[Piuparts-devel] Bug#682068: [PATCH] Mount selinuxfs read-only and on new location when possible

Laurent Bigonville bigon at debian.org
Thu May 1 16:46:19 UTC 2014


From: Laurent Bigonville <bigon at bigon.be>

We need to mount the selinuxfs read-only inside the chroot to make the
userspace think that selinux is disabled. This is required, otherwise
dpkg will fail as no policy is installed in the chroot.

We are also moving the mountpoint of the selinuxfs from /selinux to
/sys/fs/selinux if the /selinux directory is not present on disk. This
directory has been removed in jessie.
---
 piuparts.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/piuparts.py b/piuparts.py
index 32f651b..fafa90a 100644
--- a/piuparts.py
+++ b/piuparts.py
@@ -1412,15 +1412,25 @@ class Chroot:
 
     def mount_selinux(self):
         if selinux_enabled():
-            run(["mkdir", "-p", self.relative("/selinux")])
-            run(["mount", "-t", "selinuxfs", "/selinux", self.relative("/selinux")])
+            run(["mkdir", "-p", self.selinuxfs_relative_path()])
+            run(["mount", "--bind", "/sys/fs/selinux", self.selinuxfs_relative_path()])
+            run(["mount", "-o", "remount,ro,bind", self.selinuxfs_relative_path()])
             logging.info("SElinux mounted into chroot")
 
     def unmount_selinux(self):
         if selinux_enabled():
-            run(["umount", self.relative("/selinux")])
+            run(["umount", self.selinuxfs_relative_path()])
             logging.info("SElinux unmounted from chroot")
 
+    # If /selinux is present, assume that this is the only supported
+    # location by libselinux. Otherwise use the new location.
+    # /selinux was shipped by the libselinux package until wheezy.
+    def selinuxfs_relative_path(self):
+        if os.path.isdir(self.relative('/selinux')):
+            return self.relative('/selinux')
+        else:
+            return self.relative('/sys/fs/selinux')
+
     def mount_proc(self):
         """Mount /proc inside chroot."""
         self.run(["mount", "-t", "proc", "proc", "/proc"])
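Review bot: unmount_selinux recomputes selinuxfs_relative_path() instead of reusing the path chosen at mount time, so if a package installed during the test creates the chroot's /selinux directory after selinuxfs was bound at /sys/fs/selinux, the umount targets a path that was never mounted and the bind mount is left behind in the chroot. Record the path once in mount_selinux (e.g. `self.selinuxfs_path = self.selinuxfs_relative_path()`) and umount that. The bind source is also hard-coded to `/sys/fs/selinux`: the replaced `mount -t selinuxfs` form worked wherever the host had selinuxfs mounted, while the new form fails on a host that still mounts it at /selinux, so either keep the `-t selinuxfs` mount followed by the `remount,ro` step, or look up the host's selinuxfs mount point before binding. Minor: the other methods in this class document themselves with a docstring (see mount_proc), so the comment block above selinuxfs_relative_path should be a docstring too.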
-- 
2.0.0.rc0
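The two facts the patch relies on, where the host's selinuxfs is mounted and whether the copy inside the chroot is read-only, can be checked from /proc/self/mounts. The following is an added example for that check, written by the editor and not part of piuparts or this patch; the mounts text it parses is constructed for the example, and the function names and the /srv/chroot path are assumptions. It also reproduces the patch's /selinux-versus-/sys/fs/selinux rule as a pure function so it can be exercised without a real chroot.

```python
import os

# Constructed sample of /proc/self/mounts: a host with selinuxfs at
# /sys/fs/selinux and a chroot under /srv/chroot where it was bound read-only.
# On a real system pass open("/proc/self/mounts").read() instead.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
selinuxfs /srv/chroot/sys/fs/selinux selinuxfs ro,relatime 0 0
"""


def selinuxfs_mounts(mounts_text):
    """Return [(mountpoint, [options])] for every selinuxfs entry in
    /proc/self/mounts-style text, in the order the kernel lists them."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # fields: source mountpoint fstype options dump pass
        if len(fields) >= 4 and fields[2] == "selinuxfs":
            # the kernel escapes spaces in paths as \040; undo that
            mountpoint = fields[1].replace("\\040", " ")
            found.append((mountpoint, fields[3].split(",")))
    return found


def host_selinuxfs(mounts_text):
    """Mount point of the host's own selinuxfs, or None if SELinux is not
    mounted at all.  Assumption: the host mount precedes any chroot bind
    mounts, so the first entry is the host's.  Use this as the bind source
    instead of hard-coding /sys/fs/selinux (wheezy hosts use /selinux)."""
    mounts = selinuxfs_mounts(mounts_text)
    return mounts[0][0] if mounts else None


def chroot_selinuxfs_target(root, isdir=os.path.isdir):
    """Same rule as the patch: use <root>/selinux when the chroot ships that
    directory (libselinux up to wheezy), otherwise <root>/sys/fs/selinux.
    `isdir` is injectable so the rule can be tested without a chroot."""
    legacy = os.path.join(root, "selinux")
    if isdir(legacy):
        return legacy
    return os.path.join(root, "sys", "fs", "selinux")


def chroot_selinuxfs_state(root, mounts_text):
    """(mountpoint, read_only) for the selinuxfs visible inside the chroot at
    `root`, or None if none is mounted there.  read_only must be True for the
    chroot's libselinux to treat SELinux as disabled, which is what the patch
    depends on."""
    root = root.rstrip("/")
    candidates = (root + "/selinux", root + "/sys/fs/selinux")
    for mountpoint, options in selinuxfs_mounts(mounts_text):
        if mountpoint in candidates:
            return (mountpoint, "ro" in options)
    return None


if __name__ == "__main__":
    # Hypothetical chroot path; on a real host read /proc/self/mounts.
    print("host selinuxfs:", host_selinuxfs(SAMPLE_MOUNTS))
    print("chroot selinuxfs:", chroot_selinuxfs_state("/srv/chroot", SAMPLE_MOUNTS))
```

Run it after mount_selinux has done its work (with the real /proc/self/mounts) to confirm that the chroot entry carries `ro`; a `rw` result means the remount step did not take effect and dpkg inside the chroot will still see an enabled SELinux with no policy.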


