Bug 391451

Summary: SELinux: Chroot Install/Update with Enforcing Mode
Product: [Fedora] Fedora
Reporter: Warren Togami <wtogami>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 9
CC: dwalsh, mebrown, rvokal
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-08 18:30:20 UTC
Bug Blocks: 188611

Description Warren Togami 2007-11-20 04:24:55 UTC
LTSP needs to install a Fedora chroot into a location like /opt/ltsp/i386 for
thin clients to boot over a network.

LTSP could use various tools like anaconda, mock or yum directly to install this
chroot.  The latest code uses anaconda due to the convenience of kickstart
definitions to install this chroot, but we could use any tool.

Unfortunately, chroot install with anaconda fails because various operations
during RPM are denied while SELinux is enforcing.  It appears that depmod,
ldconfig and more are denied.  Reportedly mock does something to avoid SELinux
denials but I don't understand it at the moment.

We need a solution to allow us to keep SELinux enabled during:
1) Install without SELinux denials.
2) yum operation within the chroot without SELinux denials.

For the purpose of LTSP we don't use SELinux enabled on the booted thin clients,
so proper labeling is not important within the chroot.  We don't care if the
contents within the chroot are properly labeled or not as a result.  However
future users of netbooted workstations will want full SELinux protection and
proper labeling within the chroot.

Questions
=========
1) Is there anything that can be done in selinux-policy to allow install and yum
update within the chroot without AVC denials?
 
2) Is it possible to do this while maintaining proper labels within the chroot?
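
As an added illustration (not part of the bug report, nor code from anaconda, mock or selinux-policy), the following Python script parses kernel AVC records of the kind the description refers to, groups the denials by command, object class and permission, and flags targets whose type is unlabeled_t, which is what an unlabeled chroot tree produces. The audit lines it runs on are constructed samples in the standard AVC record format; the process names, contexts, device and inode numbers in them are illustrative and were not taken from the reporter's system.

```python
import re
from collections import Counter, defaultdict

# Kernel AVC record as it appears in /var/log/audit/audit.log or dmesg:
#   avc:  denied  { write } for  pid=... comm="depmod" ... scontext=... tcontext=... tclass=file
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="depmod") or bare (tclass=file)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit lines (illustrative only, not from the reporter's system).
# They model what the description reports: rpm scriptlets running depmod and
# ldconfig inside the chroot being denied access to unlabeled files.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1195532695.123:101): avc:  denied  { write } for  pid=2101 comm="depmod" name="modules.dep" dev=sda2 ino=40012 scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1195532695.401:102): avc:  denied  { read write } for  pid=2102 comm="ldconfig" name="ld.so.cache" dev=sda2 ino=40020 scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1195532695.401:102): arch=40000003 syscall=5 success=no exit=-13 comm="ldconfig"
type=AVC msg=audit(1195532696.002:103): avc:  denied  { write } for  pid=2101 comm="depmod" name="modules.alias" dev=sda2 ino=40013 scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1195532697.100:104): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name'),
        'scontext': fields.get('scontext', '?'),
        'tcontext': fields.get('tcontext', '?'),
        'tclass': fields.get('tclass', '?'),
    }


def summarize_denials(lines):
    """Group denials by command -> (object class, permission) -> count, and
    collect (command, object name) pairs whose target carries unlabeled_t."""
    per_comm = defaultdict(Counter)
    unlabeled_targets = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue  # non-AVC records and granted decisions are not of interest here
        for perm in rec['perms']:
            per_comm[rec['comm']][(rec['tclass'], perm)] += 1
        if context_type(rec['tcontext']) == 'unlabeled_t' and rec['name']:
            unlabeled_targets.add((rec['comm'], rec['name']))
    return dict(per_comm), unlabeled_targets


def report(lines):
    """Human-readable summary: one line per command/class/permission, then unlabeled targets."""
    per_comm, unlabeled = summarize_denials(lines)
    out = []
    for comm in sorted(per_comm):
        for (tclass, perm), n in sorted(per_comm[comm].items()):
            out.append(f"{comm:<10} {tclass:<8} {perm:<8} x{n}")
    if unlabeled:
        out.append("targets with unlabeled_t (chroot tree has no labels): "
                   + ", ".join(f"{c}:{name}" for c, name in sorted(unlabeled)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG.splitlines()))
```

Run it with real input by feeding `summarize_denials()` the lines of an audit log captured during the chroot install; a summary dominated by rpm_script_t denials against unlabeled_t targets shows that the failures come from missing labels in the chroot tree rather than from a policy rule for the individual tools.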

Comment 1 Warren Togami 2007-11-27 05:38:54 UTC
Talked a bit with dwalsh about this last week.

anaconda with --noselinux will install a chroot unlabeled, which installs and
internally yum updates just fine.  This will suit the needs for LTSP initially.

Supporting SELinux enabled netboot workstations later however will require far
more difficult changes to how SELinux works. 

Comment 2 Daniel Walsh 2007-12-10 19:52:19 UTC
Which executable do you use to create this environment?

Comment 3 Warren Togami 2007-12-10 20:11:56 UTC
anaconda without --noselinux will label the contents inside, causing things to
explode during installation if enforcing (broken chroot).  You need to set it to
permissive to install with labeling.  That is a problem.

Comment 4 Bug Zapper 2008-05-14 03:56:33 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Daniel Walsh 2008-07-02 20:01:20 UTC
Changes are rolling into Fedora 9 to allow livecd to create a system in
enforcing mode.  These changes should help with this problem.

The -26 kernel is required.