do_bindmounts()
os.symlink("../proc/mounts", self._instroot + "/etc/mtab") diff -Naupr imgcreate/kickstart.py imgcreate.new/kickstart.py --- imgcreate/kickstart.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate.new/kickstart.py 2008-05-15 10:10:40.000000000 -0400 @@ -372,11 +372,11 @@ class SelinuxConfig(KickstartConfig):
if ksselinux.selinux == ksconstants.SELINUX_DISABLED: return - if not os.path.exists(self.path("/sbin/restorecon")): + if os.path.exists(self.path("/sbin/restorecon")): + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"]) + else: return
- self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"]) - def apply(self, ksselinux): if os.path.exists(self.path("/usr/sbin/lokkit")): args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]
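Review bot: the new `import selinux` at the top of creator.py is unconditional, so on a host without the libselinux python bindings the whole module fails to import even when the kickstart has SELinux disabled; its only use is `selinux.selinux_file_context_path()` inside the `if kickstart.selinux_enabled(self.ks):` branch, so import it lazily there or guard it with `try/except ImportError`.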
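Review bot: the `BindChrootMount("/selinux1", self._instroot, "/selinux")` line contradicts the comment directly above it and the description in the mail of a generated fake /selinux (mls and policyvers copied, enforce set to 0, load pointed at /dev/null); as written the build depends on a host directory named /selinux1 existing. In the same hunk, `setfiles` and the three `chcon -u system_u` calls go through `os.system` with a formatted string and their exit status is thrown away, so a failed relabel is silent and the image is built mislabeled; the rest of the module uses list-form calls, and a non-zero return here should abort the build.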
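Review bot: inverting the `os.path.exists` test leaves `else: return` as the only other branch, which reads backwards compared with the original early return; keep `if not os.path.exists(self.path("/sbin/restorecon")): return` and place the new `self.call([...])` after it. The added `-F` is what makes the user field get reset (restorecon otherwise leaves it alone), which pairs with the `chcon -u system_u` in creator.py, and the `-e /proc -e /sys -e /dev -e /selinux` exclusions are chroot-relative, which only holds if `self.call` runs inside the chroot as `self.path()` suggests; a comment saying so would help.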
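One way to generate the fake /selinux described above instead of bind-mounting /selinux1 from the host, as an added example that is not Eric's patch or livecd-creator code: make_fake_selinuxfs and chroot_sees_enforcing are hypothetical helpers, and the host selinuxfs path, instroot path and sample mls/policyvers values in the demo are constructed.

```python
# Added example (not livecd-creator code): build the fake /selinux the
# message describes, so the chroot sees SELinux as present but permissive.
import os
import shutil
import tempfile


def make_fake_selinuxfs(dest, host_selinuxfs="/selinux"):
    """Populate dest with the four entries the chroot needs: mls and
    policyvers copied from the host so it reports the same policy, enforce
    pinned to 0 so passwd & co never ask for a decision the fake fs cannot
    answer, and load -> /dev/null so a policy load is discarded."""
    os.makedirs(dest, exist_ok=True)
    written = {}
    for name in ("mls", "policyvers"):
        with open(os.path.join(host_selinuxfs, name)) as src:
            value = src.read().strip()  # selinuxfs files carry no newline
        with open(os.path.join(dest, name), "w") as out:
            out.write(value)
        written[name] = value
    with open(os.path.join(dest, "enforce"), "w") as out:
        out.write("0")
    written["enforce"] = "0"
    load = os.path.join(dest, "load")
    if os.path.lexists(load):
        os.remove(load)
    os.symlink("/dev/null", load)
    written["load"] = os.readlink(load)
    return written


def chroot_sees_enforcing(fake_selinux):
    """What getenforce inside the chroot reads back from the fake fs."""
    with open(os.path.join(fake_selinux, "enforce")) as f:
        return f.read().strip() == "1"


if __name__ == "__main__":
    # Constructed stand-in for the host's /selinux so this runs anywhere.
    host = tempfile.mkdtemp(prefix="host-selinux-")
    for name, value in (("mls", "1"), ("policyvers", "22")):
        with open(os.path.join(host, name), "w") as f:
            f.write(value)
    instroot = tempfile.mkdtemp(prefix="instroot-")
    fake = os.path.join(instroot, "selinux")
    print(make_fake_selinuxfs(fake, host))
    print("enforcing inside chroot:", chroot_sees_enforcing(fake))
    shutil.rmtree(host)
    shutil.rmtree(instroot)
```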
On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> I've spent pretty much all week flailing around trying to get livecd-creator working with selinux enforcing with F10 as both the host and the image. Next week begins the journey of working on making old composes work on F10. Where do I stand? Well, it seems to work! I booted an image and logged in.
Today I tried flipping my repos to point at F7 and tried to build. Didn't see any selinux messages but crap still hit the fan on boot (eventual kernel panic complaining about no root and killing init).
Anyway, I also decided to see what would happen if I flipped my kickstart file to selinux --disabled while leaving the system enforcing. Sorta boom. Installing selinux-policy-targeted got really pissed off:
libsepol.policydb_write: Discarding booleans and conditional rules
libsepol.policydb_write: Discarding booleans and conditional rules
libsepol.context_read_and_validate: invalid security context
libsepol.policydb_to_image: new policy image is invalid
libsepol.policydb_to_image: could not create policy image
/usr/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.21.
But something tells me it's still going to work just fine once the build finishes. Anyway.
-Eric
On Mon, 2008-05-19 at 15:14 -0400, Eric Paris wrote:
> On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> > I've spent pretty much all week flailing around trying to get livecd-creator working with selinux enforcing with F10 as both the host and the image. Next week begins the journey of working on making old composes work on F10. Where do I stand? Well, it seems to work! I booted an image and logged in.
> Today I tried flipping my repos to point at F7 and tried to build. Didn't see any selinux messages but crap still hit the fan on boot (eventual kernel panic complaining about no root and killing init).
So the interesting question there is whether the image was missing files or just mislabeled?
> Anyway, I also decided to see what would happen if I flipped my kickstart file to selinux --disabled while leaving the system enforcing. Sorta boom. Installing selinux-policy-targeted got really pissed off:
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.policydb_write: Discarding booleans and conditional rules
> libsepol.context_read_and_validate: invalid security context
> libsepol.policydb_to_image: new policy image is invalid
> libsepol.policydb_to_image: could not create policy image
> /usr/sbin/load_policy: Can't load policy: No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.21.
If you are going to build a selinux disabled image, then I assume you'd want to fake the chroot into seeing SELinux as disabled too so that it doesn't try to do things like load policy (as above). Which would mean bind mounting a file over /proc/filesystems in the chroot to obscure the presence of selinuxfs.
> But something tells me it's still going to work just fine once the build finishes. Anyway.
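The "selinux --disabled" case Stephen describes, as an added example that is neither his nor livecd-creator's code: selinuxfs_listed, hide_selinuxfs and disabled_view_bindmount are hypothetical helpers, the /proc/filesystems excerpt is constructed, and the bind mount itself is left to the caller.

```python
# Added example (not livecd-creator code): the "selinux --disabled" case,
# hiding selinuxfs from the chroot by filtering /proc/filesystems.
import os
import tempfile


def selinuxfs_listed(proc_filesystems_text):
    """True if /proc/filesystems advertises selinuxfs (lines are
    "nodev\tNAME" for virtual filesystems, "\tNAME" for block-backed)."""
    return any(line.split("\t")[-1].strip() == "selinuxfs"
               for line in proc_filesystems_text.splitlines())


def hide_selinuxfs(proc_filesystems_text):
    """Return the same listing with the selinuxfs line removed.  libselinux's
    is_selinux_enabled() scans this file for selinuxfs, so a chroot reading
    the filtered copy concludes SELinux is disabled and never loads policy."""
    kept = [line for line in proc_filesystems_text.splitlines()
            if line.split("\t")[-1].strip() != "selinuxfs"]
    return "".join(line + "\n" for line in kept)


def disabled_view_bindmount(instroot, builddir, proc_filesystems="/proc/filesystems"):
    """Write the filtered copy under builddir and return the (src, dest) pair
    to bind mount over <instroot>/proc/filesystems.  The mount itself is left
    to the caller (BindChrootMount in livecd-creator) since it needs root."""
    with open(proc_filesystems) as f:
        filtered = hide_selinuxfs(f.read())
    src = os.path.join(builddir, "filesystems.noselinux")
    with open(src, "w") as f:
        f.write(filtered)
    return src, os.path.join(instroot, "proc", "filesystems")


if __name__ == "__main__":
    # Constructed /proc/filesystems excerpt; real hosts list many more.
    sample = "nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text3\nnodev\ttmpfs\n"
    build = tempfile.mkdtemp(prefix="builddir-")
    host_copy = os.path.join(build, "filesystems.host")
    with open(host_copy, "w") as f:
        f.write(sample)
    print("host sees selinuxfs:", selinuxfs_listed(sample))
    src, dest = disabled_view_bindmount("/var/tmp/instroot", build, host_copy)
    print("bind mount %s over %s" % (src, dest))
    print("chroot sees selinuxfs:", selinuxfs_listed(open(src).read()))
```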
On Mon, 2008-05-19 at 15:30 -0400, Stephen Smalley wrote:
> On Mon, 2008-05-19 at 15:14 -0400, Eric Paris wrote:
> > On Fri, 2008-05-16 at 15:19 -0400, Eric Paris wrote:
> > > I've spent pretty much all week flailing around trying to get livecd-creator working with selinux enforcing with F10 as both the host and the image. Next week begins the journey of working on making old composes work on F10. Where do I stand? Well, it seems to work! I booted an image and logged in.
> > Today I tried flipping my repos to point at F7 and tried to build. Didn't see any selinux messages but crap still hit the fan on boot (eventual kernel panic complaining about no root and killing init).
> So the interesting question there is whether the image was missing files or just mislabeled?
Well in the F8 example kickstart I see this bit of craziness:
    # make the initrd we care about
    rm -f /boot/initrd*.img
    cp /etc/sysconfig/mkinitrd /etc/mayflower.conf
    ver=`ls /boot/vmlinuz* |head -n 1 |sed -e 's;/boot/vmlinuz-;;'`
    /usr/lib/livecd-creator/mayflower -f /boot/initrd-$ver.img $ver
    rm -f /etc/mayflower.conf
which leads me to believe F7 probably needs something similar that I don't have with my basically blank kickstart file.
-Eric
selinux@lists.fedoraproject.org