selinux + livecd-creator, May 20, 2008
Jeremy Katz
katzj at redhat.com
Tue May 20 19:37:24 UTC 2008
On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > Making use of the wonderful new deferred selinux context patch set from
> > the kernel I get beautiful messages like:
> >
> > /sbin/restorecon reset /sbin/dump context
> > system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
> >
> > The file wasn't really "unlabeled_t"; it just wasn't a valid label on the
> > host machine. Since restorecon/fixfiles runs over the same files like 3
> > times during a livecd creation this gets rather annoying. Do we have an
> > interface I could use to make restorecon do the right comparison here?
>
> Well, could we instead avoid running restorecon/fixfiles multiple times
> on the same files? And ideally just get rpm to label the files
> correctly in the first place since that is why we added the kernel
> patch?

FWIW, we do a final pass with restorecon/fixfiles at the end of creating
the files just so that we can ensure that any files that were created as
the result of a %post script or anything else which doesn't transition
correctly (... perhaps because the policy doesn't know it needs to) end
up with the right final label. This is pretty confined to just the
livecd-creator case, though.

Jeremy