[Server-devel] mkslim: shed off XS weight

Jerry Vonau jvonau at shaw.ca
Fri Sep 19 11:47:16 EDT 2008


Martin Langhoff wrote:
> On Fri, Sep 19, 2008 at 2:45 PM, Martin Langhoff
> <martin.langhoff at gmail.com> wrote:
>> in any case,  I've run a quick check
>>
>>  - cp -P does not imply --recursive, so I reverted to -a

Yea, I know, that is why the mkdir/cp loop is there.

## selinux doesn't like cp -a ##  <<---- That is the reason for cp -P

  # Copy to working dir

The context would be that of an iso filesystem using cp -a,
here is the selinux warning:

################
Summary:

SELinux is preventing cp from creating a file with a context of iso9660_t on a
filesystem.

Detailed Description:

SELinux is preventing cp from creating a file with a context of iso9660_t on a
filesystem. Usually this happens when you ask the cp command to maintain the
context of a file when copying between file systems, "cp -a" for example. Not
all file contexts should be maintained between the file systems. For example, a
read-only file type like iso9660_t should not be placed on a r/w system. "cp -P"
might be a better solution, as this will adopt the default file context for the
destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                system_u:object_r:iso9660_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                fedora.css [ filesystem ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          schoolserver
Source RPM Packages           coreutils-6.10-30.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Host Name                     schoolserver
Platform                      Linux schoolserver 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   21
First Seen                    Fri 12 Sep 2008 07:27:12 PM CDT
Last Seen                     Fri 12 Sep 2008 11:18:01 PM CDT
Local ID                      90f4d968-0a9b-42df-9982-fd0bdf284859
Line Numbers

Raw Audit Messages

host=schoolserver type=AVC msg=audit(1221279481.164:576): avc:  denied { associate } for  pid=12289 comm="cp" name="fedora.css" dev=dm-0 ino=1835383 scontext=system_u:object_r:iso9660_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=schoolserver type=SYSCALL msg=audit(1221279481.164:576): arch=40000003 syscall=228 success=no exit=-13 a0=4 a1=df435d a2=9d566f0 a3=1f items=0 ppid=12279 pid=12289 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="cp" exe="/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
#####################

>>  - the 3rd param was not optional, and without it, I think it tried to
>> overlay /* -- oops!
> 
Too funny, me too, and I forgot to update the one on the web, sorry

+if [ "foo$3" = "foo" ]; then

+    echo "You need the 3rd parameter!";

+    usage

+fi

+
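Review bot: nothing in this hunk stops the script after `usage` is called, so unless `usage` itself exits, execution continues with an empty `$3`, which is the case reported above as overlaying /*. Add an explicit `exit 1` after `usage`, send the "You need the 3rd parameter!" message to stderr, and consider `[ -z "$3" ]` in place of the `"foo$3" = "foo"` comparison.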
It's meant to be optional... You don't have to copy anything if not needed
for your "slim" version. You could re-roll the iso without adding anything,
just to have a smaller disk. This is what I meant:

# only overlay when a custom directory was given
if [ "x$custom" != "x" ]; then
    echo "testing copying"
    cp -a "$custom"/* "$WORKDIR"
fi


Jerry
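
The two points in this message (the overlay directory is optional, and the copy should not carry the source filesystem's SELinux context) can be combined in one helper. This is an added example, not code from the thread or from mkslim; `overlay_copy`, `overlay_copy_demo` and the temporary paths are hypothetical names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not part of mkslim. overlay_copy is a hypothetical helper.

# Copy the contents of SRC into DEST.
#   -R  recurse          -P  copy symlinks as symlinks, never follow them
#   -p  keep mode, ownership and timestamps
# Unlike "cp -a", -p does not ask cp to preserve the SELinux context, so new
# files take the destination's default label instead of e.g. iso9660_t.
# An empty SRC means "nothing to overlay" and is not an error.
overlay_copy() {
    oc_src=$1
    oc_dest=$2
    if [ -z "$oc_src" ]; then
        return 0                      # optional parameter not given
    fi
    if [ ! -d "$oc_src" ] || [ ! -d "$oc_dest" ]; then
        echo "overlay_copy: '$oc_src' or '$oc_dest' is not a directory" >&2
        return 2
    fi
    # "$oc_src"/. copies the directory's contents, dotfiles included, and
    # can never expand to /* because the empty case was handled above.
    cp -RPp -- "$oc_src"/. "$oc_dest"/
}

# Constructed demo: build a small tree, overlay it, list the result.
overlay_copy_demo() {
    demo_dir=$(mktemp -d) || return 1
    mkdir "$demo_dir/custom" "$demo_dir/work"
    echo "body { }" > "$demo_dir/custom/fedora.css"
    ln -s fedora.css "$demo_dir/custom/default.css"
    overlay_copy "" "$demo_dir/work"                  # no overlay requested
    overlay_copy "$demo_dir/custom" "$demo_dir/work"
    ls -l "$demo_dir/work"
    rm -rf "$demo_dir"
}

overlay_copy_demo
```

On an SELinux-enabled host, `ls -Z` on the destination shows whether the copied files picked up the destination's default context.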