[DSE-Dev] [Piuparts-devel] Bug#682068: Bug#682068: selinux + piuparts
Laurent Bigonville
bigon at debian.org
Thu May 1 16:24:44 UTC 2014
Le Thu, 1 May 2014 17:57:02 +0200,
Holger Levsen <holger at layer-acht.org> a écrit :
> Hi Laurent,
>
> On Donnerstag, 1. Mai 2014, Laurent Bigonville wrote:
> > I've attached a patch that is implementing the change.
>
> great!
>
> > If /selinux is
> > present, the selinuxfs will be mounted there. This directory was
> > shipped by libselinux package until wheezy (even if in wheezy it was
> > mounted already to the new location).
>
> ack
>
> > The patch is also changing the way the selinuxfs is mounted. The
> > selinuxfs is now bind mounted and then set to read only. This is
> > needed to make think the userspace that selinux is disabled,
> > otherwise dpkg will simply fail if the selinux policy is not
> > installed in the chroot (see: #734193)
>
> ic. selinux doesnt work in chroots at all?
On my SELinux enabled machine, piupart is indeed not working properly
because of this. This is only valid for sid/jessie versions of dpkg but
this can hardly be called a regression as if the policy is not present
on disk this might mean that something wrong is already happening.
> > I've also added a soft dependency against python-selinux to use the
> > python API to detect if selinux is enabled instead of using
> > selinuxenabled executable. If you don't agree with this, I can
> > revert this change.
>
> Yes, I think a recommends is too much here, as recommends are
> installed by default. So please revert this bit. Besides that, the
> patch looks fine.
OK
>
> I would prefer if you could also give me a pull request or send a git
> patch via email... else I'll just take your patch from here...
I'll do that.
>
> Thanks!
>
>
> cheers,
> Holger
More information about the SELinux-devel
mailing list