[Piuparts-devel] Bug#682068: selinux + piuparts

Laurent Bigonville bigon at debian.org
Tue Jan 7 10:34:49 UTC 2014


Hello,

Any news for this bug?

I've an extra request related to this.

According to [0] the selinuxfs in the chroot should be mounted as
read-only so the userspace inside the chroot thinks selinux is disabled.
If we are not doing this, dpkg (and other selinux-aware software) might
fail (see #734193).

According to this post[1] in this discussion, the selinuxfs should
be bound instead of mounted and then should be remounted as read-only:

mount --bind /sys/fs/selinux /var/chroot/sys/fs/selinux
mount -o remount,ro,bind /var/chroot/sys/fs/selinux

I guess that mounting the selinuxfs as read-only is a bit more urgent
than moving the mountpoint.

Cheers,

Laurent Bigonville

[0] http://comments.gmane.org/gmane.comp.security.selinux/15349
[1] http://permalink.gmane.org/gmane.comp.security.selinux/15870
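The bind-and-remount sequence from the mail, wrapped in a small script with a verification step, as an added example that is not part of the original message or of piuparts itself. The chroot path /var/chroot comes from the mail; the function names and the mountinfo sample are assumptions constructed here. The check reads the per-mount options from /proc/self/mountinfo rather than the super-block options, because a `remount,ro,bind` only flips the read-only flag on that one mount point while the underlying selinuxfs super-block stays read-write.

```shell
#!/bin/sh
# Added example, not from the original mail or from piuparts: mount selinuxfs
# read-only into a chroot with the bind + remount sequence from the message,
# then verify the result. /var/chroot is the path used in the mail; the
# function names and the sample mountinfo below are assumptions.

# Two-step sequence: bind the host selinuxfs, then flip that single mount to
# read-only. A read-only selinuxfs is what makes selinux-aware userspace in
# the chroot (dpkg among them) treat SELinux as disabled instead of failing.
mount_selinuxfs_ro() {
    chroot_dir="$1"
    mkdir -p "$chroot_dir/sys/fs/selinux" || return 1
    mount --bind /sys/fs/selinux "$chroot_dir/sys/fs/selinux" || return 1
    mount -o remount,ro,bind "$chroot_dir/sys/fs/selinux" || return 1
}

# Print "ro" or "rw" for the mount at $1, reading /proc/self/mountinfo text
# passed as $2. Field 5 is the mount point, field 6 the per-mount options;
# the super-block options after the "-" separator still say "rw" after a
# bind remount, so they are deliberately ignored. Returns 1 if no mount
# exists at that path.
selinuxfs_mode() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $5 == mp {
            n = split($6, opts, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            print mode
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# Live check on the running host: the chroot selinuxfs as seen from outside.
check_chroot_selinuxfs() {
    selinuxfs_mode "$1/sys/fs/selinux" "$(cat /proc/self/mountinfo)"
}

# Constructed mountinfo sample (not captured from a real host): the host
# selinuxfs is read-write, the bind mount inside the chroot was remounted
# read-only, and both share the same "rw" super-block options.
SAMPLE_MOUNTINFO='21 27 0:20 / /sys/fs/selinux rw,relatime shared:6 - selinuxfs selinuxfs rw
95 27 0:20 / /var/chroot/sys/fs/selinux ro,relatime shared:6 - selinuxfs selinuxfs rw'

# Demonstration on the sample only; run "mount_selinuxfs_ro /var/chroot" as
# root and then "check_chroot_selinuxfs /var/chroot" to apply and verify.
printf 'host selinuxfs:   %s\n' "$(selinuxfs_mode /sys/fs/selinux "$SAMPLE_MOUNTINFO")"
printf 'chroot selinuxfs: %s\n' "$(selinuxfs_mode /var/chroot/sys/fs/selinux "$SAMPLE_MOUNTINFO")"
```

On the sample the host mount reports `rw` and the chroot mount `ro`; the same check run against the live /proc/self/mountinfo after the two mount commands is the quickest way to confirm the remount actually took effect before starting a piuparts run.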
