[Rpm-maint] [PATCH 01/19] Execute matchpathcon_init in a chroot

Steve Lawrence slawrence at tresys.com
Thu Mar 4 21:16:08 UTC 2010


On Thu, 2010-03-04 at 10:52 +0200, Panu Matilainen wrote: 
> On Tue, 2 Feb 2010, Steve Lawrence wrote:
> 
> > If the --root option is given and matchpathcon_init is called outside of
> > the chroot, it will read the host policy configuration and file context
> > rather than those in the chroot. This leads to potentially mislabeled
> > files (if host and root policies differ) and wrong data from libselinux
> > (e.g. selinux_getpolicytype).
> 
> This would break anaconda, which uses the hosts policy on purpose (which 
> makes sense in the case of installer).
> 
> As discussed sometime earlier, one of the problems with chroots vs selinux 
> is that rpm doesn't have the slightest clue what the user / API consumer 
> might want. One possibility might be using policy configuration from 
> chroot if it's there, and otherwise fall back to using host policy.
> It shouldn't need an extra chroot() either, as you can just stat the paths 
> from the outside.
> 
>  	- Panu -

A fallback to using the hosts configuration looks like a good solution.

- Steve


More information about the Rpm-maint mailing list