If you are maintaining or developing a Fedora Package.

Simo Sorce ssorce at redhat.com
Wed Oct 17 12:47:30 UTC 2007


On Wed, 2007-10-17 at 13:11 +0200, Adam Tkac wrote:
> On Mon, Oct 15, 2007 at 11:31:17PM +0200, Karel Zak wrote:
> >  Couldn't it be better to maintain default selinux labels like other
> >  file attributes?
> > 
> >      %attr(4755,root,root) %selinux(foo_t)  /bin/foo
> >
> 
> I think restorecon is far better than this approach. With this you have two databases of file contexts - first is in specfile and second in selinux-policy*. When you use restorecon you have one centralised database. We will discuss if rpm will automatically run restorecon on all installed files.

Not only that, but a new policy may well change some labels to fix
errors, and make the package content obsolete. And even dangerous if the
package maintainer forgets to update it and on a yum update you get back
the old broken label.

Simo.



