[Rpm-maint] [PATCH 01/19] Execute matchpathcon_init in a chroot
Steve Lawrence
slawrence at tresys.com
Thu Mar 4 21:16:08 UTC 2010
On Thu, 2010-03-04 at 10:52 +0200, Panu Matilainen wrote:
> On Tue, 2 Feb 2010, Steve Lawrence wrote:
>
> > If the --root option is given and matchpathcon_init is called outside of
> > the chroot, it will read the host policy configuration and file context
> > rather than those in the chroot. This leads to potentially mislabeled
> > files (if host and root policies differ) and wrong data from libselinux
> > (e.g. selinux_getpolicytype).
>
> This would break anaconda, which uses the host's policy on purpose (which
> makes sense in the case of the installer).
>
> As discussed sometime earlier, one of the problems with chroots vs selinux
> is that rpm doesn't have the slightest clue what the user / API consumer
> might want. One possibility might be using policy configuration from
> chroot if it's there, and otherwise fall back to using host policy.
> It shouldn't need an extra chroot() either, as you can just stat the paths
> from the outside.
>
> - Panu -
A fallback to using the host's configuration looks like a good solution.
- Steve
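As an added example (not code from rpm, libselinux or either poster), here is one way to implement the fallback Panu describes: probe the chroot for its own SELinux configuration by stat'ing the path from outside, use the chroot's policy root if it is there, and otherwise fall back to the host. The function names, the /etc/selinux/config probe path and the constructed fixture directories are assumptions for illustration. Because a stat() done from outside the chroot follows symlinks against the host tree, the example also checks that the canonical path of the probed file stays under the root; otherwise an absolute symlink inside the chroot would make the host's config look like the chroot's.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SELINUX_CONFIG "/etc/selinux/config"   /* assumed probe path */

/* Join a root prefix and an absolute path without a doubled slash. */
static int join_path(char *out, size_t n, const char *root, const char *path)
{
    size_t rl = strlen(root);
    while (rl > 0 && root[rl - 1] == '/')
        rl--;
    return snprintf(out, n, "%.*s%s", (int)rl, root, path) < (int)n ? 0 : -1;
}

/* 1 if the canonical form of 'candidate' lies strictly under the canonical
 * form of 'root'. stat() from outside the chroot resolves symlinks against
 * the host tree, so an absolute symlink inside the chroot would otherwise
 * make the host's file pass as the chroot's. */
static int under_root(const char *root, const char *candidate)
{
    char rreal[PATH_MAX], creal[PATH_MAX];
    size_t rl;

    if (!realpath(root, rreal) || !realpath(candidate, creal))
        return 0;
    rl = strlen(rreal);
    if (rl > 0 && rreal[rl - 1] == '/')
        rl--;
    return strncmp(creal, rreal, rl) == 0 && creal[rl] == '/';
}

/* Select the policy root for a --root operation: the chroot if it carries
 * its own SELinux config, otherwise "" meaning the host's policy.
 * Returns 1 when the chroot's config was chosen, 0 on host fallback. */
int choose_policy_root(const char *root, char *policy_root, size_t n)
{
    char probe[PATH_MAX];
    struct stat st;

    if (root && *root && strcmp(root, "/") != 0 &&
        join_path(probe, sizeof probe, root, SELINUX_CONFIG) == 0 &&
        stat(probe, &st) == 0 && S_ISREG(st.st_mode) &&
        under_root(root, probe)) {
        snprintf(policy_root, n, "%s", root);
        return 1;
    }
    policy_root[0] = '\0';
    return 0;
}

/* Create root, root/etc and root/etc/selinux for a constructed fixture. */
static int mkdir_p3(const char *root)
{
    char p[PATH_MAX];
    if (mkdir(root, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/etc", root);
    if (mkdir(p, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/etc/selinux", root);
    return mkdir(p, 0755);
}

/* Constructed fixtures under a temp dir, exercising three cases:
 *   a: chroot with its own config                    -> chroot chosen (bit 0)
 *   b: chroot with no config                         -> host fallback (bit 1)
 *   c: config is an absolute symlink leaving the root -> host fallback (bit 2)
 * Returns the bitmask; 7 means every case behaved as intended. */
int run_demo(void)
{
    char base[] = "/tmp/polroot-XXXXXX";
    char root[3][PATH_MAX], cfg_a[PATH_MAX], cfg_c[PATH_MAX], chosen[PATH_MAX];
    int mask = 0, i;
    FILE *f;

    if (!mkdtemp(base))
        return -1;
    for (i = 0; i < 3; i++)
        snprintf(root[i], PATH_MAX, "%s/%c", base, 'a' + i);

    mkdir_p3(root[0]);                               /* case a */
    snprintf(cfg_a, sizeof cfg_a, "%s%s", root[0], SELINUX_CONFIG);
    if ((f = fopen(cfg_a, "w"))) { fputs("SELINUX=enforcing\nSELINUXTYPE=targeted\n", f); fclose(f); }

    mkdir(root[1], 0755);                            /* case b: no config */

    mkdir_p3(root[2]);                               /* case c */
    snprintf(cfg_c, sizeof cfg_c, "%s%s", root[2], SELINUX_CONFIG);
    symlink(cfg_a, cfg_c);   /* escapes root c; a bare stat() would accept it */

    if (choose_policy_root(root[0], chosen, sizeof chosen) == 1 && strcmp(chosen, root[0]) == 0)
        mask |= 1;
    if (choose_policy_root(root[1], chosen, sizeof chosen) == 0 && chosen[0] == '\0')
        mask |= 2;
    if (choose_policy_root(root[2], chosen, sizeof chosen) == 0)
        mask |= 4;

    unlink(cfg_c); unlink(cfg_a);                    /* tidy up the fixtures */
    for (i = 0; i < 3; i++) {
        char p[PATH_MAX];
        snprintf(p, sizeof p, "%s/etc/selinux", root[i]); rmdir(p);
        snprintf(p, sizeof p, "%s/etc", root[i]); rmdir(p);
        rmdir(root[i]);
    }
    rmdir(base);
    return mask;
}

int main(void)
{
    printf("demo mask: %d (7 = all cases as intended)\n", run_demo());
    return 0;
}
```

The selected root is what a caller would hand to libselinux before initialising the file-context matching; the example deliberately stops at the selection step so it runs without libselinux. Note that the test for "has its own policy" is only a presence check on the config file; a chroot carrying a config file but no matching policy store would still be selected, which is the kind of case the API consumer, not rpm, has to decide on.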