chcon in %post

Eric Paris eparis at redhat.com
Tue Jun 17 21:52:33 UTC 2008


On Tue, 2008-06-17 at 16:22 -0500, Jason L Tibbitts III wrote:
> I just came across a package that does this:
> 
> %post
> /usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :
> 
> rpmlint complains bitterly about it, and honestly I'm really not sure
> what's supposed to happen here.  This is a ghc-compiled binary.  (ghc
> is a Haskell compiler.)
> 
> So, if you have a binary in a package that really needs this context,
> is running chcon in %post the right way to do it?

I'd suggest getting the file context into policy so that RPM lays it down
that way.  And no, chcon is not the right way (reverted on system
relabel).  Use semanage fcontext -a and then restorecon if you cannot
for some reason push the correct context upstream into policy.
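
The semanage fcontext plus restorecon approach from the reply, sketched as scriptlet helpers. This is an added example, not code from the thread or from the package. The function names and the RUN dry-run hook are hypothetical; the type and file come from the quoted %post line, with %{_libexecdir} assumed to expand to /usr/libexec.

```shell
#!/bin/sh
# Added example: record the label in the local file-context store instead of
# setting it with chcon, so that a full relabel puts the same label back.

# Hypothetical dry-run hook: with RUN=show the commands are printed, not run.
RUN=${RUN:-}
show() { printf '%s\n' "$*"; }

# semanage fcontext takes a regular expression, not a literal path. Escape
# regex metacharacters so the "." in "haddock.bin" matches only a dot.
fcontext_regex() {
    printf '%s\n' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# %post side: store the rule for TARGET, then apply it to the file on disk.
label_persistently() {
    ctx_type=$1
    target=$2
    spec=$(fcontext_regex "$target")
    # -a adds a local rule; on upgrade the rule already exists, so fall back
    # to -m, which modifies it in place.
    $RUN semanage fcontext -a -t "$ctx_type" "$spec" 2>/dev/null ||
        $RUN semanage fcontext -m -t "$ctx_type" "$spec" || return 1
    # restorecon reads the stored rule and sets the label it specifies.
    $RUN restorecon -v "$target"
}

# %postun side: delete the local rule, then let restorecon return the file
# (if it still exists) to the policy default.
unlabel() {
    target=$1
    $RUN semanage fcontext -d "$(fcontext_regex "$target")" || return 1
    if [ -e "$target" ]; then
        $RUN restorecon -v "$target"
    fi
}

# In a spec file the scriptlet would call, for example:
#   label_persistently unconfined_execmem_exec_t /usr/libexec/haddock.bin
```

Running with `RUN=show` prints the semanage and restorecon commands without touching the system, which is a quick way to check the escaped file specification before building the package.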




More information about the fedora-selinux-list mailing list