[Rpm-maint] [PATCH 01/19] Execute matchpathcon_init in a chroot
Panu Matilainen
pmatilai at laiskiainen.org
Thu Mar 4 08:52:11 UTC 2010
On Tue, 2 Feb 2010, Steve Lawrence wrote:
> If the --root option is given and matchpathcon_init is called outside of
> the chroot, it will read the host policy configuration and file context
> rather than those in the chroot. This leads to potentially mislabeled
> files (if host and root policies differ) and wrong data from libselinux
> (e.g. selinux_getpolicytype).
This would break anaconda, which uses the host's policy on purpose (which
makes sense in the case of the installer).
As discussed some time earlier, one of the problems with chroots vs. SELinux
is that rpm doesn't have the slightest clue what the user / API consumer
might want. One possibility might be using the policy configuration from the
chroot if it's there, and otherwise falling back to using the host policy.
It shouldn't need an extra chroot() either, as you can just stat the paths
from the outside.
- Panu -
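An added illustration of the fallback sketched in the reply above (example code written for this archive page, not rpm's or libselinux's own): it reads SELINUXTYPE from the chroot's /etc/selinux/config and stats the matching file_contexts from outside, returning that path when the chroot carries a usable policy and None when the host policy should be used instead. That rpm would pass the returned path (or NULL) to matchpathcon_init is an assumption about how the result would be wired in; the temp-directory fixture is constructed for the check, not a real policy.

```python
"""Added example, not rpm's or libselinux's code: from OUTSIDE the chroot, decide
whether an rpm --root tree carries its own SELinux policy configuration and, if
so, which file_contexts path to hand to matchpathcon_init(); None means fall back
to the host policy.  Only os.stat() on root-prefixed paths, so no chroot() needed."""
import os
import stat
import tempfile


def read_policy_type(root):
    """Return the SELINUXTYPE value from <root>/etc/selinux/config, or None."""
    try:
        with open(os.path.join(root, "etc/selinux/config")) as cfg:
            for line in cfg:
                if line.startswith("SELINUXTYPE="):
                    return line[len("SELINUXTYPE="):].strip() or None
    except OSError:
        return None                         # no config in the chroot
    return None


def choose_file_contexts(root):
    """Path to the chroot's file_contexts, or None to fall back to the host policy.
    Whether a caller such as anaconda wants the host policy regardless stays the
    caller's explicit choice; this only detects what the chroot offers."""
    if root in (None, "", "/"):
        return None                         # no separate root at all
    policy = read_policy_type(root)
    if policy is None or "/" in policy:     # absent, empty or malformed type
        return None
    path = os.path.join(root, "etc/selinux", policy, "contexts/files/file_contexts")
    try:
        st = os.stat(path)                  # plain stat from outside, no chroot()
    except OSError:
        return None
    return path if stat.S_ISREG(st.st_mode) else None


def make_fake_root(policy_type="targeted", with_config=True, with_contexts=True):
    """Constructed fixture: a temp dir laid out like a chroot's /etc/selinux."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    ctx_dir = os.path.join(root, "etc/selinux", policy_type, "contexts/files")
    os.makedirs(ctx_dir)
    if with_config:
        with open(os.path.join(root, "etc/selinux/config"), "w") as cfg:
            cfg.write("SELINUX=enforcing\nSELINUXTYPE=%s\n" % policy_type)
    if with_contexts:
        with open(os.path.join(ctx_dir, "file_contexts"), "w") as fc:
            fc.write("/.*\tsystem_u:object_r:default_t:s0\n")
    return root
```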