[DSE-Dev] [Piuparts-devel] Bug#682068: Bug#682068: selinux + piuparts

Laurent Bigonville bigon at debian.org
Thu May 1 16:24:44 UTC 2014


On Thu, 1 May 2014 17:57:02 +0200,
Holger Levsen <holger at layer-acht.org> wrote:

> Hi Laurent,
> 
> On Thursday, 1 May 2014, Laurent Bigonville wrote:
> > I've attached a patch that is implementing the change.
> 
> great!
> 
> > If /selinux is
> > present, the selinuxfs will be mounted there. This directory was
> > shipped by libselinux package until wheezy (even if in wheezy it was
> > mounted already to the new location).
> 
> ack
> 
> > The patch is also changing the way the selinuxfs is mounted. The
> > selinuxfs is now bind mounted and then set to read only. This is
> > needed to make the userspace think that selinux is disabled,
> > otherwise dpkg will simply fail if the selinux policy is not
> > installed in the chroot (see: #734193)
> 
> ic. selinux doesn't work in chroots at all?

On my SELinux-enabled machine, piuparts is indeed not working properly
because of this. This is only valid for sid/jessie versions of dpkg, but
this can hardly be called a regression, as if the policy is not present
on disk this might mean that something wrong is already happening.

> > I've also added a soft dependency against python-selinux to use the
> > python API to detect if selinux is enabled instead of using
> > selinuxenabled executable. If you don't agree with this, I can
> > revert this change.
> 
> Yes, I think a recommends is too much here, as recommends are
> installed by default. So please revert this bit. Besides that, the
> patch looks fine.

OK

> 
> I would prefer if you could also give me a pull request or send a git
> patch via email... else I'll just take your patch from here...

I'll do that.

> 
> Thanks!
> 
> 
> cheers,
> 	Holger
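
Added example, not part of the original message or of piuparts: a Python check that reads mount-table text in /proc/mounts format and reports whether every selinuxfs mount inside a chroot is read-only, the state the patch described above relies on so that userspace treats SELinux as disabled. The mount table and chroot paths are constructed samples, and the function names are hypothetical.

```python
import re


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def selinuxfs_mounts(mounts_text, root):
    """Return [(mountpoint, read_only)] for selinuxfs mounts at or below root."""
    root = root.rstrip("/") or "/"
    prefix = "/" if root == "/" else root + "/"
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # Fields: source, mountpoint, fstype, options, dump, pass
        if len(fields) < 4 or fields[2] != "selinuxfs":
            continue
        mountpoint = _unescape(fields[1])
        if mountpoint == root or mountpoint.startswith(prefix):
            found.append((mountpoint, "ro" in fields[3].split(",")))
    return found


def chroot_hides_selinux(mounts_text, chroot):
    """True when no selinuxfs mount inside the chroot is writable.

    Assumption taken from the message above: a read-only selinuxfs makes
    userspace in the chroot behave as if SELinux were disabled.
    """
    return all(ro for _, ro in selinuxfs_mounts(mounts_text, chroot))


# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
selinuxfs /srv/piuparts/tmp/chroot1/sys/fs/selinux selinuxfs ro,relatime 0 0
selinuxfs /srv/piuparts/tmp/chroot2/selinux selinuxfs rw,relatime 0 0
proc /srv/piuparts/tmp/chroot2/proc proc rw,relatime 0 0
selinuxfs /srv/my\\040chroot/sys/fs/selinux selinuxfs ro,relatime 0 0
"""

if __name__ == "__main__":
    for chroot in ("/srv/piuparts/tmp/chroot1", "/srv/piuparts/tmp/chroot2"):
        state = "hidden" if chroot_hides_selinux(SAMPLE_MOUNTS, chroot) else "visible"
        print(chroot, "-> SELinux", state, "to userspace")
```

On a live system the same functions can be fed the contents of /proc/mounts after the chroot has been set up.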
