Bug 208275

Summary: chroot problems with selinux and olpc
Product: [Fedora] Fedora
Reporter: David Zeuthen <davidz>
Component: libselinux
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: mclasen
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-11-28 14:29:40 UTC
Bug Blocks: 191931

Description David Zeuthen 2006-09-27 15:07:25 UTC
Description of problem:

For OLPC builds we install the desired OS in a chroot on the build machine. We
use yum that in turn uses rpm.

We want to use SELinux on the OLPC machine. The SELinux policy for OLPC may be
tailor-made for OLPC.

The build machine may or may not run SELinux. The build machine may be running
RHEL4. It may run FC5.

As such, the SELinux policy that controls file labels may differ in the
installed OS vs. the OS running on the build machine.

What I'm seeing today is that this only works if the SELinux policy on the build
machine matches the SELinux policy of the installed OS.

Is there a magic option to give e.g. /sbin/fixfiles so it uses the policy in the
chroot instead of that in /selinux (which is bind mounted in the chroot)?

The only alternative I can think of right now includes using qemu to boot the
installed kernel and have an initrd that runs /sbin/fixfiles.

This affects livecd generation too (I have a livecd generator that works with
SELinux, it uses the ext3 file system on a loopback device).

Please advise. Thanks.

Comment 1 Daniel Walsh 2006-09-27 19:17:59 UTC
setfiles /etc/selinux/targeted/contexts/file_contexts /

should get you what you want

fixfiles restore in the chroot should do the above.
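
Added example, not part of the original thread or of any OLPC build script: a shell helper that finds the file_contexts belonging to the chroot's own policy and runs setfiles inside the chroot as comment 1 suggests. The function names, the fallback to "targeted", and the /sbin/setfiles location inside the chroot are assumptions.

```shell
#!/bin/sh
# Added example: relabel a chroot with the file_contexts shipped inside it,
# so labels follow the installed OS's policy and not the build host's.

# Policy type from <root>/etc/selinux/config; "targeted" if not set (assumption).
chroot_policy_type() {
    cfg="${1%/}/etc/selinux/config"
    ptype=""
    if [ -r "$cfg" ]; then
        ptype=$(sed -n 's/^SELINUXTYPE=\([A-Za-z0-9_-]*\).*/\1/p' "$cfg" | tail -n 1)
    fi
    printf '%s\n' "${ptype:-targeted}"
}

# Path of file_contexts as seen from inside the chroot. Tries the usual
# contexts/files/ location first, then the path as written in comment 1.
chroot_file_contexts() {
    root="${1%/}"
    base="/etc/selinux/$(chroot_policy_type "$root")/contexts"
    for rel in "$base/files/file_contexts" "$base/file_contexts"; do
        if [ -f "$root$rel" ]; then
            printf '%s\n' "$rel"
            return 0
        fi
    done
    echo "no file_contexts under $root$base" >&2
    return 1
}

# Relabel the whole tree from inside the chroot (needs root).
# /sbin/setfiles is assumed to be installed in the chroot.
relabel_chroot() {
    root="${1%/}"
    fc=$(chroot_file_contexts "$root") || return 1
    chroot "$root" /sbin/setfiles "$fc" /
}

# Run only when a chroot path is given on the command line.
if [ "$#" -ge 1 ]; then
    relabel_chroot "$1"
fi
```

Failing early when no file_contexts is found keeps a build from silently shipping an image labeled from the wrong policy or not labeled at all.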

Comment 2 Christopher Blizzard 2006-10-03 14:32:41 UTC
David, are you going to make changes to the build scripts to support this? 
Sounds like it's resolved other than making the change.

Comment 3 David Zeuthen 2006-10-03 14:49:10 UTC
Yea, I talked to dwalsh in the hallway about this yesterday. It works very
nicely for me on Rawhide, want to test on RHEL4 too since that is our build
environment.

Comment 4 Christopher Blizzard 2006-10-04 00:20:46 UTC
Great, let me know how those tests go.