chcon in %post

Daniel J Walsh dwalsh at redhat.com
Mon Jun 23 13:04:32 UTC 2008


Eric Paris wrote:
> On Tue, 2008-06-17 at 16:22 -0500, Jason L Tibbitts III wrote:
>> I just came across a package that does this:
>>
>> %post
>> /usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :
>>
>> rpmlint complains bitterly about it, and honestly I'm really not sure
>> what's supposed to happen here.  This is a ghc-compiled binary.  (ghc
>> is a Haskell compiler.)
>>
>> So, if you have a binary in a package that really needs this context,
>> is running chcon in %post the right way to do it?
> 
> I'd suggest getting the filecontext into policy so that RPM lays it down
> that way.  And no chcon is not the right way (reverted on system
> relabel).  use semanage fcontext -a and then restorecon if you cannot
> for some reason push the correct context upstream into policy.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I just fixed a bugzilla to label all the Haskell apps as
unconfined_execmem_exec_t until Haskell is fixed.

We need a better way to handle apps that need execmem in policy for non
unconfined_t users.

Currently we have mono, java, wine, unconfined_execmem_exec_t, all
basically giving the same privs: usertype +execmem.
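For reference, here is what Eric's suggested alternative to the chcon scriptlet looks like as a spec fragment. This is an added example, not code from the thread or from the package being discussed: the type, the path and the `|| :` idiom are taken from Jason's message; the `Requires(post)`/`Requires(postun)` lines are an assumption about which package ships semanage and restorecon on the target release and should be checked against the distribution.

```spec
# Added example (not from the thread): register the file context in the
# local SELinux policy store and then relabel, instead of a bare chcon.
# A chcon'd label is lost on the next system relabel; a semanage fcontext
# rule survives it because restorecon/fixfiles consult the stored rules.
Requires(post):   policycoreutils
Requires(postun): policycoreutils

%post
# Record the rule so a full relabel (e.g. fixfiles relabel) keeps this label.
# '|| :' keeps the scriptlet from failing the install on a host without
# SELinux or without the semanage tool.
semanage fcontext -a -t unconfined_execmem_exec_t '%{_libexecdir}/haddock.bin' >/dev/null 2>&1 || :
# Apply the stored rule to the file RPM has just laid down.
restorecon %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :

%postun
# $1 is 0 on final erase and 1 on upgrade; only drop the local rule when
# the package is really going away, so an upgrade does not unlabel the file.
if [ $1 -eq 0 ]; then
    semanage fcontext -d -t unconfined_execmem_exec_t '%{_libexecdir}/haddock.bin' >/dev/null 2>&1 || :
fi
```

After installing, the rule can be checked with `semanage fcontext -l | grep haddock` and the resulting label with `ls -Z` or `matchpathcon` on the path. This remains a per-host local customisation; as the thread says, the preferred fix is to get the file context into the distribution policy (which the bugzilla above does), at which point the scriptlet is no longer needed.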
