(Sorry if some pieces explained here seem too obvious for Debian Live
list regular users. I am recycling a former email sent to a non Debian
Live person.)
1) Introduction
1.1) I develop Rescatux ( http://www.supergrubdisk.org/rescatux/ ), which
is a live CD aimed at rescue tasks.
1.2) Rescatux is based on Debian Live ( http://live.debian.net/ ).
1.3) Debian Jessie (the current Debian stable version) supports SELinux if
you install some packages from sid (the Debian unstable branch). What I mean
by "supports SELinux" is that you can use it from a Debian installation.
2) SELinux permissions problems on Fedora / CentOS / RHEL systems.
Rescatux has many options for interacting from itself (as a Debian Live
CD) with installed systems.
E.g. you can change the root password easily.
This operation involves modifying the /etc/shadow file.
As Rescatux does not currently support SELinux, the /etc/shadow file loses its
default SELinux permissions.
As you might know, the consequence is that if you do that on a Fedora
installation in SELinux enforcing mode, the next time you try to log into
your system as root (and actually as other users too) it will fail.
Why? Because SELinux refuses to let whatever library handles login read the
/etc/shadow file.
3) As Rescatux is a Debian Live based system, I want to add SELinux
support to Debian Live in order to have SELinux support in Rescatux and
avoid these problems.
The final target is to have SELinux support and then change the SELinux
policy for the chrooted system's one. As mjg59 suggested in the fedora-devel
chat, it's just a matter of running: semodule -R (inside the chroot, I guess),
which does it.
4) What have I done so far?
4.1) I have added Debian SELinux packages
(
+ libapol4 \
+ libqpol1 \
+ policycoreutils \
+ python-ipy \
+ python-selinux \
+ python-semanage \
+ python-sepolgen \
+ python-sepolicy \
+ python-setools \
+ selinux-utils \
+ selinux-basics \
+ auditd \
)
to both the binary and chroot parts of Debian Live (binary is what goes into
the final ISO itself and chroot is what's inside the squashfs).
4.2) When I boot from Rescatux I add these parameters to the kernel boot
command line: selinux=1 enforcing=0 .
4.3) I have also modified Debian Live to enforce SELinux. (Not fully
successfully, but I have done it.)
(This is where I got inspiration from Fedora's livecd-tools
(https://github.com/rhinstaller/livecd-tools)
(https://github.com/rhinstaller/livecd-tools/blob/master/imgcreate/creator.py).)
4.3.1) Make sure the directory which is going to be converted has SELinux
permissions, thanks to:
+ setfiles -F -r chroot /etc/selinux/default/contexts/files/file_contexts chroot
+ chcon -u system_u chroot/proc
+ chcon -u system_u chroot/sys
+ chcon -u system_u chroot/proc
+ chcon -u system_u chroot/sys
4.3.2) Make sure that mksquashfs puts the SELinux permissions into the
big squashfs file (I have checked, and it's true that they are there).
+ MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -xattrs"
5) So, well, the problem is that after all these changes Rescatux
refuses to boot in SELinux mode, thus I cannot load any policy manually,
and thus the SELinux permissions problems persist.
6) What am I missing?
Is there anything about how livecd-tools prepares the live CD that I am
missing?
Something that has to be inside the initrd that does not come by default
in Debian's or Debian Live's initrds?
Thank you very much for any insight you might have.
7) Annex A. Rescatux updates:
Jessie branch: http://sourceforge.net/p/rescatux/git/ci/jessie/tree/
Commit: 9f74111d7c5222a739054af1900784481f6496c3
8) Annex B. Debian Live update:
tmp-selinux branch: https://github.com/adrian15/live-build/tree/tmp-selinux
Commit: 42a8f50690be1153285dc8841ec532ac2281e27d
adrian15
--
Support free software. Donate to Super Grub Disk. http://www.supergrubdisk.org/donate/
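As an added example (not part of adrian15's email, nor Rescatux or live-build code), a small Python audit of the labels that steps 4.3.1 and 4.3.2 are about: it walks a chroot tree, reads the security.selinux xattr of every entry, and reports entries that are unlabelled or whose SELinux user is not system_u; running it on the unsquashed filesystem afterwards confirms that mksquashfs -xattrs preserved them. It assumes Linux with Python 3; the attribute name is a parameter (a hypothetical user.* attribute can stand in on hosts without SELinux).

```python
"""Audit security.selinux xattrs in a live-build chroot tree (added example)."""
import os
from typing import Dict, List, NamedTuple, Optional

class Context(NamedTuple):
    user: str   # e.g. system_u
    role: str   # e.g. object_r
    type: str   # e.g. shadow_t
    level: str  # MLS/MCS range, e.g. s0 or s0-s0:c0.c1023 ('' if absent)

def parse_context(label: str) -> Context:
    """Split 'system_u:object_r:shadow_t:s0'; only the first three ':' are
    field separators because the level itself may contain ':'."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {label!r}")
    if len(parts) == 3:  # non-MLS policy: no level component
        parts.append("")
    return Context(*parts)

def read_label(path: str, attr: str = "security.selinux") -> Optional[str]:
    """Return the label stored in `attr`, or None if the entry has none."""
    try:
        raw = os.getxattr(path, attr, follow_symlinks=False)
    except OSError:
        # ENODATA (no such attribute) or ENOTSUP (filesystem without xattrs):
        # either way the entry would end up unlabelled inside the squashfs.
        return None
    return raw.decode("utf-8", "replace").rstrip("\0")

def audit_tree(root: str, attr: str = "security.selinux") -> Dict[str, Optional[str]]:
    """Map every entry under root (relative path, '.' for root) to its label."""
    labels: Dict[str, Optional[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            labels[os.path.relpath(path, root)] = read_label(path, attr)
    return labels

def unlabelled(labels: Dict[str, Optional[str]]) -> List[str]:
    """Entries setfiles would still have to label before mksquashfs runs."""
    return sorted(p for p, lbl in labels.items() if lbl is None)

def wrong_user(labels: Dict[str, Optional[str]], expected: str = "system_u") -> List[str]:
    """Entries whose SELinux user is not `expected` (what chcon -u system_u fixes)."""
    return sorted(p for p, lbl in labels.items()
                  if lbl is not None and parse_context(lbl).user != expected)
```

Run `audit_tree("chroot")` in the build directory before step 4.3.2 and again on the unsquashed tree; both `unlabelled()` and `wrong_user()` should come back empty.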