On 06/27/2010 08:37 PM, Mr Dash Four wrote:
>> Also, does semodule need to have a running SELinux as I need to deploy
>> this module on a Linux system (image) which does NOT have SELinux
>> running (yet)?
>>
>
> Not sure, try it out.
>
I will, though I have a gut feeling that it won't work as semodule may
be looking for a running SELinux database and I presume it picks up
policy (and files) from the running system. Will give it a try though!
>> In other words, if I issue this command in chroot-ed environment would
>> that be enough? The "%post" section of the kickstart file does just that
>> - it chroots to the image as it has been built and from there I can do
>> whatever I like on the actual image, though this is not a running system
>> - i.e. SELinux on that system is not loaded! If that is possible and if
>> I run on different architectures (say the image is for x86_64 and the
>> machine on which the image is built is i686) would it matter?
>>
>
> The policy is arch-independent but I am not sure if it can be installed
> on a system that has no selinux enabled. I think it is possible but I am
> not sure.
>
I'll give it a go!
> You will still have the issue that you would have to relabel the
> filesystem on each boot though.
>
Is that a necessary thing to do after installing a new module? My
understanding is that relabelling only corrects the SELinux file
attributes on every file on the system, so why would I need to do the
relabelling when I have just installed a new policy?
Also, if my assumption is correct then why would I need to have a
running SELinux to do that? It is a great inconvenience and a real pain
for scenarios I described in my previous posts!
Good points. I think you might indeed be able to run restorecon or
fixfiles/setfiles in %post, but I am not sure.
I would suggest you try it.
Otherwise wait a day when the professionals can reply to your query.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux