[Rpm-maint] [PATCH 01/19] Execute matchpathcon_init in a chroot

Panu Matilainen pmatilai at laiskiainen.org
Thu Mar 4 08:52:11 UTC 2010


On Tue, 2 Feb 2010, Steve Lawrence wrote:

> If the --root option is given and matchpathcon_init is called outside of
> the chroot, it will read the host policy configuration and file context
> rather than those in the chroot. This leads to potentially mislabeled
> files (if host and root policies differ) and wrong data from libselinux
> (e.g. selinux_getpolicytype).

This would break anaconda, which uses the hosts policy on purpose (which 
makes sense in the case of installer).

As discussed sometime earlier, one of the problems with chroots vs selinux 
is that rpm doesn't have the slightest clue what the user / API consumer 
might want. One possibility might be using policy configuration from 
chroot if it's there, and otherwise fall back to using host policy.
It shouldn't need an extra chroot() either, as you can just stat the paths 
from the outside.

 	- Panu -


More information about the Rpm-maint mailing list