Bug 391451 - SELinux: Chroot Install/Update with Enforcing Mode
Summary: SELinux: Chroot Install/Update with Enforcing Mode
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: K12LTSP
Reported: 2007-11-20 04:24 UTC by Warren Togami
Modified: 2009-01-08 18:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-01-08 18:30:20 UTC

Description Warren Togami 2007-11-20 04:24:55 UTC
LTSP needs to install a Fedora chroot into a location like /opt/ltsp/i386 for
thin clients to boot over a network.

LTSP could use various tools like anaconda, mock or yum directly to install this
chroot.  The latest code uses anaconda due to the convenience of kickstart
definitions to install this chroot, but we could use any tool.

Unfortunately, chroot install with anaconda fails because various operations
during RPM are denied while SELinux is enforcing.  It appears that depmod,
ldconfig and more are denied.  Reportedly mock does something to avoid SELinux
denials but I don't understand it at the moment.

We need a solution to allow us to keep SELinux enabled during:
1) Install without SELinux denials.
2) yum operation within the chroot without SELinux denials.

For the purpose of LTSP we don't use SELinux enabled on the booted thin clients,
so proper labeling is not important within the chroot.  We don't care if the
contents within the chroot are properly labeled or not as a result.  However
future users of netbooted workstations will want full SELinux protection and
proper labeling within the chroot.

1) Is there anything that can be done in selinux-policy to allow install and yum
update within the chroot without AVC denials?
2) Is it possible to do this while maintaining proper labels within the chroot?
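
The report above lists the symptom (rpm scriptlets such as depmod and ldconfig being denied while installing into the chroot) but not how to see which denials are the labeling kind and which need a policy change. The helpers below are an added example, not code from the bug or from LTSP/anaconda: they read AVC records in the standard audit.log format (the same lines `ausearch -m avc` prints) and split them by command, permission and target type. The SAMPLE_AVC lines, pids and contexts are constructed for illustration and do not come from a real install.

```shell
#!/bin/sh
# Added example, not part of the bug report: triage helpers for the AVC
# denials that a chroot install (anaconda/yum running rpm scriptlets such as
# depmod and ldconfig) produces while SELinux is enforcing. Feed them the
# output of `ausearch -m avc` or lines from /var/log/audit/audit.log.
# The SAMPLE_AVC lines below are constructed for illustration; the
# contexts, pids and inode numbers are not taken from a real system.

SAMPLE_AVC='type=AVC msg=audit(1195532695.123:42): avc:  denied  { write } for  pid=1234 comm="depmod" name="modules.dep" dev=sda1 ino=5678 scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1195532696.456:43): avc:  denied  { create } for  pid=1235 comm="ldconfig" name="ld.so.cache" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1195532696.456:43): arch=40000003 syscall=5 success=no exit=-13 comm="ldconfig"
type=AVC msg=audit(1195532697.789:44): avc:  denied  { read } for  pid=1236 comm="rpm" name="passwd" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# count_denials: number of AVC denial records on stdin (SYSCALL records
# that accompany a denial are not counted twice)
count_denials() {
    grep -c 'avc:  denied'
}

# denied_comms: comma-separated, de-duplicated list of commands that were
# denied; this is the quickest answer to "what broke during the install"
denied_comms() {
    grep 'avc:  denied' | sed -n 's/.*comm="\([^"]*\)".*/\1/p' | sort -u | paste -sd, -
}

# unlabeled_denials: denials whose target carries unlabeled_t. In the chroot
# case these are the ones that labeling (or leaving the tree unlabeled via
# --noselinux) changes; denials on other types need a policy fix instead.
unlabeled_denials() {
    grep 'avc:  denied' | grep -c 'tcontext=[^ ]*:unlabeled_t:'
}

# avc_summary: one "comm permission tclass tcontext" line per denial, the
# minimum needed to read the denial or to write a local policy module
avc_summary() {
    grep 'avc:  denied' |
      sed -n 's/.*denied  { \([^}]*\) } for .*comm="\([^"]*\)".*tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \1 \4 \3/p'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Running the summary before switching the host to permissive shows whether every denial is against unlabeled_t (a labeling problem inside the chroot) or whether some, like the rpm_t read of an etc_t file in the sample, would still be denied on a correctly labeled tree and therefore need a policy change.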

Comment 1 Warren Togami 2007-11-27 05:38:54 UTC
Talked a bit with dwalsh about this last week.

anaconda with --noselinux will install a chroot unlabeled, which installs and
internally yum updates just fine.  This will suit the needs for LTSP initially.

Supporting SELinux enabled netboot workstations later however will require far
more difficult changes to how SELinux works.

Comment 2 Daniel Walsh 2007-12-10 19:52:19 UTC
Which executable do you use to create this environment?

Comment 3 Warren Togami 2007-12-10 20:11:56 UTC
anaconda without --noselinux will label the contents inside, causing things to
explode during installation if enforcing (broken chroot).  You need to set it to
permissive to install with labeling.  That is a problem.

Comment 4 Bug Zapper 2008-05-14 03:56:33 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:

Comment 5 Daniel Walsh 2008-07-02 20:01:20 UTC
Changes are rolling into Fedora 9 to allow livecd to create a system in
enforcing mode.  These changes should help with this problem.

the -26 kernel is required
