391451 – SELinux: Chroot Install/Update with Enforcing Mode

Bug 391451 - SELinux: Chroot Install/Update with Enforcing Mode

Summary: SELinux: Chroot Install/Update with Enforcing Mode

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	9
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	K12LTSP
TreeView+	depends on / blocked

Reported:	2007-11-20 04:24 UTC by Warren Togami
Modified:	2009-01-08 18:30 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2009-01-08 18:30:20 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Warren Togami 2007-11-20 04:24:55 UTC

LTSP needs to install a Fedora chroot into a location like /opt/ltsp/i386 for
thin clients to boot over a network.

LTSP could use various tools like anaconda, mock or yum directly to install this
chroot.  The latest code uses anaconda due to the convenience of kickstart
definitions to install this chroot, but we could use any tool.

Unfortunately, chroot install with anaconda fails because various operations
during RPM are denied while SELinux is enforcing.  It appears that depmod,
ldconfig and more are denied.  Reportedly mock does something to avoid SELinux
denials but I don't understand it at the moment.

We need a solution to allow us to keep SELinux enabled during:
1) Install without SELinux denials.
2) yum operation within the chroot without SELinux denials.

For the purpose of LTSP we don't use SELinux enabled on the booted thin clients,
so proper labeling is not important within the chroot.  We don't care if the
contents within the chroot are properly labeled or not as a result.  However
future users of netbooted workstations will want full SELinux protection and
proper labeling within the chroot.

Questions
=========
1) Is there anything that can be done in selinux-policy to allow install and yum
update within the chroot without AVC denials?
 
2) Is it possible to do this while maintaining proper labels within the chroot?

Comment 1 Warren Togami 2007-11-27 05:38:54 UTC

Talked a bit with dwalsh about this last week.

anaconda with --noselinux will install a chroot unlabeled, which installs and
internally yum updates just fine.  This will suit the needs for LTSP initially.

Supporting SELinux enabled netboot workstations later however will require far
more difficult changes to how SELinux works.

Comment 2 Daniel Walsh 2007-12-10 19:52:19 UTC

Which executable do you use to create this environment?

Comment 3 Warren Togami 2007-12-10 20:11:56 UTC

anaconda without --noselinux will label the contents inside, causing things to
explode during installation if enforcing (broken chroot).  You need to set it to
permissive to install with labeling.  That is a problem.

Comment 4 Bug Zapper 2008-05-14 03:56:33 UTC

Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Daniel Walsh 2008-07-02 20:01:20 UTC

Changes are rolling into Fedora 9 to allow livecd to create a system in
enforcing mode.  These changes should help with this problem.

the -26 kernel is required

Note You need to log in before you can comment on or make changes to this bug.