* Labeling as part of distribution build process?
From: Stephen Hemminger @ 2010-05-11 22:28 UTC
  To: SELinux

I am working on SELinux support for our distribution. We support LiveCD
and running off a read-only image.  I have gotten xattr support for
Squashfs to work, but one question is how to do labeling of an alternative
root location. One twist is that the build environment probably will
not be running with the same SELinux policy as the target.

What I want is to label a subdirectory tree based on the rules
of a policy (package).  The existing tools appear to be targeted
at a self-hosted policy environment. Is there some way to label
with other tools?

Thanks.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Labeling as part of distribution build process?
From: Stephen Smalley @ 2010-05-12  0:39 UTC
  To: Stephen Hemminger; +Cc: SELinux

On Tue, May 11, 2010 at 6:28 PM, Stephen Hemminger
<shemminger@vyatta.com> wrote:
> I am working on SELinux support for our distribution. We support LiveCD
> and running off a read-only image.  I have gotten xattr support for
> Squashfs to work, but one question is how to do labeling of an alternative
> root location. One twist is that the build environment probably will
> not be running with the same SELinux policy as the target.
>
> What I want is to label a subdirectory tree based on the rules
> of a policy (package).  The existing tools appear to be targeted
> at a self-hosted policy environment. Is there some way to label
> with other tools?

You should be able to use setfiles as long as you run it within a
chroot and run it in a domain that is allowed to set undefined
contexts (setfiles_mac_t in the Fedora policy, introduced to support
livecd building and building of other distribution releases with
different policies on a SELinux-enabled host).  See:
http://marc.info/?l=selinux&m=127300211126195&w=2


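
The approach from the reply above (setfiles run inside a chroot of the target root, using the target's own file_contexts rather than the build host's), as an added example that is not part of the original thread. The function names and the DRY_RUN variable are assumptions, as is a target root that ships its own setfiles binary and an /etc/selinux/config naming its policy; entering a domain such as setfiles_mac_t is left to the build host's policy.

```shell
#!/bin/sh
# Added example: label an alternate root with the target image's own policy.
# Assumptions (not from the thread): function names, the DRY_RUN variable,
# and that the target root contains setfiles plus its file_contexts.

# Print the SELINUXTYPE configured inside the target root (not the host's).
target_policy_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' \
        "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Print the file_contexts path as seen from inside the chroot.
target_spec_file() {
    ptype=$(target_policy_type "$1")
    [ -n "$ptype" ] || return 1
    spec="/etc/selinux/$ptype/contexts/files/file_contexts"
    [ -f "$1$spec" ] || return 1
    printf '%s\n' "$spec"
}

# Relabel everything under the target root using the target's rules.
# With DRY_RUN set, print the command instead of running it.
label_target_root() {
    root=${1%/}
    [ -d "$root" ] || { echo "no such root: $root" >&2; return 2; }
    spec=$(target_spec_file "$root") || {
        echo "no file_contexts for target policy in $root" >&2; return 3; }
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'chroot %s setfiles %s /\n' "$root" "$spec"
        return 0
    fi
    # The caller must already be in a domain allowed to set undefined
    # contexts (setfiles_mac_t in the Fedora policy, per the reply above).
    # setfiles is looked up after the chroot, so it must exist in the target.
    chroot "$root" setfiles "$spec" /
}

# Run only when a root is given: ./label-root.sh /path/to/image-root
if [ "$#" -gt 0 ]; then label_target_root "$1"; fi
```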
